Merge pull request #373 from cloud-gov/harden-image

Harden image

ci/pipeline.yml

@@ -242,19 +242,9 @@ jobs:
  params: {depth: 1}
  trigger: true
  passed: [reconfigure]
-
- - put: dev-docker-image
- # We push this docker image _only_ so that we can use it in the next task
- # below. :shrug: concourse.
- params:
- build: src
- dockerfile: src/docker/Dockerfile.dev
- tag_as_latest: true
- cache: true
-
+ - get: external-domain-broker-testing
  - task: test
- # Run the tests using the image pushed above.
- image: dev-docker-image
+ image: external-domain-broker-testing
  config:
  platform: linux
  params:
@@ -434,12 +424,12 @@ jobs:
  - get: cf-staging
  trigger: true
  passed: [staging]
- - get: dev-docker-image
+ - get: external-domain-broker-testing
  - get: test-timer
  trigger: true
  - in_parallel:
  - task: acceptance-cdn
- image: dev-docker-image
+ image: external-domain-broker-testing
  timeout: 6h
  config:
  platform: linux
@@ -453,7 +443,7 @@ jobs:
  run:
  path: /app/acceptance/run.sh
  - task: acceptance-alb
- image: dev-docker-image
+ image: external-domain-broker-testing
  timeout: 6h
  config:
  platform: linux
@@ -463,7 +453,7 @@ jobs:
  run:
  path: /app/acceptance/run.sh
  - task: acceptance-dedicated
- image: dev-docker-image
+ image: external-domain-broker-testing
  timeout: 6h
  config:
  platform: linux
@@ -473,7 +463,7 @@ jobs:
  run:
  path: /app/acceptance/run.sh
  - task: acceptance-cdn-dedicated-waf
- image: dev-docker-image
+ image: external-domain-broker-testing
  timeout: 6h
  config:
  platform: linux
@@ -586,12 +576,12 @@ jobs:
  - get: cf-production
  trigger: true
  passed: [production]
- - get: dev-docker-image
+ - get: external-domain-broker-testing
  - get: test-timer
  trigger: true
  - in_parallel:
  - task: acceptance-cdn
- image: dev-docker-image
+ image: external-domain-broker-testing
  timeout: 6h
  config:
  platform: linux
@@ -601,7 +591,7 @@ jobs:
  run:
  path: /app/acceptance/run.sh
  - task: acceptance-alb
- image: dev-docker-image
+ image: external-domain-broker-testing
  timeout: 6h
  config:
  platform: linux
@@ -615,7 +605,7 @@ jobs:
  run:
  path: /app/acceptance/run.sh
  - task: acceptance-dedicated
- image: dev-docker-image
+ image: external-domain-broker-testing
  timeout: 6h
  config:
  platform: linux
@@ -629,7 +619,7 @@ jobs:
  run:
  path: /app/acceptance/run.sh
  - task: acceptance-cdn-dedicated-waf
- image: dev-docker-image
+ image: external-domain-broker-testing
  timeout: 6h
  config:
  platform: linux
@@ -744,14 +734,14 @@ resources:
  uri: https://github.com/cloud-gov/((name))
  branch: ((git-branch))
 
-- name: dev-docker-image
- type: docker-image
- icon: docker
+- name: external-domain-broker-testing
+ type: registry-image
  source:
- email: ((docker-email))
- username: ((docker-username))
- password: ((docker-password))
- repository: ((docker-image-dev))
+ aws_access_key_id: ((ecr_aws_key))
+ aws_secret_access_key: ((ecr_aws_secret))
+ repository: external-domain-broker-testing
+ aws_region: us-gov-west-1
+ tag: latest
 
 - name: cf-dev
  type: cf

dev

@@ -82,6 +82,7 @@ build_image() {
  --build-arg UID="$(id -u)" \
  --build-arg GID="$(id -g)" \
  --build-arg USER="$USER" \
+ --build-arg base_image="ubuntu:22.04" \
  .
 }
 

docker/Dockerfile.dev

@@ -1,4 +1,6 @@
-FROM python:3.11-slim as base
+ARG base_image
+
+FROM ${base_image} AS base
 
 # When building locally, these should be set to your UID/GID. That way, any
 # files written to the $PWD mount will be owned by you. This is not
@@ -9,37 +11,44 @@ ARG USER=app
 
