Merge pull request #15 from helyOSFramework/security_docker

non-root user for helyos core

helyos_dashboard/package.json

@@ -24,8 +24,6 @@
  "@angular/platform-browser": "14.3.0",
  "@angular/platform-browser-dynamic": "14.3.0",
  "@angular/router": "14.3.0",
- "@asymmetrik/ngx-leaflet": "14.0.1",
- "@asymmetrik/ngx-leaflet-draw": "14.0.1",
  "@ng-bootstrap/ng-bootstrap": "13.1.1",
  "@ngx-translate/core": "14.0.0",
  "@ngx-translate/http-loader": "7.0.0",
@@ -49,8 +47,6 @@
  "@types/jasmine": "4.6.0",
  "@types/jasminewd2": "2.0.11",
  "@types/js-yaml": "^4.0.7",
- "@types/leaflet": "1.9.6",
- "@types/leaflet-draw": "1.0.8",
  "@types/node": "14.18.63",
  "codelyzer": "6.0.2",
  "jasmine-core": "4.1.1",

helyos_server/package.json

@@ -18,10 +18,10 @@
  "amqplib": "^0.10.3",
  "events": "^3.3.0",
  "express": "4.18.3",
+ "js-yaml": "^4.1.0",
  "nock": "^13.5.4",
- "node-rtsp-stream": "0.0.8",
  "pg": "^8.7.3",
- "postgraphile": "^4.7.0",
+ "postgraphile": "4.13.0",
  "redoc-cli": "^0.13.21",
  "request": "2.88.2",
  "socket.io": "4.6.1",

packaging/Dockerfile

@@ -1,7 +1,7 @@
 # First stage
-FROM node:18 AS build
+FROM node:18 AS dashboard_build
 
-# ------------------- building the dashboard app -----------------------------
+# ------------------- BUILDING THE DASHBOARD -----------------------------
 WORKDIR /usr/src/app
 COPY helyos_dashboard/package.json /usr/src/app/package.json
 COPY helyos_dashboard/package-lock.json /usr/src/app/package-lock.json
@@ -11,55 +11,55 @@ RUN npm run build --prod
 
 
 
-# Second stage
+# # Second stage
 FROM helyosframework/helyos_core_base:2.0.1
 
-# ------------------- building the backend services -----------------------------
+# ------------------- BUILDING THE SERVER -----------------------------
 
+
+# FOLDER STRUCTURE
+WORKDIR /usr/local/helyos_core/helyos_server/
 RUN mkdir -p /usr/local/helyos_core/helyos_server
 RUN mkdir -p /usr/local/helyos_core/helyos_database
 RUN mkdir -p /usr/local/helyos_core/helyos_dashboard
-
-RUN mkdir -p /etc/helyos
+RUN mkdir -p /usr/local/helyos_core/bin
 RUN mkdir -p /etc/helyos/config
 RUN mkdir -p /etc/helyos/.ssl_keys
 RUN mkdir -p /etc/helyos/db_initial_data
 
+# NON ROOT USER 
+RUN adduser --disabled-password --gecos '' helyosnonroot
+RUN chown -R helyosnonroot:helyosnonroot /usr/local/helyos_core
+RUN chown -R helyosnonroot:helyosnonroot /etc/helyos
+USER helyosnonroot
 
-# DASHBOARD
-COPY --from=build /usr/src/app/dist/ /usr/local/helyos_core/helyos_dashboard/dist/
-# LICENSE
-COPY LICENSE.txt /usr/local/helyos_core/LICENSE.txt
-
-
-# NODE JS PACKAGES 
-WORKDIR /usr/local/helyos_core/helyos_server/
-COPY helyos_server/package.json /usr/local/helyos_core/helyos_server/package.json
-COPY helyos_server/package-lock.json /usr/local/helyos_core/helyos_server/package-lock.json
-RUN npm set fetch-retry-maxtimeout 600000 && npm install --timeout=600000
-
-# SET ENVIRONMENT VARIABLE with the default path for node_modules
+# INSTALL HELYOS CORE DEPENDENCIES
 ENV NODE_PATH=/usr/local/helyos_core/helyos_server/node_modules
+COPY --chown=helyosnonroot helyos_server/package.json /usr/local/helyos_core/helyos_server/package.json
+COPY --chown=helyosnonroot helyos_server/package-lock.json /usr/local/helyos_core/helyos_server/package-lock.json
+RUN npm ci --omit=dev --timeout=600000
+
+# HELYOS CORE SERVER FILES
+COPY --chown=helyosnonroot helyos_server/ /usr/local/helyos_core/helyos_server
+COPY --chown=helyosnonroot LICENSE.txt /usr/local/helyos_core/LICENSE.txt
+COPY --chown=helyosnonroot --from=dashboard_build /usr/src/app/dist/ /usr/local/helyos_core/helyos_dashboard/dist/
 
