From 0cf4fbfde181187c43cf0663a753ddd5f8238a2c Mon Sep 17 00:00:00 2001
From: Nikita Churikov <8545082+churnikov@users.noreply.github.com>
Date: Tue, 12 Mar 2024 15:31:32 +0100
Subject: [PATCH] SS-867 Added docker file and gpg public key for data encryption (#72)

* added docker file and gpg public key for data encryption

---------

Co-authored-by: alfredeen
---
 .github/workflows/serve-encrypt.yml | 68 +++++++++++++++++++++++++++++
 examples/streamlit/Dockerfile | 5 ++-
 serve-encrypt/Dockerfile | 31 +++++++++++++
 serve-encrypt/gpg-public-key | 13 ++++++
 serve-filemanager/Dockerfile | 6 +-
 5 files changed, 119 insertions(+), 4 deletions(-)
 create mode 100644 .github/workflows/serve-encrypt.yml
 create mode 100644 serve-encrypt/Dockerfile
 create mode 100644 serve-encrypt/gpg-public-key

diff --git a/.github/workflows/serve-encrypt.yml b/.github/workflows/serve-encrypt.yml
new file mode 100644
index 0000000..f6e723e
--- /dev/null
+++ b/.github/workflows/serve-encrypt.yml
@@ -0,0 +1,68 @@
+name: Serve-Encrypt workflow
+
+on:
+ push:
+ paths:
+ - "serve-encrypt/**"
+ # Adds ability to run this workflow manually
+ workflow_dispatch:
+ inputs:
+ logLevel:
+ description: 'Log level'
+ required: true
+ default: 'warning'
+ type: choice
+ options:
+ - info
+ - warning
+ - debug
+ tags:
+ description: 'Manual run'
+ required: false
+ type: boolean
+
+jobs:
+
+ push:
+ if: |
+ github.ref == 'refs/heads/main' &&
+ github.repository == 'scilifelabdatacentre/serve-images'
+
+ runs-on: ubuntu-latest
+ concurrency:
+ group: '${{ github.workflow }} @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+ cancel-in-progress: true
+ permissions:
+ contents: read
+ packages: write
+
+ steps:
+ - name: 'Checkout github action'
+ uses: actions/checkout@main
+
+ - name: Docker meta
+ id: meta
+ uses: docker/metadata-action@v4
+ with:
+ images: ghcr.io/scilifelabdatacentre/serve-encrypt
+ tags: |
+ type=raw,value={{date 'YYMMDD-HHmm' tz='Europe/Stockholm'}}
+
+ - name: 'Login to GHCR'
+ uses: docker/login-action@v1
+ with:
+ registry: ghcr.io
+ username: ${{github.actor}}
+ password: ${{secrets.GITHUB_TOKEN}}
+
+ - name: Publish image to GHCR
+ uses: docker/build-push-action@v3
+ with:
+ file: ./serve-encrypt/Dockerfile
+ context: ./serve-encrypt
+ push: true
+ build-args: version=${{ github.ref_name }}
+ tags: |
+ ${{ steps.meta.outputs.tags }}
+ ghcr.io/scilifelabdatacentre/serve-encrypt:latest
+ labels: ${{ steps.meta.outputs.labels }}
diff --git a/examples/streamlit/Dockerfile b/examples/streamlit/Dockerfile
index c9866a8..00c40c6 100644
--- a/examples/streamlit/Dockerfile
+++ b/examples/streamlit/Dockerfile
@@ -11,7 +11,10 @@ WORKDIR $HOME/app
 RUN apt-get update && apt-get install --no-install-recommends -y \
 build-essential \
 software-properties-common \
- curl
+ curl \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
+

 COPY requirements.txt requirements.txt
 COPY app.py app.py
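Review bot: `uses: actions/checkout@main` in the checkout step tracks a moving branch, so whatever is pushed to that branch next runs inside this job with its `packages: write` token; pin it like the other steps, `uses: actions/checkout@v4`, or better to a full commit SHA with the tag in a comment. The same reasoning applies to `docker/login-action@v1` and `docker/build-push-action@v3`, which are major tags only and also lag well behind current releases. The `workflow_dispatch` inputs `logLevel` and `tags` are declared but never referenced by the job, so a manual run silently ignores them; either use them or drop the input block. The `concurrency.group` expression mentions `github.event.pull_request.head.label` although no `pull_request` trigger is declared; it falls through to `github.ref` via `||`, but the dead reference suggests it was copied from a PR workflow and is worth trimming.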
diff --git a/serve-encrypt/Dockerfile b/serve-encrypt/Dockerfile
new file mode 100644
index 0000000..b59842b
--- /dev/null
+++ b/serve-encrypt/Dockerfile
@@ -0,0 +1,31 @@
+# Use an official Debian as a parent image for a lightweight build
+FROM debian:stable-slim
+
+# Set the GNUPGHOME environment variable
+ENV GNUPGHOME=/home/pguser/.gnupg
+
+# Install PostgreSQL client and GPG
+# Create a non-root user and group (using user ID 1000 and group ID 1000 for compatibility)
+# Fixed commands for Debian
+RUN apt-get update \
+ && apt-get install --no-install-recommends -y gnupg2=2.2.* curl=7.88.* postgresql-client-15=15.* \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/* \
+ && groupadd -g 1000 pguser \
+ && useradd -m -u 1000 -g pguser pguser
+
+# Set working directory
+WORKDIR /home/pguser
+
+# Copy the GPG public key
+COPY gpg-public-key /home/pguser/gpg-public-key
+
+# Import the GPG key
+# The command to switch users before running a command has also been adjusted for Debian compatibility
+RUN chown pguser:pguser /home/pguser/gpg-public-key && \
+ chmod 600 /home/pguser/gpg-public-key && \
+ su pguser -c 'gpg --import /home/pguser/gpg-public-key'
+
+# Switch to the non-root user
+USER pguser
+
diff --git a/serve-encrypt/gpg-public-key b/serve-encrypt/gpg-public-key
new file mode 100644
index 0000000..4a100a0
--- /dev/null
+++ b/serve-encrypt/gpg-public-key
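Review bot: `FROM debian:stable-slim` floats to whichever Debian release is current, while the `apt-get install` line pins `curl=7.88.*` and `postgresql-client-15=15.*` to the package versions of one specific release, so the build will start failing on the version match as soon as `stable` moves on; pin the base to the release those versions belong to, `FROM debian:bookworm-slim`, or drop the per-package version pins. The second RUN imports the copied key but nothing checks which key was imported, so a substituted `gpg-public-key` in the build context would be accepted silently; recording the expected fingerprint in the Dockerfile and asserting it after the import (for example grepping the `fpr` record of `gpg --with-colons --fingerprint` for a documented `<EXPECTED_FINGERPRINT>` placeholder value) would fail the build instead. A `gpg --import` also assigns no trust to the key, so encrypting to it later presumably needs an explicit trust setting or `--trust-model always`; that expectation is worth stating in the comment above the RUN. The image declares no ENTRYPOINT or CMD, so how the installed client and gpg are meant to be invoked is undocumented; a header comment naming the intended invocation would help the next reader.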
@@ -0,0 +1,13 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mDMEZdi2zRYJKwYBBAHaRw8BAQdAWiUZyQidLNI7H5h2guFRX7Z5XMq7xlezOTPU
+4E7WLSy0IU1vbnR5UHl0aG9uIDxzZXJ2ZUBzY2lsaWZlbGFiLnNlPoiZBBMWCgBB
+FiEEFMj00C+87r6gxkIweUw2dG7WihkFAmXYts0CGwMFCQWjmoAFCwkIBwICIgIG
+FQoJCAsCBBYCAwECHgcCF4AACgkQeUw2dG7WihluEAD/e0/fe2ZWu+qsbANLrIeC
+SDcuUOhOjyExEqYUsYBuxxAA+wbnERFA6nO19tZEEVBXYz0yIbSQyCKh4CTPoUBj
+4g4EuDgEZdi2zRIKKwYBBAGXVQEFAQEHQKyr292yAwCT0lK/RaU+BBAFaSywvgvp
+0YXqHyjrHBUQAwEIB4h+BBgWCgAmFiEEFMj00C+87r6gxkIweUw2dG7WihkFAmXY
+ts0CGwwFCQWjmoAACgkQeUw2dG7Wihli3AEAqd2f5uOgNylWH0HeLfnAR2xUz69G
+lQdnr5MH33bDUu0A/1Q7OvzCTXQmjxFrAyqEn8UDs3y+wCri3z0OfX49ElgK
+=pyub
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/serve-filemanager/Dockerfile b/serve-filemanager/Dockerfile
index 308b84e..900072d 100644
--- a/serve-filemanager/Dockerfile
+++ b/serve-filemanager/Dockerfile
@@ -7,9 +7,9 @@ COPY filebrowser.json /.filebrowser.json
 COPY startup.sh /usr/local/bin/startup.sh

 RUN apk add --update --no-cache \
- wget \
- zip \
- unzip \
+ wget~=1.21 \
+ zip~=3 \
+ unzip~=6 \
 && adduser -D -u 1000 -g 1000 -h $HOME $USER \
 && chmod +x /usr/local/bin/startup.sh \
 && rm -rf /var/lib/apt/lists/*
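Review bot: The trailing `&& rm -rf /var/lib/apt/lists/*` in this RUN is an apt cleanup on an apk-based image, so with `apk add --no-cache` it removes nothing; since the RUN is being edited anyway, drop that line. The new pins `zip~=3` and `unzip~=6` only fix the major version, which is barely narrower than no pin at all; if reproducible builds are the goal, pin to the full Alpine package version and revisit them when the base image is bumped. On BusyBox `adduser` the `-g` flag sets the GECOS field, not the group, so `-g 1000` in the context line does not place `$USER` in gid 1000 as the neighbouring `-u 1000` suggests; `-G <group>` is the group option, and the group may need creating first with `addgroup`.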