 # In case the host user's GID is already in the base image.
 RUN grep -q ":$GID:" /etc/group \
- || groupadd --gid="$GID" "$USER"
+  || groupadd --gid="$GID" "$USER"
 
 RUN useradd \
-  --home-dir="/home/$USER" \
-  --no-log-init \
-  --create-home \
-  --shell=/bin/bash \
-  --gid=$GID \
-  --uid=$UID \
-  --no-user-group \
-  --non-unique \
-  "$USER"
+ --home-dir="/home/$USER" \
+ --no-log-init \
+ --create-home \
+ --shell=/bin/bash \
+ --gid=$GID \
+ --uid=$UID \
+ --no-user-group \
+ --non-unique \
+ "$USER"
 
 RUN apt update \
- && apt -y upgrade \
- && apt install -y --no-install-recommends \
- build-essential \
- libpq-dev \
- curl \
- gnupg2 \
- procps \
- git \
- lsb-release
+ && apt -y upgrade \
+ && apt install -y --no-install-recommends \
+ build-essential \
+ libpq-dev \
+ curl \
+ gnupg2 \
+ procps \
+ git \
+ lsb-release \
+ ca-certificates \
+ python3.11 \
+ python3-pip \
+ python3.11-dev
+
+# Symlink python command to python3.11
+RUN ln -s /usr/bin/python3.11 /usr/bin/python
 
 # Install Fake Pebble LE server
 COPY --from=letsencrypt/pebble:latest /usr/bin/pebble /usr/bin/pebble
 COPY --from=letsencrypt/pebble:latest /test/ /test/
 COPY --from=letsencrypt/pebble-challtestsrv:latest /usr/bin/pebble-challtestsrv /usr/bin/pebble-challtestsrv
 
 RUN cp /test/certs/pebble.minica.pem /usr/local/share/ca-certificates/pebble.crt \
- && update-ca-certificates
+  && update-ca-certificates
 
 # Install Redis
 # cloud.gov currently supports redis 5.0
@@ -53,27 +62,30 @@ RUN curl -sSL "https://cli.run.pivotal.io/stable?release=linux64-binary&version=
 # Install PostgreSQL
 ENV PG_MAJOR=15
 RUN echo "deb http://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main"\
- > /etc/apt/sources.list.d/pgdg.list \
- && curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
- && apt update \
- && apt install -y --no-install-recommends "postgresql-$PG_MAJOR"
+ > /etc/apt/sources.list.d/pgdg.list \
+ && curl -sSL https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+ && apt update \
+ && DEBIAN_FRONTEND=noninteractive apt install -y --no-install-recommends "postgresql-$PG_MAJOR"
+
+# Disable login shell for postgres user
+RUN usermod -s /sbin/nologin postgres
 
 ENV PGDATA /tmp/data
 ENV PGCONFIG /tmp/data/postgresql.conf
 ENV PATH $PATH:/usr/lib/postgresql/$PG_MAJOR/bin
 
 RUN mkdir -p "$PGDATA" \
- && chown -R "$USER:" "$PGDATA" \
- && chmod 700 "$PGDATA"
+  && chown -R "$USER:" "$PGDATA" \
+  && chmod 700 "$PGDATA"
 
 ENV POSTGRES_HOST_AUTH_METHOD=trust
 
 RUN apt install -y --no-install-recommends awscli jq
 
 # Install local python packages
-RUN pip install --upgrade pip
+RUN python -m pip install --upgrade pip
 COPY pip-tools/dev-requirements.txt ./pip-tools/
-RUN pip install -r pip-tools/dev-requirements.txt
+RUN python -m pip install -r pip-tools/dev-requirements.txt
 
 WORKDIR /app
 RUN chown "$UID:$GID" .

docker/start-servers.sh

@@ -9,7 +9,7 @@ if ! pgrep -x postgres > /dev/null; then
  (
  cd "$PGDATA"
  echo > "$LOGS/postgres.log"
- pg_ctl -l "$LOGS/postgres.log" start 
+ pg_ctl -l "$LOGS/postgres.log" start
  )
 fi
 

docker/stop-servers.sh

@@ -4,4 +4,4 @@ pkill -x pebble
 pkill -x pebble-chall
 pkill -x redis-server
 pkill -f 'python -m smtpd'
-pg_ctl stop 
+pg_ctl stop