Rework dockerfile to do multi-stage build and run as non-root uid by default#3542
Rework dockerfile to do multi-stage build and run as non-root uid by default#3542ilkka-ollakka wants to merge 3 commits intobookwyrm-social:mainfrom
Conversation
|
Just realized that in upgrade of production setup, this makes images and static directories inside container still be owned by root uid, which causes that new account can't write to those directories. I'll check if there is some reasonable flow for that. |
|
@ilkka-ollakka I'm a little unclear on the status of this PR - is it ready to check, or did you want to do some more work on it? |
…default This changes the created image size from ~1.3G -> ~0.5G and runs code as non-root uid in container
Simplest way for now to allow current bw-dev commands to work and run the actual services as non-root-uid
changes ownership to bookwyrm user for imsages/static/exports directories
ilkka-ollakka
force-pushed
the
feat/rework_dockerfile
branch
from
01e002c to
6348997
Compare
|
@hughrun I had some changes in local that I had forgot to push into this PR. Now it is in state that it could be checked. I was checking if using entrypoint in web-container could be used instead of separate bw-dev command for permissions, but that is ran under bookwyrm user, so it can't fix the permissions. I'm not sure how typical bookwyrm instance is used, does it use s3-style storage or local storage, mainly how this should be informed on update flow that permissions needs to be fixed/changed with local volumes? |
|
I think @mouse-reeve has a list of instance admins, or you could just ask in the main Matrix room. My guess would be most are using s3 but that's just a guess. |
|
Actually now that I've been looking this, after #3605 we don't need build phase and can use the slim-image directly as psycopg3 doesn't need to be compiled. |
|
I'll close this PR as I'm starting to prepare PR that has container build/entrypoint for migrations and container publishing flows included. |
2 participants
Description
Change Dockerfile to do multi-stage build to get smaller container (from ~1.3G -> ~0.5G). Removing lot of not-needed stuff that is needed in build-phase but not when running things, things like gcc compilers and things. It builds/installs dependencies in full python image but installs things in virtualenv and copies that to -slim image that also contains non-root account that is used by default to run commands.
Bw-dev command is slightly modified to run pylint etc things as root-uid, making it smallest feasible change without needing to rework all the flows and commands.
I did test this by running
bw-dev pytestand running bookwyrm in locally on development mode, running csv file import task and check that it didn't show up any new errors.What type of Pull Request is this?
Does this PR change settings or dependencies, or break something?
Details of breaking or configuration changes (if any of above checked)
If instance has local storage in use, command
bw-dev fix_volume_permissionsshould be run during update to change local volume and asset permissions for exports/images/static files.Documentation
Tests