Merge branch 'correction-vulnerabilites-pica-etherpad' into 'master'

Correction vulnerabilites pica etherpad See merge request picasoft/dockerfiles!9

Merge branch 'correction-vulnerabilites-pica-etherpad' into 'master'
3d9ab5cc · Barbare Antoine · ad17d280 · 2826565f · 3d9ab5cc · 3d9ab5cc
Commit 3d9ab5cc authored 6 years ago by Barbare Antoine
--- a/debian/Dockerfile-jessie
+++ b/debian/Dockerfile-jessie
@@ -4,12 +4,13 @@ MAINTAINER antoinebarbare@gmail.com

 RUN apt-get update -y
 RUN apt-get install -y vim \
-	locate \
-	git \
 	curl \
-	wget \
+	git \
+	gpg \
+	locate \
 	nano \
-  gnupg
+	vim \
+	wget

 ENV TERM xterm
 CMD ["/bin/bash"]
--- a/debian/Dockerfile-stretch
+++ b/debian/Dockerfile-stretch
@@ -3,13 +3,14 @@ FROM debian:stretch
 MAINTAINER antoinebarbare@gmail.com

 RUN apt-get update -y
-RUN apt-get install -y vim \
-	locate \
-	git \
+RUN apt-get install -y 
 	curl \
-	wget \
+	git \
+	gpg \
+	locate \
 	nano \
-  gpg
+	vim \
+	wget

 ENV TERM xterm
 CMD ["/bin/bash"]
--- a/pica-etherpad/.gitignore
+++ b/pica-etherpad/.gitignore
+etherpad-app.secrets
+etherpad-db.secrets
--- a/pica-etherpad/Dockerfile
+++ b/pica-etherpad/Dockerfile
-FROM registry.picasoft.net:5000/pica-debian:latest
-MAINTAINER antoine@barbare.me
+# déclaration unique des variables d'environnement
+FROM node:10.11.0-slim as base
+LABEL maintainer="antoine@barbare.me"

-ENV ETHERPAD_VERSION 1.6.5
-ENV ETHERPAD_LANDING_PAGE_VERSION v0.1
-ENV NODE_ENV=production
+ARG ETHERPAD_VERSION_BUILD=1.7.0
+ARG ETHERPAD_LANDING_PAGE_VERSION_BUILD=v0.1
+ARG NODE_ENV_BUILD=production

-#Copy configuration
-COPY entrypoint.sh /entrypoint.sh
+ENV ETHERPAD_VERSION=${ETHERPAD_VERSION_BUILD}
+ENV ETHERPAD_LANDING_PAGE_VERSION=${ETHERPAD_LANDING_PAGE_VERSION_BUILD}
+ENV NODE_ENV=${NODE_ENV_BUILD}

-#Installation de dépendances + NodeJS + NPM
-RUN useradd -d /opt/etherpad-lite -u 1000 etherpad && \
-    curl -sL https://deb.nodesource.com/setup_9.x | bash - && \
-    apt-get update && \
+
+# téléchargement d'Etherpad et de la page d'accueil dans une image temporaire
+FROM base as downloader
+RUN apt-get update && \
    apt-get install -y \
-      nodejs \
-      unzip \
-      mysql-client \
-      gzip \
-      git \
      curl \
-      python \
+      git \
+      gzip \
      libssl-dev \
      pkg-config \
-      build-essential && \
-    rm -r /var/lib/apt/lists/* && \
-    curl -SL https://github.com/ether/etherpad-lite/archive/${ETHERPAD_VERSION}.zip > etherpad.zip && \
-    unzip etherpad && \
-    rm -Rf etherpad.zip etherpad-lite-${ETHERPAD_VERSION}/.git && \
-    mv etherpad-lite-${ETHERPAD_VERSION} /opt/etherpad-lite && \
-    chown -R etherpad: /opt/etherpad-lite && \
-    chmod +x /entrypoint.sh
+      python \
+      unzip && \
+    mkdir -p /opt/etherpad-lite && \
+    chown -R node /opt/etherpad-lite

-USER etherpad
+USER node
 WORKDIR /opt/etherpad-lite
-
-#First starting of services
-RUN bin/installDeps.sh && \
+RUN curl -SL https://github.com/ether/etherpad-lite/archive/${ETHERPAD_VERSION}.zip > etherpad.zip && \
+    unzip etherpad && \
+    rm -Rf etherpad.zip etherpad-lite-${ETHERPAD_VERSION}/.git && \
+    mv etherpad-lite-${ETHERPAD_VERSION}/* . && \
+    mkdir -p src/templates && \
+    bin/installDeps.sh && \
    rm settings.json && \
    npm install \
        ep_align \
@@ -46,29 +43,36 @@ RUN bin/installDeps.sh && \
        ep_font_color \
        ep_headings2 \
        ep_markdown \
+        ep_pads_stats \
        ep_page_view \
        ep_spellcheck \
        ep_subscript_and_superscript \
        ep_table_of_contents \
-        ep_user_font_size \
-        ep_pads_stats
+        ep_user_font_size && \
+    git clone https://framagit.org/DeBugs/picasoft-etherpad-landing-page.git src/templates/picasoft-etherpad-landing-page && \
+    git --git-dir=src/templates/picasoft-etherpad-landing-page/.git checkout ${ETHERPAD_LANDING_PAGE_VERSION} && \
+    cp src/templates/picasoft-etherpad-landing-page/index.html src/templates/index.html && \
+    cp src/templates/picasoft-etherpad-landing-page/static/* src/static/ -r

