From 69aeddaabb90a930d29d9a60dfaa47a929a963b9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Daniel=20Ha=C3=9F?= Date: Sat, 19 Aug 2023 22:05:34 +0200 Subject: [PATCH] Switch containers to unpriviliged service user (#357) * Switched container to unpriviliged service user * splitted repo Dockerfiles in variants * updated CI to build both container variants * restructured Dockerfiles and added optional deps * split root and nonroot docker build ci jobs * updated checkout ci action to v3 - node12 warning * incorperated arm64 build --------- Co-authored-by: Almar Klein --- .github/workflows/dockerimage.yml | 49 ++++++++++++++++++++++++++++--- deploy/repo.Dockerfile | 15 +++++----- deploy/repo.nonroot.Dockerfile | 28 ++++++++++++++++++ 3 files changed, 80 insertions(+), 12 deletions(-) create mode 100644 deploy/repo.nonroot.Dockerfile diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml index c9ea1e75..2d0eb19d 100644 --- a/.github/workflows/dockerimage.yml +++ b/.github/workflows/dockerimage.yml @@ -11,15 +11,19 @@ permissions: packages: write jobs: - docker: + # Build default priviliged container image version + docker-root: runs-on: ubuntu-latest steps: - name: Check out the repo uses: actions/checkout@v3 + - name: Set up QEMU uses: docker/setup-qemu-action@v2 + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 + - name: Log in to GitHub container registry uses: docker/login-action@v2 with: 
@@ -29,17 +33,54 @@ jobs: - name: Extract metadata (tags, labels) for Docker id: meta - uses: docker/metadata-action@v3 + uses: docker/metadata-action@v4 with: images: ghcr.io/${{ github.repository }} tags: type=ref,event=tag - name: Build and push Docker image - uses: docker/build-push-action@v3 + uses: docker/build-push-action@v4 with: context: . platforms: linux/amd64,linux/arm64 file: deploy/repo.Dockerfile push: true tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} \ No newline at end of file + labels: ${{ steps.meta.outputs.labels }} + + # Build non-root container image variant + docker-nonroot: + runs-on: ubuntu-latest + steps: + - name: Check out the repo + uses: actions/checkout@v3 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v2 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v2 + + - name: Log in to GitHub container registry + uses: docker/login-action@v2 + with: + registry: ghcr.io + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Extract metadata (tags, labels) for Docker + id: meta-nonroot + uses: docker/metadata-action@v4 + with: + images: ghcr.io/${{ github.repository }} + tags: type=ref,event=tag,suffix=-nonroot + + - name: Build and push Docker image + uses: docker/build-push-action@v4 + with: + context: . + platforms: linux/amd64,linux/arm64 + file: deploy/repo.nonroot.Dockerfile + push: true + tags: ${{ steps.meta-nonroot.outputs.tags }} + labels: ${{ steps.meta-nonroot.outputs.labels }} diff --git a/deploy/repo.Dockerfile b/deploy/repo.Dockerfile index 9860b28a..6df96c68 100644 --- a/deploy/repo.Dockerfile +++ b/deploy/repo.Dockerfile 
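Review bot: The new `docker-nonroot` job repeats every step of `docker-root` verbatim, differing only in the `file:` input and the `suffix=-nonroot` tag attribute, so the two build pipelines will drift the next time someone bumps an action or a platform in only one of them. A single job with a two-entry `strategy.matrix` (file plus tag suffix) keeps one copy of the checkout/QEMU/Buildx/login/build sequence; I have not verified that metadata-action accepts an empty `suffix=` for the root variant, so that attribute may need to be conditional. Independently of the duplication, every `uses:` in both jobs references a mutable major tag (`actions/checkout@v3`, `docker/build-push-action@v4`, ...) with `packages: write` granted, so a retargeted tag would run with push rights to ghcr.io; pinning each action to a full commit SHA with the tag in a trailing comment, e.g. `uses: docker/build-push-action@<commit-sha> # v4`, removes that exposure.
```yaml
  docker:
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        include:
          - file: deploy/repo.Dockerfile
            suffix: ""
          - file: deploy/repo.nonroot.Dockerfile
            suffix: -nonroot
    steps:
      # … unchanged: checkout, QEMU, Buildx and registry login steps …
      - name: Extract metadata (tags, labels) for Docker
        id: meta
        uses: docker/metadata-action@v4
        with:
          images: ghcr.io/${{ github.repository }}
          tags: type=ref,event=tag,suffix=${{ matrix.suffix }}
      - name: Build and push Docker image
        uses: docker/build-push-action@v4
        with:
          context: .
          platforms: linux/amd64,linux/arm64
          file: ${{ matrix.file }}
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
```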
@@ -4,16 +4,15 @@
 
 FROM python:3.10-slim-buster
 
-# Install dependencies (including optional ones that make uvicorn faster)
-RUN pip --no-cache-dir install pip --upgrade && pip --no-cache-dir install \
- uvicorn uvloop httptools \
- fastuaparser itemdb>=1.1.1 asgineer requests \
- jinja2 markdown pscript \
- pyjwt cryptography
-
 WORKDIR /root
 COPY . .
 
-RUN pip install -e .
+# Install dependencies (including optional ones that make uvicorn faster)
+# Upgrade pip to the lastest version
+RUN pip --no-cache-dir install pip --upgrade && \
+ # Install optional depedencies that make uvicorn faster
+ pip --no-cache-dir install uvicorn uvloop httptools && \
+ # Install timetagger depedencies defined via setup.py
+ pip install --no-cache-dir --no-warn-script-location -e .
 
 CMD ["python", "-m", "timetagger"]
diff --git a/deploy/repo.nonroot.Dockerfile b/deploy/repo.nonroot.Dockerfile
new file mode 100644
index 00000000..045b9e41
--- /dev/null
+++ b/deploy/repo.nonroot.Dockerfile
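Review bot: The rebuilt `RUN` at the bottom of the hunk upgrades pip and installs `uvicorn uvloop httptools` with no version pins, so two builds of the same commit can yield different images and a broken or withdrawn upstream release reaches the published ghcr.io image without any change in this repository; the identical block appears again in the new deploy/repo.nonroot.Dockerfile hunk and the same applies there. Pin the three optional packages, e.g. `pip --no-cache-dir install uvicorn==<version> uvloop==<version> httptools==<version>`, and either pin pip the same way or drop the self-upgrade, since the base image already ships a pip. The comments in the same block carry typos worth fixing while touching it: `# Upgrade pip to the latest version`, `# Install optional dependencies that make uvicorn faster` and `# Install timetagger dependencies defined via setup.py`.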
@@ -0,0 +1,28 @@
+# Dockerfile to build an image from the repo.
+# Note that the build context must be the root of the repo.
+# Used by CI to build the image that is pushed to ghcr.
+# Unpriviliged version that installs and runs as UID 1000.
+
+FROM python:3.10-slim-buster
+
+# Create unpriviliged user and group, including directory structure
+RUN groupadd -g 1000 timetagger && \
+ useradd -r -u 1000 -m -g timetagger timetagger && \
+ mkdir /opt/timetagger && \
+ chown timetagger:timetagger /opt/timetagger
+
+# Switch to unpriviliged user
+USER 1000
+
+WORKDIR /opt/timetagger
+COPY . /opt/timetagger
+
+# Install dependencies (including optional ones that make uvicorn faster)
+# Upgrade pip to the lastest version
+RUN pip --no-cache-dir install pip --upgrade && \
+ # Install optional depedencies that make uvicorn faster
+ pip --no-cache-dir install uvicorn uvloop httptools && \
+ # Install timetagger depedencies defined via setup.py
+ pip install --no-cache-dir --no-warn-script-location -e .
+
+CMD ["python", "-m", "timetagger"]
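Review bot: `COPY . /opt/timetagger` comes after `USER 1000` but COPY writes its files as root when no `--chown` is given, so only the directory created by the earlier `mkdir`/`chown` belongs to `timetagger`; the editable install (`pip install ... -e .`) that follows then has to create its metadata inside a root-owned tree, and if the build context already contains an `*.egg-info` or `build/` directory, UID 1000 cannot write into it. Use `COPY --chown=timetagger:timetagger . /opt/timetagger` so the whole tree is owned by the service user. The pip self-upgrade and the package installs also run as UID 1000 against a system site-packages it cannot write, so they appear to rely on pip's automatic fallback to a user-site install under the `-m`-created home; a comment such as `# Runs as UID 1000: pip falls back to a user-site install under ~/.local` would make that explicit, since `--no-warn-script-location` silences the only hint of it. The header and the two other comments misspell the word; `# Unprivileged version that installs and runs as UID 1000.` and `# Create unprivileged user and group, including directory structure` read better.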