-COPY helyos_database/ /usr/local/helyos_core/helyos_database
+# DATABASE
+COPY --chown=helyosnonroot helyos_database/ /usr/local/helyos_core/helyos_database
 RUN dos2unix /usr/local/helyos_core/helyos_database/db_commands/migrate.sh
 RUN chmod +x /usr/local/helyos_core/helyos_database/db_commands/migrate.sh
 RUN dos2unix /usr/local/helyos_core/helyos_database/db_commands/create_admin_account.sh
 RUN chmod +x /usr/local/helyos_core/helyos_database/db_commands/create_admin_account.sh
 
 
-# BACKEND SERVICES 
-COPY helyos_server/ /usr/local/helyos_core/helyos_server
-
-
 # ENTRYPOINT FILES
-COPY packaging/wait-for-postgres.sh /usr/local/bin/wait-for-postgres.sh
-RUN dos2unix /usr/local/bin/wait-for-postgres.sh
-RUN chmod +x /usr/local/bin/wait-for-postgres.sh 
+COPY --chown=helyosnonroot packaging/wait-for-postgres.sh /usr/local/helyos_core/bin/wait-for-postgres.sh
+RUN dos2unix /usr/local/helyos_core/bin/wait-for-postgres.sh
+RUN chmod +x /usr/local/helyos_core/bin/wait-for-postgres.sh 
 
-COPY packaging/entrypoint.sh /usr/local/bin/entrypoint.sh
-RUN dos2unix /usr/local/bin/entrypoint.sh
-RUN chmod +x /usr/local/bin/entrypoint.sh 
+COPY --chown=helyosnonroot packaging/entrypoint.sh /usr/local/helyos_core/bin/entrypoint.sh
+RUN dos2unix /usr/local/helyos_core/bin/entrypoint.sh
+RUN chmod +x /usr/local/helyos_core/bin/entrypoint.sh 
 
 
 # ----------------- OPTIONALS ------------------------------
@@ -70,7 +70,7 @@ RUN chmod +x /usr/local/bin/entrypoint.sh
 # RUN npm run make_path_api_doc
 
 # SET INITIAL DB DATA WITHINGG THIS DOCKER IMAGE
-# COPY ./your_sql_folder/db_initial_data/ /etc/helyos/db_initial_data/
+# COPY --chown=helyosnonroot ./your_sql_folder/db_initial_data/ /etc/helyos/db_initial_data/
 
 # CONVERT THE SOURCE CODE TO A SINGLE BINARY FILE AND DELETE THE SOURCE CODE
 # RUN npm install -g pkg
@@ -79,12 +79,12 @@ RUN chmod +x /usr/local/bin/entrypoint.sh
 # RUN rm -r /usr/local/helyos_core/helyos_server/src
 
 
-# ------------------- start -----------------------
+# ------------------- START -----------------------
 EXPOSE 5002
 EXPOSE 5000
 EXPOSE 8080
 
-CMD [ "/usr/local/bin/wait-for-postgres.sh", "sh -c /usr/local/bin/entrypoint.sh"]
+CMD [ "/usr/local/helyos_core/bin/wait-for-postgres.sh", "sh -c /usr/local/helyos_core/bin/entrypoint.sh"]
 
 
 

packaging/build.sh

@@ -1 +1 @@
-docker build -f ./Dockerfile -t helyosframework/helyos_core:test .. 
+docker build --no-cache -f ./Dockerfile -t helyosframework/helyos_core:test ..