explore: non-root user for docker

.github/workflows/startup-tests.yml

@@ -133,8 +133,6 @@ jobs:
         run: pnpm exec playwright install
       - name: Build the Docker app
         run: |
-          rm -rf db
-          mkdir db
           docker compose -f docker-compose-build.yml up -d
       - name: Create backend environment variables file
         working-directory: ${{ env.backend-directory }}
@@ -143,7 +141,10 @@ jobs:
           export $(grep -v '^#' .env | xargs)
       - name: Config the Docker app
         run: |
-          sleep 120 # give the migrations time to finish (included in the up on the previous step)
+          until docker compose -f docker-compose-build.yml exec -T backend curl -f http://localhost:8000/api/build >/dev/null 2>&1; do
+            echo "Backend is not ready - waiting 10s..."
+            sleep 10
+          done
           docker compose -f docker-compose-build.yml exec backend /bin/bash -c "[email protected] DJANGO_SUPERUSER_PASSWORD=1234 poetry run python manage.py createsuperuser --noinput && exit 0"
       - name: Run tests
         working-directory: ${{ env.frontend-directory }}
@@ -270,15 +271,19 @@ jobs:
         working-directory: ${{ env.enterprise-frontend-build-directory }}
         run: pnpm exec playwright install
       - name: Build the Docker app
-        run: docker compose -f enterprise/docker-compose-build.yml up -d
+        run: |
+          docker compose -f enterprise/docker-compose-build.yml up -d
       - name: Create backend environment variables file
         working-directory: ${{ env.backend-directory }}
         run: |
           touch .env
           export $(grep -v '^#' .env | xargs)
       - name: Config the Docker app
         run: |
-          sleep 120 # give the migrations time to finish (included in the up on the previous step)
+          until docker compose -f enterprise/docker-compose-build.yml exec -T backend curl -f http://localhost:8000/api/build >/dev/null 2>&1; do
+            echo "Backend is not ready - waiting 10s..."
+            sleep 10
+          done
           docker compose -f enterprise/docker-compose-build.yml exec backend /bin/bash -c "[email protected] DJANGO_SUPERUSER_PASSWORD=1234 poetry run python manage.py createsuperuser --noinput --settings=${{ env.enterprise-backend-settings-module }} && exit 0"
       - name: Run tests
         working-directory: ${{ env.frontend-directory }}

README.md

@@ -273,6 +273,9 @@ For the following executions, use "docker compose up" directly.
 > [!TIP]
 > If you want a fresh install, simply delete the `db` directory, (default: backend/db) where the database is stored.
 
+> [!Note]
+> For docker compose under Linux, using a bind-mount, it is necessary to do `chown 1001:1001 db`.
+
 ## Docker-compose on remote
 
 For docker setup on a remote server or hypervisor, checkout the [specific instructions here](https://intuitem.gitbook.io/ciso-assistant/deployment/remote-virtualization)

backend/Dockerfile

@@ -5,7 +5,8 @@ ENV PYTHONUNBUFFERED=1 \
     POETRY_NO_INTERACTION=1 \
     POETRY_VIRTUALENVS_IN_PROJECT=1 \
     POETRY_VIRTUALENVS_CREATE=1 \
-    POETRY_CACHE_DIR=/tmp/poetry_cache
+    POETRY_CACHE_DIR=/tmp/poetry_cache \
+    HOME=/tmp/
 
 WORKDIR /code
 
@@ -47,6 +48,9 @@ RUN poetry install --no-root \
 
 #watch out for local files during dev and maintenance of .dockerignore
 COPY . .
+RUN groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app && mkdir -p /code/db && chown 1001:1001 /code/db
+USER app
+VOLUME /code/db
 
 EXPOSE 8000
 ENTRYPOINT ["poetry", "run", "bash", "startup.sh"]

docker-compose-build.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-DOCKER_COMPOSE_FILE=docker-compose-build.yml
+DOCKER_COMPOSE_FILE="${1:-docker-compose-build.yml}"
 
 prepare_meta_file() {
   VERSION=$(git describe --tags --always)
@@ -16,28 +16,24 @@ prepare_meta_file() {
 export DOCKER_BUILDKIT=1
 export COMPOSE_DOCKER_CLI_BUILD=1
 
