add non-root user to frontend and backend containers

also remove huey further
intuitem · Dec 22, 2024 · c05fbc5 · c05fbc5
1 parent c7b0bfb
commit c05fbc5
Show file tree

Hide file tree

Showing 5 changed files with 18 additions and 11 deletions.
diff --git a/backend/Dockerfile b/backend/Dockerfile
@@ -30,6 +30,9 @@ RUN pip install --upgrade pip && \
 RUN poetry install
 RUN rm -rf $POETRY_CACHE_DIR
 
+RUN addgroup -g 1001 -S backend && adduser -u 1001 -S -G backend backend
+RUN chown -R backend:backend /code/db
+USER backend
 
 ENTRYPOINT ["poetry", "run",  "bash", "startup.sh"]
 EXPOSE 8000
diff --git a/backend/ciso_assistant/settings.py b/backend/ciso_assistant/settings.py
@@ -375,15 +375,15 @@ def set_ciso_assistant_url(_, __, event_dict):
     # OTHER SETTINGS
 }
 
-HUEY = {
-    "huey_class": "huey.SqliteHuey",  # Huey implementation to use.
-    "name": "huey-ciso-assistant",  # Use db name for huey.
-    "results": True,  # Store return values of tasks.
-    "store_none": False,  # If a task returns None, do not save to results.
-    "immediate": DEBUG,  # If DEBUG=True, run synchronously.
-    "utc": True,  # Use UTC for all times internally.
-    "filename": "db/huey.sqlite3",
-}
+#HUEY = {
+#    "huey_class": "huey.SqliteHuey",  # Huey implementation to use.
+#    "name": "huey-ciso-assistant",  # Use db name for huey.
+#    "results": True,  # Store return values of tasks.
+#    "store_none": False,  # If a task returns None, do not save to results.
+#    "immediate": DEBUG,  # If DEBUG=True, run synchronously.
+#    "utc": True,  # Use UTC for all times internally.
+#    "filename": "db/huey.sqlite3",
+#}
 
 # SSO with allauth
 

diff --git a/backend/startup.sh b/backend/startup.sh
@@ -7,7 +7,7 @@ fi
 
 if [ ! -n "$DJANGO_SECRET_KEY" ]; then
 	if [ ! -f db/django_secret_key ]; then
-		cat /proc/sys/kernel/random/uuid >db/django_secret_key
+		install -m 600 <(cat /proc/sys/kernel/random/uuid) db/django_secret_key
 		echo "generating initial Django secret key"
 	fi
 	export DJANGO_SECRET_KEY=$(<db/django_secret_key)

diff --git a/docker-compose-build.sh b/docker-compose-build.sh
@@ -32,7 +32,7 @@ else
 
   # Simple wait for database migrations
   echo "Giving some time for the database to be ready, please wait ..."
-  sleep 30
+  sleep 60
 
   echo "Initialize your superuser account..."
   docker compose exec backend poetry run python manage.py createsuperuser

diff --git a/frontend/Dockerfile b/frontend/Dockerfile
@@ -21,4 +21,8 @@ COPY package.json .
 EXPOSE 3000
 ENV NODE_ENV=production
 ENV BODY_SIZE_LIMIT=20000000
+
+RUN addgroup -g 1002 -S frontend && adduser -u 1002 -S -G frontend frontend
+USER frontend
+
 CMD [ "node", "server" ]