# code: language=Dockerfile
# The code for the build image should be identical with the code in
# Dockerfile.nginx to use the caching mechanism of Docker.
# Ref: https://devguide.python.org/#branchstatus
# The base is pinned by tag AND sha256 digest, so every build resolves to the
# same upstream layers regardless of what the tag points at later. Bump the tag
# and the digest together when updating.
FROM python:3.11.9-slim-bookworm@sha256:8c1036ec919826052306dfb5286e4753ffd9d5f6c24fbc352a5399c3b405b57e AS base
# ---- build stage: compiles the Python wheels. Nothing from this stage ships in
# the final image except what is copied out of /tmp/wheels later.
FROM base AS build
WORKDIR /app
# Build toolchain and headers, installed and cleaned up in a single layer.
# Because the base is digest-pinned (FROM above), `apt-get upgrade` is what
# pulls in Debian security updates released after that digest; the trade-off is
# that this layer is only reproducible while the Debian mirrors do not change.
RUN \
apt-get -y update && \
apt-get -y upgrade && \
apt-get -y install --no-install-recommends \
gcc \
build-essential \
dnsutils \
libpq-dev \
postgresql-client \
xmlsec1 \
git \
uuid-runtime \
# libcurl4-openssl-dev is required for installing pycurl python package
libcurl4-openssl-dev \
# apparently, libssl-dev is also needed
libssl-dev \
# libldap2-dev / libsasl2-dev: presumably headers for the LDAP client wheel —
# confirm against requirements.txt
libldap2-dev \
libsasl2-dev \
&& \
# drop the apt indexes in the same layer that fetched them
apt-get clean && \
rm -rf /var/lib/apt/lists && \
true
# Only the dependency manifest is copied at this point, so the (slow) wheel
# build layer below stays cached until requirements.txt itself changes.
COPY requirements.txt ./
# CPUCOUNT=1 is needed, otherwise the wheel for uwsgi won't always be built successfully
# https://github.com/unbit/uwsgi/issues/1318#issuecomment-542238096
# `pip3 wheel` builds (does not install) every requirement as a wheel into /tmp/wheels.
RUN CPUCOUNT=1 pip3 wheel --wheel-dir=/tmp/wheels -r ./requirements.txt
# ---- runtime stage: starts again from the slim base so the build toolchain
# above never ends up in the shipped image.
FROM base AS django
WORKDIR /app
# Identity of the unprivileged runtime user. Only appuser is exported as ENV
# (visible at runtime); uid/gid stay build-time ARGs and are used by number.
ARG uid=1001
ARG gid=1337
ARG appuser=defectdojo
ENV appuser=${appuser}
# Runtime shared libraries, installed and cleaned up in one layer. As in the
# build stage, the base is digest-pinned, so `apt-get upgrade` is what brings in
# Debian security fixes published after that digest.
RUN \
apt-get -y update && \
apt-get -y upgrade && \
# ugly fix to install postgresql-client without errors
mkdir -p /usr/share/man/man1 /usr/share/man/man7 && \
apt-get -y install --no-install-recommends \
# libopenjp2-7 libjpeg62 libtiff are required by the pillow package
libopenjp2-7 \
libjpeg62 \
libtiff6 \
# dnsutils \
xmlsec1 \
# required by gitpython module
git \
# uuid-runtime \
# libpq-dev \
# only required for the dbshell (used by the initializer job)
postgresql-client \
# libcurl4-openssl-dev is required for installing pycurl python package
libcurl4-openssl-dev \
# apparently, libssl-dev is also needed
libssl-dev \
&& \
apt-get clean && \
rm -rf /var/lib/apt/lists && \
true
# Wheels pre-built by the build stage; the pip install below is offline-only.
COPY --from=build /tmp/wheels /tmp/wheels
COPY requirements.txt ./
# fixes inability to connect to LDAPS servers
# (points the OpenLDAP client at the system CA bundle — the same bundle that
# update-ca-certificates further down regenerates to include docker/certs/*.crt)
RUN mkdir -p /etc/ldap && \
echo "TLS_CACERT /etc/ssl/certs/ca-certificates.crt" >> /etc/ldap/ldap.conf
# --no-index: pip never contacts an index here; every requirement must resolve
# from the wheels copied out of the build stage.
# NOTE(review): PYCURL_SSL_LIBRARY is read by pycurl's setup at build time, but
# the pycurl wheel was already built in the build stage (without it) — confirm
# this export still has an effect, or move it to the `pip3 wheel` step.
RUN export PYCURL_SSL_LIBRARY=openssl && \
pip3 install \
--no-cache-dir \
--no-index \
--find-links=/tmp/wheels \
-r ./requirements.txt && \
# remove tests installed by python modules
# (also the certs directory under slapdtest, so no test certificates/keys ship in the image)
rm -rf /usr/local/lib/python*/site-packages/*/tests /usr/local/lib/python*/site-packages/slapdtest/certs
