-
Notifications
You must be signed in to change notification settings - Fork 8
/
Copy pathDockerfile
117 lines (105 loc) · 3.28 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
FROM python:3.12.3-slim-bookworm
###
# For a list of pre-defined annotation keys and value types see:
# https://github.com/opencontainers/image-spec/blob/master/annotations.md
#
# Note: Additional labels are added by the build workflow.
###
LABEL org.opencontainers.image.authors="[email protected]"
LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency"
###
# Unprivileged user setup variables
###
ARG CISA_UID=421
ARG CISA_GID=${CISA_UID}
ARG CISA_USER="cisa"
ENV CISA_GROUP=${CISA_USER}
ENV CISA_HOME="/home/${CISA_USER}"
###
# Upgrade the system
###
RUN apt-get update --quiet --quiet \
&& apt-get upgrade --quiet --quiet
###
# Create unprivileged user
###
RUN groupadd --system --gid ${CISA_GID} ${CISA_GROUP} \
&& useradd --system --uid ${CISA_UID} --gid ${CISA_GROUP} --comment "${CISA_USER} user" --create-home ${CISA_USER}
###
# Install everything we need
#
# We need redis-tools so we can use redis-cli to communicate with
# redis. wget is used inside of gather-domains.sh.
#
# Install dependencies are only needed for software installation and
# will be removed at the end of the build process.
###
ENV DEPS \
bash \
redis-tools \
wget
ENV INSTALL_DEPS \
curl
RUN apt-get install --quiet --quiet --yes \
--no-install-recommends --no-install-suggests \
$DEPS $INSTALL_DEPS
###
# Make sure pip, setuptools, and wheel are the latest versions
#
# Note that we use pip3 --no-cache-dir to avoid writing to a local
# cache. This results in a smaller final image, at the cost of
# slightly longer install times.
###
RUN pip3 install --no-cache-dir --upgrade \
pip \
setuptools \
wheel
###
# Install domain-scan
#
# The SHELL command is used to ensure that if either the curl call or
# the tar call fail then the image build fails. Source:
# https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#using-pipes
###
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN mkdir ${CISA_HOME}/domain-scan \
&& curl --location https://github.com/cisagov/domain-scan/tarball/master \
| tar --extract --gzip --strip-components 1 --directory ${CISA_HOME}/domain-scan/
RUN pip3 install --no-cache-dir --upgrade \
--requirement ${CISA_HOME}/domain-scan/requirements.txt
###
# Install Python dependencies for scripts/fed_hostnames.py
#
# Note that we use pip3 --no-cache-dir to avoid writing to a local
# cache. This results in a smaller final image, at the cost of
# slightly longer install times.
###
RUN pip3 install --no-cache-dir --upgrade \
docopt \
https://github.com/cisagov/mongo-db-from-config/tarball/develop
###
# Remove install dependencies
###
RUN apt-get remove --quiet --quiet $INSTALL_DEPS
###
# Clean up aptitude cruft
###
RUN apt-get --quiet --quiet clean \
&& rm --recursive --force /var/lib/apt/lists/*
###
# Setup working directory and entrypoint
#
# Put this just before we change users because the copy (and every
# step after it) will always be rerun by docker, but we need to be
# root for the chown command.
###
COPY src ${CISA_HOME}
RUN chown --recursive ${CISA_USER}:${CISA_GROUP} ${CISA_HOME}
###
# Prepare to run
###
# Right now we need to be root at runtime in order to create files in
# ${CISA_HOME}/shared
# USER ${CISA_USER}:${CISA_GROUP}
WORKDIR ${CISA_HOME}
ENTRYPOINT ["./gather-domains.sh"]