-RUN cd ~/src/templates && \
-    git clone https://framagit.org/DeBugs/picasoft-etherpad-landing-page.git && \
-    cd ./picasoft-etherpad-landing-page/ && \
-    git checkout ${ETHERPAD_LANDING_PAGE_VERSION} && \
-    cp ./index.html ../index.html && \
-    cp ./static/* ../../static/ -r && \
-    cd -

+# construction de l'image finale
+FROM base

+COPY entrypoint.sh /opt/etherpad-lite/entrypoint.sh
+RUN apt-get update && \
+    apt-get install -y mysql-client && \
+    chmod +x /opt/etherpad-lite/entrypoint.sh && \
+    mkdir -p /opt/etherpad-lite && \
+    chown -R node /opt/etherpad-lite && \
+    usermod -d /opt/etherpad-lite node && \
+    rm -r /var/lib/apt/lists/*                          

-#Set settings based on evironement variables
-ENTRYPOINT ["/entrypoint.sh"]
+# import des fichiers téléchargés dans l'image downloader
+COPY --from=downloader --chown=node /opt/etherpad-lite /opt/etherpad-lite/ 

-#Start Etherpad with supervisor
+USER node
+ENTRYPOINT ["/opt/etherpad-lite/entrypoint.sh"]
 CMD /bin/bash -c "/opt/etherpad-lite/bin/run.sh"
-
 HEALTHCHECK CMD curl -s 127.0.0.1:${ETHERPAD_PORT:=8080}

 EXPOSE 8080

--- a/pica-etherpad/docker-compose.yml
+++ b/pica-etherpad/docker-compose.yml
+version : "2.4"
+services:
+    etherpad-app:
+        image: pica-etherpad:1.7.0
+        container_name: etherpad-app
+        links:
+          - etherpad-db:mysql
+        security_opt:
+          - no-new-privileges
+        mem_limit: "2048m"
+        cpus: "0.60"
+        pids_limit: 1024
+        env_file: ./etherpad-app.secrets
+        ports: ['8080:8080']
+        labels:
+          - "traefik.frontend.rule=Host:pad.test.picasoft.net"
+          - "traefik.port=8080"
+          - "traefik.enable=true"
+        restart: always
+
+    etherpad-db:
+        image: mysql:5.7
+        container_name: etherpad-db
+        security_opt:
+          - no-new-privileges
+        mem_limit: 2048m
+        cpus: "0.20"
+        pids_limit: 1024
+        volumes:
+          - /DATA/docker/etherpad/etherpad-db/data:/var/lib/mysql
+        env_file: ./etherpad-db.secrets
+        restart: always
+                                                                                    
--- a/pica-etherpad/entrypoint.sh
+++ b/pica-etherpad/entrypoint.sh
@@ -39,9 +39,9 @@ if [ "$RESULT" != $ETHERPAD_DB_NAME ]; then
 	      -e "create database ${ETHERPAD_DB_NAME}"
 fi

-if [ ! -f settings.json ]; then
+if [ ! -f /opt/etherpad-lite/settings.json ]; then

-	cat <<- EOF > settings.json
+	cat <<- EOF > /opt/etherpad-lite/settings.json
 	{
 	  "title": "${ETHERPAD_TITLE}",
 	  "ip": "0.0.0.0",
@@ -60,7 +60,7 @@ if [ ! -f settings.json ]; then

 		: ${ETHERPAD_ADMIN_USER:=admin}

-		cat <<- EOF >> settings.json
+		cat <<- EOF >> /opt/etherpad-lite/settings.json
 		  "users": {
 		    "${ETHERPAD_ADMIN_USER}": {
 		      "password": "${ETHERPAD_ADMIN_PASSWORD}",
@@ -70,10 +70,9 @@ if [ ! -f settings.json ]; then
 		EOF
 	fi

-	cat <<- EOF >> settings.json
+	cat <<- EOF >> /opt/etherpad-lite/settings.json
 	}
 	EOF
 fi

-rm /opt/etherpad-lite/src/package-lock.json
 exec "$@"