[Enhancement] Improve Dockerfile permissions (#157)

* Updated dockerfile

* added a healthcheck
This commit is contained in:
Kieran 2024-04-01 18:56:03 -07:00 committed by GitHub
parent 2f9abe86b4
commit f9c2f7b8f2
4 changed files with 30 additions and 16 deletions

View file

@ -0,0 +1,9 @@
defmodule PinchflatWeb.HealthController do
use PinchflatWeb, :controller
def check(conn, _params) do
conn
|> put_status(:ok)
|> json(%{status: "ok"})
end
end

View file

@ -47,6 +47,13 @@ defmodule PinchflatWeb.Router do
get "/media/:uuid/stream", MediaItems.MediaItemController, :stream
end
# No auth or CSRF protection for the health check endpoint
scope "/", PinchflatWeb do
pipe_through :api
get "/healthcheck", HealthController, :check
end
scope "/dev" do
pipe_through :browser

View file

@ -95,11 +95,9 @@ ENV LANGUAGE en_US:en
ENV LC_ALL en_US.UTF-8
WORKDIR "/app"
RUN chown nobody /app
# Set up data volumes
RUN mkdir /config /downloads
RUN chown nobody /config /downloads
# set runner ENV
ENV MIX_ENV="prod"
@ -108,25 +106,15 @@ ENV RUN_CONTEXT="selfhosted"
EXPOSE ${PORT}
# Only copy the final release from the build stage
COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/pinchflat ./
# NEVER do this if you're running in an environment where you don't trust the user
# (ie: most environments). This is only acceptable in a self-hosted environment.
# The user could just run the whole container as root and bypass this anyway so
# it's not a huge deal.
# This removes the root password to allow users to assume root if needed. This is
# preferrable to running the whole container as root so that the files/directories
# created by the app aren't owned by root and are therefore easier for other users
# and processes to interact with. If you want to just run the whole container as
# root, use --user 0:0 or something.
RUN passwd -d root
USER nobody
COPY --from=builder /app/_build/${MIX_ENV}/rel/pinchflat ./
# If using an environment that doesn't automatically reap zombie processes, it is
# advised to add an init process such as tini via `apt-get install`
# above and adding an entrypoint. See https://github.com/krallin/tini for details
# ENTRYPOINT ["/tini", "--"]
HEALTHCHECK --interval=120s --start-period=10s \
CMD curl --fail http://localhost:${PORT}/healthcheck || exit 1
# Start the app
CMD ["/app/bin/docker_start"]

View file

@ -0,0 +1,10 @@
defmodule PinchflatWeb.HealthControllerTest do
use PinchflatWeb.ConnCase
describe "GET /healthcheck" do
test "returns ok", %{conn: conn} do
conn = get(conn, "/healthcheck")
assert json_response(conn, 200) == %{"status" => "ok"}
end
end
end