-# Check if database already exists
-if [ -f db/ciso-assistant.sqlite3 ]; then
-  echo "The database seems already created."
-  echo "For successive runs, you can now use 'docker compose up'."
-else
-  prepare_meta_file
+prepare_meta_file
 
-  # Build and start the containers
-  echo "Building containers..."
-  docker compose -f "${DOCKER_COMPOSE_FILE}" build --pull
+# Build and start the containers
+echo "Building containers..."
+docker compose -f "${DOCKER_COMPOSE_FILE}" build --pull
 
-  echo "Starting services..."
-  docker compose -f "${DOCKER_COMPOSE_FILE}" up -d
+echo "Starting services..."
+docker compose -f "${DOCKER_COMPOSE_FILE}" up -d
 
-  # Simple wait for database migrations
-  echo "Giving some time for the database to be ready, please wait ..."
-  sleep 50
+echo "Waiting for CISO Assistant backend to be ready..."
+until docker compose -f "${DOCKER_COMPOSE_FILE}" exec -T backend curl -f http://localhost:8000/api/build >/dev/null 2>&1; do
+  echo "Backend is not ready - waiting 10s..."
+  sleep 10
+done
 
-  echo "Initialize your superuser account..."
-  docker compose exec backend poetry run python manage.py createsuperuser
+echo "Initialize your superuser account..."
+docker compose -f "${DOCKER_COMPOSE_FILE}" exec backend poetry run python manage.py createsuperuser
 
-  echo "🚀 CISO Assistant is ready!"
-  echo "Connect to CISO Assistant on https://localhost:8443"
-  echo "For successive runs, you can now use 'docker compose up'."
-fi
+echo "🚀 CISO Assistant is ready!"
+echo "Connect to CISO Assistant on https://localhost:8443"
+echo "For successive runs, you can now use 'docker compose -f ${DOCKER_COMPOSE_FILE} up -d'."

docker-compose-build.yml

@@ -1,3 +1,6 @@
+volumes:
+  db:
+  caddy_data:
 services:
   backend:
     container_name: backend
@@ -10,7 +13,7 @@ services:
       - CISO_ASSISTANT_URL=https://localhost:8443
       - DJANGO_DEBUG=True
     volumes:
-      - ./db:/code/db
+      - db:/code/db
 
   huey:
     container_name: huey
@@ -25,7 +28,7 @@ services:
       - CISO_ASSISTANT_URL=https://localhost:8443
       - DJANGO_DEBUG=False
     volumes:
-      - ./db:/code/db
+      - db:/code/db
     entrypoint:
       - /bin/sh
       - -c
@@ -55,7 +58,7 @@ services:
     ports:
       - 8443:8443
     volumes:
-      - ./db:/data
+      - caddy_data:/data
     command: |
       sh -c 'echo $$CISO_ASSISTANT_URL "{
       reverse_proxy /api/* backend:8000

docker-compose.sh

@@ -1,12 +1,6 @@
 #! /bin/bash
 set -euo pipefail
 
-DOCKER_COMPOSE_FILE=docker-compose.yml
-if [ -d ./db ]; then
-  echo "The database seems already created. You should launch 'docker compose up -d' instead."
-  echo "For a clean start, you can remove the db folder, and then run 'docker compose rm -fs' and start over"
-  exit 1
-fi
 echo "Starting CISO Assistant services..."
 docker compose pull
 echo "Initializing the database. This can take up to 2 minutes, please wait.."
@@ -24,3 +18,4 @@ docker compose exec backend poetry run python manage.py createsuperuser
 
 echo -e "Initialization complete!"
 echo "You can now access CISO Assistant at https://localhost:8443 (or the host:port you've specified)"
+

docker-compose.yml

@@ -1,3 +1,6 @@
+volumes:
+  db:
+  caddy_data:
 services:
   backend:
     container_name: backend
@@ -11,7 +14,7 @@ services:
       - AUTH_TOKEN_TTL=7200
 