# Entrypoint and helper scripts are placed at / (made executable by the
# `chmod 775 /*.sh` below). docker/certs/* lands there too, including its
# readme.txt placeholder, which is removed further down.
COPY \
docker/entrypoint-celery-beat.sh \
docker/entrypoint-celery-worker.sh \
docker/entrypoint-initializer.sh \
docker/entrypoint-uwsgi.sh \
# docker/entrypoint-uwsgi-dev.sh \
# docker/entrypoint-unit-tests.sh \
# docker/entrypoint-unit-tests-devDocker.sh \
docker/wait-for-it.sh \
docker/secret-file-loader.sh \
docker/reach_database.sh \
docker/certs/* \
/
COPY wsgi.py manage.py docker/unit-tests.sh ./
COPY dojo/ ./dojo/
# install custom CA certificates
# (every *.crt in docker/certs is added to the system trust store; this is what
# the TLS_CACERT line above relies on for LDAPS)
COPY docker/certs/*.crt /usr/local/share/ca-certificates
RUN update-ca-certificates
# Add extra fixtures to docker image which are loaded by the initializer
COPY docker/extra_fixtures/* /app/dojo/fixtures/
# COPY tests/ ./tests/
RUN \
# Remove placeholder copied from docker/certs
rm -f /readme.txt && \
# Remove placeholder copied from docker/extra_fixtures
rm -f dojo/fixtures/readme.txt && \
# NOTE(review): the g=u below is undone by `chmod -R u+rwX,go+rX,go-w /app`
# in the permission pass further down (which also leaves the group as root), so
# dojo/migrations is NOT writable by the runtime user in the final image —
# confirm that is the intended outcome.
mkdir -p dojo/migrations && \
chmod g=u dojo/migrations && \
true
# Explicit even though no USER has been set yet: the ownership/permission pass
# below must run as root.
USER root
RUN \
# runtime group/user with fixed numeric ids; system account, no home, no password
addgroup --gid ${gid} ${appuser} && \
adduser --system --no-create-home --disabled-password --gecos '' \
--uid ${uid} --gid ${gid} ${appuser} && \
# whole app tree root-owned and read-only for everyone but root
# (X keeps directories and already-executable files traversable/executable)
chown -R root:root /app && \
chmod -R u+rwX,go+rX,go-w /app && \
# Allow for bind mounting local_settings.py and other setting overrides
# (group-writable by the runtime group; media and components/node_modules below
# are additionally made owner-writable by the runtime user)
chown -R root:${appuser} /app/dojo/settings && \
chmod -R 775 /app/dojo/settings && \
# runtime-writable directory under /var/run (presumably for pid/socket files)
mkdir /var/run/${appuser} && \
chown ${appuser} /var/run/${appuser} && \
chmod g=u /var/run/${appuser} && \
# scripts copied to / become executable for all users
chmod 775 /*.sh && \
# media tree (presumably upload storage) owned by the runtime uid
mkdir -p media/threat && chown -R ${uid} media && \
# To avoid warning: (staticfiles.W004) The directory '/app/components/node_modules' in the STATICFILES_DIRS setting does not exist.
mkdir -p components/node_modules && \
chown ${appuser} components/node_modules && \
# removing setuid bits
# (strips setuid/setgid from every file on the image's root filesystem; -xdev
# keeps find from crossing into mounted filesystems; `|| true` keeps the build
# going if find reports an error on some path)
find / -xdev -perm /6000 -type f -exec chmod a-s {} \; || true
# Drop privileges for everything from here on, including the ENTRYPOINT. The
# numeric uid (rather than the name) lets runtimes that enforce non-root verify it.
USER ${uid}
ENV \
# Only variables that are not defined in settings.dist.py
DD_ADMIN_USER=admin \
# left empty in the image — NOTE(review): confirm the initializer generates or
# requires a password when this is empty rather than accepting an empty admin
# credential; verify against docker/entrypoint-initializer.sh
DD_ADMIN_PASSWORD='' \
DD_ADMIN_FIRST_NAME=Admin \
DD_ADMIN_LAST_NAME=User \
DD_CELERY_LOG_LEVEL="INFO" \
DD_CELERY_WORKER_POOL_TYPE="solo" \
# Enable prefork and options below to ramp-up celeryworker performance. Presets should work fine for a machine with 8GB of RAM, while still leaving room.
# See https://docs.celeryproject.org/en/stable/userguide/workers.html#id12 for more details
# DD_CELERY_WORKER_POOL_TYPE="prefork" \
# DD_CELERY_WORKER_AUTOSCALE_MIN="2" \
# DD_CELERY_WORKER_AUTOSCALE_MAX="8" \
# DD_CELERY_WORKER_CONCURRENCY="8" \
# DD_CELERY_WORKER_PREFETCH_MULTIPLIER="128" \
DD_INITIALIZE=true \
# uwsgi in socket mode, bound to all interfaces on port 3031; note that this
# file declares no EXPOSE for it, so the port contract is not documented in the image
DD_UWSGI_MODE="socket" \
DD_UWSGI_ENDPOINT="0.0.0.0:3031" \
DD_UWSGI_NUM_OF_PROCESSES="2" \
DD_UWSGI_NUM_OF_THREADS="2"
# exec (JSON) form: the script runs directly, not under `/bin/sh -c`, so it
# receives the container's stop signal itself.
ENTRYPOINT ["/entrypoint-uwsgi.sh"]
# ---- unit-test variant: the runtime image plus the unittests tree. User,
# environment and entrypoint are all inherited from the django stage. The copy
# has no --chown, so the tree is root-owned and read-only for the runtime uid,
# consistent with the rest of /app.
FROM django AS django-unittests
COPY unittests/ /app/unittests/