inteligr8/alfresco-ng2-components
1
0
Fork 0
mirror of https://github.com/Alfresco/alfresco-ng2-components.git synced 2025-05-19 17:14:57 +00:00
Code Issues Packages Projects Releases Wiki Activity

[ADF-4158] improved Docker image security (#4371)

Browse Source 
* improved Docker image security

* remove layer duplication

* update scripts
This commit is contained in:
Denys Vuika 2019-03-04 11:18:32 +00:00 committed by Eugenio Romano
parent bbf1f20439
commit d6f856f1c5
4 changed files with 105 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
Dockerfile
View File

@ -1,6 +1,41 @@
FROM nginx:alpine # 1. Generate licenses
COPY demo-shell/nginx.conf /etc/nginx/nginx.conf FROM node:11.9-alpine AS builder
WORKDIR /usr/src/alfresco
COPY package.json package.json
RUN mkdir -p ./licenses && \
yarn licenses list > ./licenses/licenses.txt && \
yarn licenses generate-disclaimer > ./licenses/disclaimer.txt
# 2. Generate image
FROM nginx:stable-alpine
LABEL version="3.0.0"
ARG GROUPNAME=Alfresco
ARG GROUPID=1000
ARG USERNAME=adf
ARG USERID=33011
ARG BUILD_NUMBER
COPY ./docker/nginx.conf /etc/nginx/nginx.conf
COPY ./docker/entrypoint.sh /
WORKDIR /usr/share/nginx/html WORKDIR /usr/share/nginx/html
COPY demo-shell/dist/ . COPY demo-shell/dist/ .
COPY --from=builder /usr/src/alfresco/licenses ./licenses
RUN addgroup -g ${GROUPID} ${GROUPNAME} && \
adduser -S -u ${USERID} -G ${GROUPNAME} -s "/bin/bash" ${USERNAME} && \
chown -R ${USERNAME}:${GROUPNAME} ./${BUILD_NUMBER}/app.config.json && \
chown -R ${USERNAME}:${GROUPNAME} /var/cache/nginx && \
touch /var/run/nginx.pid && \
chown -R ${USERNAME}:${GROUPNAME} /var/run/nginx.pid && \
chmod +x /entrypoint.sh && \
chown -R ${USERNAME}:${GROUPNAME} /entrypoint.sh
EXPOSE 8080
USER ${USERNAME}
ENTRYPOINT [ "/entrypoint.sh" ]

60
docker/entrypoint.sh Normal file
View File

@ -0,0 +1,60 @@
#!/bin/sh
if [ -n "${APP_CONFIG_AUTH_TYPE}" ];then
sed -e "s/\"authType\": \".*\"/\"authType\": \"${APP_CONFIG_AUTH_TYPE}\"/g" \
-i ./app.config.json
fi
if [ -n "${APP_CONFIG_OAUTH2_HOST}" ];then
replace="\/"
encoded=${APP_CONFIG_OAUTH2_HOST//\//$replace}
sed -e "s/\"host\": \".*\"/\"host\": \"${encoded}\"/g" \
-i ./app.config.json
fi
if [ -n "${APP_CONFIG_OAUTH2_CLIENTID}" ];then
sed -e "s/\"clientId\": \".*\"/\"clientId\": \"${APP_CONFIG_OAUTH2_CLIENTID}\"/g" \
-i ./app.config.json
fi
if [ -n "${APP_CONFIG_OAUTH2_IMPLICIT_FLOW}" ];then
sed "/implicitFlow/s/true/${APP_CONFIG_OAUTH2_IMPLICIT_FLOW}/" \
-i ./app.config.json
fi
if [ -n "${APP_CONFIG_OAUTH2_SILENT_LOGIN}" ];then
sed "/silentLogin/s/true/${APP_CONFIG_OAUTH2_SILENT_LOGIN}/" \
-i ./app.config.json
fi
if [ -n "${APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI}" ];then
replace="\/"
encoded=${APP_CONFIG_OAUTH2_REDIRECT_SILENT_IFRAME_URI//\//$replace}
sed -e "s/\"redirectSilentIframeUri\": \".*\"/\"redirectSilentIframeUri\": \"${encoded}\"/g" \
-i ./app.config.json
fi
if [ -n "${APP_CONFIG_OAUTH2_REDIRECT_LOGIN}" ];then
replace="\/"
encoded=${APP_CONFIG_OAUTH2_REDIRECT_LOGIN//\//$replace}
sed -e "s/\"redirectUri\": \".*\"/\"redirectUri\": \"${encoded}\"/g" \
-i ./app.config.json
fi
if [ -n "${APP_CONFIG_OAUTH2_REDIRECT_LOGOUT}" ];then
replace="\/"
encoded=${APP_CONFIG_OAUTH2_REDIRECT_LOGOUT//\//$replace}
sed -e "s/\"redirectUriLogout\": \".*\"/\"redirectUriLogout\": \"${encoded}\"/g" \
-i ./app.config.json
fi
if [[ $ACSURL ]]; then
sed -i s%{protocol}//{hostname}{:port}%"$ACSURL"%g /usr/share/nginx/html/app.config.json
fi
if [ -n "${APP_BASE_SHARE_URL}" ];then
sed -e "s/\"baseShareUrl\": \".*\"/\"baseShareUrl\": \"${APP_BASE_SHARE_URL}\"/g" \
-i ./app.config.json
fi
nginx -g "daemon off;"

8
demo-shell/nginx.conf → docker/nginx.conf
View File

@ -6,7 +6,7 @@ events {
http { http {
server { server {
listen 80; listen 8080;
server_name localhost; server_name localhost;
root /usr/share/nginx/html; root /usr/share/nginx/html;
@ -22,6 +22,12 @@ http {
try_files $uri $uri/ /index.html; try_files $uri $uri/ /index.html;
} }
location ~ \.html$ {
add_header Cache-Control "private, no-cache, no-store, must-revalidate";
add_header Expires "Sat, 01 Jan 2000 00:00:00 GMT";
add_header Pragma no-cache;
}
location ~ ^/[a-zA-Z0-9_-]+/ { location ~ ^/[a-zA-Z0-9_-]+/ {
try_files $uri $uri/ /index.html; try_files $uri $uri/ /index.html;
} }

2
scripts/pr-publish.sh
View File

@ -40,7 +40,7 @@ cd $DIR/..
echo "====== PUBLISH DOCKER IMAGE TAG pr $NAME_PR =====" echo "====== PUBLISH DOCKER IMAGE TAG pr $NAME_PR ====="
docker build -t $DOCKER_REPO/adf/demo-shell:$NAME_PR . docker build -t $DOCKER_REPO/adf/demo-shell:$NAME_PR --build-arg BUILD_NUMBER=$NAME_PR .
echo "====== LOGIN =====" echo "====== LOGIN ====="
docker login http://$DOCKER_REPO -p $PASSWORD_DOCKER -u $USERNAME_DOCKER docker login http://$DOCKER_REPO -p $PASSWORD_DOCKER -u $USERNAME_DOCKER