Merge #2539

2539: Upgrade alpine, make setup use the base image r=mergify[bot] a=nextgens ## What type of PR? enhancement ## What does this PR do? Upgrade alpine, make setup use the base image, introduce a health-check, drop privileges. Drop privileges on admin too. It may or may not help #2536 Co-authored-by: Florent Daigniere <nextgens@freenetproject.org>
2 years ago · 6a3daa75ac
parent c1da586444 f994c8687e
commit 6a3daa75ac
10 changed files with 45 additions and 38 deletions
--- a/.github/workflows/build_test_deploy.yml
+++ b/.github/workflows/build_test_deploy.yml
@ -126,7 +126,7 @@ jobs:
          password: ${{ secrets.Docker_Password }}
      - name: Helper to convert docker org to lowercase
        id: string
-        uses: ASzc/change-string-case-action@v2
+        uses: ASzc/change-string-case-action@v5
        with:
          string: ${{ github.repository_owner }}
      - name: Build all docker images
@ -182,7 +182,7 @@ jobs:
          password: ${{ secrets.Docker_Password }}
      - name: Helper to convert docker org to lowercase
        id: string
-        uses: ASzc/change-string-case-action@v2
+        uses: ASzc/change-string-case-action@v5
        with:
          string: ${{ github.repository_owner }}
      - name: Build all docker images
@ -244,7 +244,7 @@ jobs:
          password: ${{ secrets.Docker_Password }}
      - name: Helper to convert docker org to lowercase
        id: string
-        uses: ASzc/change-string-case-action@v2
+        uses: ASzc/change-string-case-action@v5
        with:
          string: ${{ github.repository_owner }}
      - name: Build all docker images
@ -307,7 +307,7 @@ jobs:
          password: ${{ secrets.Docker_Password }}
      - name: Helper to convert docker org to lowercase
        id: string
-        uses: ASzc/change-string-case-action@v2
+        uses: ASzc/change-string-case-action@v5
        with:
          string: ${{ github.repository_owner }}
      - name: Build all docker images
@ -370,7 +370,7 @@ jobs:
          password: ${{ secrets.GITHUB_TOKEN }}
      - name: Helper to convert docker org to lowercase
        id: string
-        uses: ASzc/change-string-case-action@v2
+        uses: ASzc/change-string-case-action@v5
        with:
          string: ${{ github.repository_owner }}
      - name: Install python packages
@ -416,7 +416,7 @@ jobs:
          password: ${{ secrets.Docker_Password }}
      - name: Helper to convert docker org to lowercase
        id: string
-        uses: ASzc/change-string-case-action@v2
+        uses: ASzc/change-string-case-action@v5
        with:
          string: ${{ github.repository_owner }}
      - name: Push image to Docker
@ -461,7 +461,7 @@ jobs:
          password: ${{ secrets.Docker_Password }}
      - name: Helper to convert docker org to lowercase
        id: string
-        uses: ASzc/change-string-case-action@v2
+        uses: ASzc/change-string-case-action@v5
        with:
          string: ${{ github.repository_owner }}
      - name: Push image to Docker
--- a/core/admin/start.py
+++ b/core/admin/start.py
@ -2,8 +2,15 @@

 import os
 import logging as log
+from pwd import getpwnam
 import sys

+os.system("chown mailu:mailu -R /dkim")
+os.system("find /data | grep -v /fetchmail | xargs -n1 chown mailu:mailu")
+mailu_id = getpwnam('mailu')
+os.setgid(mailu_id.pw_gid)
+os.setuid(mailu_id.pw_uid)
+
 log.basicConfig(stream=sys.stderr, level=os.environ.get("LOG_LEVEL", "INFO"))

 os.system("flask mailu advertise")
--- a/core/base/Dockerfile
+++ b/core/base/Dockerfile
@ -1,7 +1,7 @@
 # syntax=docker/dockerfile-upstream:1.4.3

 # base system image (intermediate)
-ARG DISTRO=alpine:3.16.2
+ARG DISTRO=alpine:3.16.3
 FROM $DISTRO as system

 ENV TZ=Etc/UTC LANG=C.UTF-8
@ -12,7 +12,7 @@ ARG MAILU_GID=1000
 RUN set -euxo pipefail \
  ; addgroup -Sg ${MAILU_GID} mailu \
  ; adduser -Sg ${MAILU_UID} -G mailu -h /app -g "mailu app" -s /bin/bash mailu \
-  ; apk add --no-cache bash ca-certificates curl python3 tzdata \
+  ; apk add --no-cache bash ca-certificates curl python3 tzdata libcap \
  ; machine="$(uname -m)" \
  ; ! [[ "${machine}" == x86_64 ]] \
    || apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing hardened-malloc
@ -71,6 +71,7 @@ RUN set -euxo pipefail \
 FROM system

