[Enhancement] Improve Dockerfile permissions (#157)
* Updated dockerfile * added a healthcheck
This commit is contained in:
parent
2f9abe86b4
commit
f9c2f7b8f2
4 changed files with 30 additions and 16 deletions
9
lib/pinchflat_web/controllers/health_controller.ex
Normal file
9
lib/pinchflat_web/controllers/health_controller.ex
Normal file
|
|
@ -0,0 +1,9 @@
|
|||
defmodule PinchflatWeb.HealthController do
|
||||
use PinchflatWeb, :controller
|
||||
|
||||
def check(conn, _params) do
|
||||
conn
|
||||
|> put_status(:ok)
|
||||
|> json(%{status: "ok"})
|
||||
end
|
||||
end
|
||||
|
|
@ -47,6 +47,13 @@ defmodule PinchflatWeb.Router do
|
|||
get "/media/:uuid/stream", MediaItems.MediaItemController, :stream
|
||||
end
|
||||
|
||||
# No auth or CSRF protection for the health check endpoint
|
||||
scope "/", PinchflatWeb do
|
||||
pipe_through :api
|
||||
|
||||
get "/healthcheck", HealthController, :check
|
||||
end
|
||||
|
||||
scope "/dev" do
|
||||
pipe_through :browser
|
||||
|
||||
|
|
|
|||
|
|
@ -95,11 +95,9 @@ ENV LANGUAGE en_US:en
|
|||
ENV LC_ALL en_US.UTF-8
|
||||
|
||||
WORKDIR "/app"
|
||||
RUN chown nobody /app
|
||||
|
||||
# Set up data volumes
|
||||
RUN mkdir /config /downloads
|
||||
RUN chown nobody /config /downloads
|
||||
|
||||
# set runner ENV
|
||||
ENV MIX_ENV="prod"
|
||||
|
|
@ -108,25 +106,15 @@ ENV RUN_CONTEXT="selfhosted"
|
|||
EXPOSE ${PORT}
|
||||
|
||||
# Only copy the final release from the build stage
|
||||
COPY --from=builder --chown=nobody:root /app/_build/${MIX_ENV}/rel/pinchflat ./
|
||||
|
||||
# NEVER do this if you're running in an environment where you don't trust the user
|
||||
# (ie: most environments). This is only acceptable in a self-hosted environment.
|
||||
# The user could just run the whole container as root and bypass this anyway so
|
||||
# it's not a huge deal.
|
||||
# This removes the root password to allow users to assume root if needed. This is
|
||||
# preferrable to running the whole container as root so that the files/directories
|
||||
# created by the app aren't owned by root and are therefore easier for other users
|
||||
# and processes to interact with. If you want to just run the whole container as
|
||||
# root, use --user 0:0 or something.
|
||||
RUN passwd -d root
|
||||
|
||||
USER nobody
|
||||
COPY --from=builder /app/_build/${MIX_ENV}/rel/pinchflat ./
|
||||
|
||||
# If using an environment that doesn't automatically reap zombie processes, it is
|
||||
# advised to add an init process such as tini via `apt-get install`
|
||||
# above and adding an entrypoint. See https://github.com/krallin/tini for details
|
||||
# ENTRYPOINT ["/tini", "--"]
|
||||
|
||||
HEALTHCHECK --interval=120s --start-period=10s \
|
||||
CMD curl --fail http://localhost:${PORT}/healthcheck || exit 1
|
||||
|
||||
# Start the app
|
||||
CMD ["/app/bin/docker_start"]
|
||||
|
|
|
|||
10
test/pinchflat_web/controllers/health_controller_test.exs
Normal file
10
test/pinchflat_web/controllers/health_controller_test.exs
Normal file
|
|
@ -0,0 +1,10 @@
|
|||
defmodule PinchflatWeb.HealthControllerTest do
|
||||
use PinchflatWeb.ConnCase
|
||||
|
||||
describe "GET /healthcheck" do
|
||||
test "returns ok", %{conn: conn} do
|
||||
conn = get(conn, "/healthcheck")
|
||||
assert json_response(conn, 200) == %{"status" => "ok"}
|
||||
end
|
||||
end
|
||||
end
|
||||
Loading…
Reference in a new issue