     volumes:
-      - ./db:/code/db
+      - db:/code/db
     healthcheck:
       test: ["CMD-SHELL", "curl -f http://backend:8000/api/build || exit 1"]
       interval: 10s
@@ -34,7 +37,7 @@ services:
       - AUTH_TOKEN_TTL=7200
 
     volumes:
-      - ./db:/code/db
+      - db:/code/db
     entrypoint:
       - /bin/sh
       - -c
@@ -66,7 +69,7 @@ services:
     ports:
       - 8443:8443
     volumes:
-      - ./caddy_data:/data
+      - caddy_data:/data
     command: |
       sh -c 'echo $$CISO_ASSISTANT_URL "{
       reverse_proxy /api/* backend:8000

enterprise/README.md

@@ -4,12 +4,12 @@ New: use the config builder on the `config` folder.
 
 To run CISO Assistant Enterprise locally in a straightforward way, you can use Docker compose.
 
-1. Make sure you are located in the enterprise directory of the repository
+1. Make sure you are located in the top directory of the repository
 
 2. Launch docker-compose script with enterprise docker-compose.yml file:
 
 ```sh
-./docker-compose-build.sh -f enterprise/docker-compose-build.yml
+docker compose-build.sh enterprise/docker-compose-build.yml
 ```
 
 When asked for, enter your email and password for your superuser.

enterprise/backend/Dockerfile

@@ -5,7 +5,8 @@ ENV PYTHONUNBUFFERED=1 \
    POETRY_VIRTUALENVS_IN_PROJECT=1 \
    POETRY_VIRTUALENVS_CREATE=1 \
    POETRY_CACHE_DIR=/tmp/poetry_cache \
-   DJANGO_SETTINGS_MODULE=enterprise_core.settings
+   DJANGO_SETTINGS_MODULE=enterprise_core.settings \
+   HOME=/tmp
 
 WORKDIR /code
 
@@ -53,5 +54,9 @@ COPY backend /code/
 COPY enterprise/backend/enterprise_core /code/enterprise_core
 COPY backend/startup.sh /code/
 
+RUN groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app && mkdir -p /code/db && chown 1001:1001 /code/db
+USER app
+VOLUME /code/db
+
 EXPOSE 8000
 ENTRYPOINT ["poetry", "run", "bash", "startup.sh"]

enterprise/docker-compose-build.yml

@@ -1,3 +1,6 @@
+volumes:
+  db:
+  caddy_data:
 services:
   backend:
     container_name: backend
@@ -13,21 +16,23 @@ services:
       - LICENSE_EXPIRATION=2025-12-21
       - DJANGO_SETTINGS_MODULE=enterprise_core.settings
     volumes:
-      - ./db:/code/db
+      - db:/code/db
 
   huey:
     container_name: huey
     build:
       context: ../
       dockerfile: ./enterprise/backend/Dockerfile
+    depends_on:
+      - backend    
     restart: always
     environment:
       - ALLOWED_HOSTS=backend,localhost
       - DJANGO_DEBUG=True
       - LICENSE_SEATS=5
       - LICENSE_EXPIRATION=2025-12-21
     volumes:
-      - ./db:/code/db
+      - db:/code/db
     entrypoint:
       - /bin/sh
       - -c
@@ -57,7 +62,7 @@ services:
     ports:
       - 8443:8443
     volumes:
-      - ./db:/data
+      - caddy_data:/data
     command: |
       sh -c 'echo $$CISO_ASSISTANT_URL "{
       reverse_proxy /api/* backend:8000

enterprise/frontend/Dockerfile

@@ -24,4 +24,8 @@ COPY frontend/package.json .
 EXPOSE 3000
 ENV NODE_ENV=production
 ENV BODY_SIZE_LIMIT=20000000
+
+RUN addgroup -g 1001 app && adduser -u 1001 -G app -D app
+USER app
+
 CMD [ "node", "server" ]

frontend/Dockerfile

@@ -21,6 +21,7 @@ COPY package.json .
 EXPOSE 3000
 ENV NODE_ENV=production
 ENV BODY_SIZE_LIMIT=20000000
-
+RUN addgroup -g 1001 app && adduser -u 1001 -G app -D app
+USER app
 
 CMD [ "node", "server" ]