 COPY --from=build /app/venv/ /app/venv/
+RUN setcap 'cap_net_bind_service=+ep' /app/venv/bin/gunicorn

 ENV VIRTUAL_ENV=/app/venv
 ENV PATH="${VIRTUAL_ENV}/bin:${PATH}"
--- a/core/none/Dockerfile
+++ b/core/none/Dockerfile
@ -10,5 +10,5 @@ RUN echo $VERSION >/version

 HEALTHCHECK CMD true

-USER app
+USER mailu
 CMD ["/bin/bash", "-c", "sleep infinity"]
--- a/core/rspamd/start.py
+++ b/core/rspamd/start.py
@ -33,4 +33,7 @@ while True:
    log.warning("Admin is not up just yet, retrying in 1 second")

 # Run rspamd
-os.execv("/usr/sbin/rspamd", ["rspamd", "-i", "-f"])
+os.system("mkdir -m 755 -p /run/rspamd")
+os.system("chown rspamd:rspamd /run/rspamd")
+os.system("find /var/lib/rspamd | grep -v /filter | xargs -n1 chown rspamd:rspamd")
+os.execv("/usr/sbin/rspamd", ["rspamd", "-f", "-u", "rspamd", "-g", "rspamd"])
--- a/setup/Dockerfile
+++ b/setup/Dockerfile
@ -1,24 +1,21 @@
-ARG DISTRO=alpine:3.14.5
-FROM $DISTRO
-ARG VERSION
-ENV TZ Etc/UTC
+# syntax=docker/dockerfile-upstream:1.4.3
+
+# setup image
+FROM base
+
+ARG VERSION=local
 LABEL version=$VERSION

-
-RUN mkdir -p /app
-WORKDIR /app
-
-COPY requirements.txt requirements.txt
-RUN apk add --no-cache curl python3 py3-pip \
-    && pip3 install -r requirements.txt
-
-COPY server.py ./server.py
-COPY main.py ./main.py
 COPY flavors /data/flavors
 COPY templates /data/templates
 COPY static ./static
+COPY server.py ./server.py
+COPY main.py ./main.py
+
+RUN echo $VERSION >> /version

 EXPOSE 80/tcp
+HEALTHCHECK --start-period=350s CMD curl -skfLo /dev/null http://localhost/
+USER mailu

 CMD gunicorn -w 4 -b :80 --access-logfile - --error-logfile - --preload main:app
-RUN echo $VERSION >> /version
--- a/setup/requirements.txt
+++ b/setup/requirements.txt
@ -1,12 +0,0 @@
-Flask==1.0.2
-Flask-Bootstrap==3.3.7.1
-gunicorn==19.9.0
-redis==3.2.1
-Jinja2==3.0.3
-MarkupSafe==2.1.0
-Werkzeug==2.0.3
-click==8.0.3
-dominate==2.6.0
-itsdangerous==2.0.1
-redis==3.2.1
-visitor==0.1.3
--- a/tests/build.hcl
+++ b/tests/build.hcl
@ -106,6 +106,9 @@ target "docs" {
 target "setup" {
  inherits = ["defaults"]
  context = "setup/"
+  contexts = {
+    base = "target:base"
+  }
  tags = tag("setup")
 }

--- a/tests/compose/filters/02_email_antispam.sh
+++ b/tests/compose/filters/02_email_antispam.sh
@ -0,0 +1,7 @@
+# GTUBE should be blocked, see https://rspamd.com/doc/gtube_patterns.html
+python3 tests/email_test.py "XJS*C4JDBQADN1.NSBN3*2IDNEN*GTUBE-STANDARD-ANTI-UBE-TEST-EMAIL*C.34X"
+if [ $? -eq 25 ]; then
+	exit 0
+else
+	exit 1
+fi
--- a/towncrier/newsfragments/2539.misc
+++ b/towncrier/newsfragments/2539.misc
@ -0,0 +1 @@
+Upgrade to Alpine 3.16.3; Make setup, admin and rspamd run without root privs. Please ensure that your folder overrides/rspamd is owned by 1000:1000
				`@ -0,0 +1 @@`
				`Upgrade to Alpine 3.16.3; Make setup, admin and rspamd run without root privs. Please ensure that your folder overrides/rspamd is owned by 1000:1000`