Don't run as root in containers (#218)

* Don't use root in our containers

* move some more libs into base image

* remove collector-fluentd

* add more resources for building the base image

Author: ib-steffen

docs/dev.md

@@ -24,7 +24,7 @@ pipenv shell
 To build all images run:
 
 ``` bash
-infrabox run
+infrabox run ib
 ./ib.py images build
 ```
 

ib.py

@@ -6,8 +6,6 @@
 import logging
 import sys
 
-from Crypto.PublicKey import RSA
-
 logging.basicConfig(
     format='%(asctime)s,%(msecs)d %(levelname)-8s [%(filename)s:%(lineno)d] %(message)s',
     datefmt='%d-%m-%Y:%H:%M:%S',
@@ -23,11 +21,10 @@
     {'name': 'github-trigger', 'depends_on': ['images-base']},
     {'name': 'github-review', 'depends_on': ['images-base']},
     {'name': 'collector-api'},
-    {'name': 'collector-fluentd'},
     {'name': 'job'},
     {'name': 'opa'},
     {'name': 'gc', 'depends_on': ['images-base']},
-    {'name': 'scheduler-kubernetes'},
+    {'name': 'scheduler-kubernetes', 'depends_on': ['images-base']},
     {'name': 'api', 'depends_on': ['images-base']},
     {'name': 'build-dashboard-client'},
     {'name': 'static', 'depends_on': ['build-dashboard-client']},
@@ -126,32 +123,6 @@ def images_push(args):
             print('invalid type')
             sys.exit(1)
 
-def _setup_rsa_keys():
-    private_key_path = '/tmp/ib/run/rsa/id_rsa'
-    public_key_path = '/tmp/ib/run/rsa/id_rsa.pub'
-
-    key = RSA.generate(2048)
-
-    if not os.path.exists(private_key_path):
-        logger.warn('Private key does not exist: %s', private_key_path)
-        logger.warn('Recreating it')
-
-        if not os.path.exists(os.path.dirname(private_key_path)):
-            os.makedirs(os.path.dirname(private_key_path))
-
-        with open(private_key_path, 'w+') as s:
-            s.write(str(key.exportKey()))
-
-    if not os.path.exists(public_key_path):
-        logger.warn('Public key does not exist: %s', public_key_path)
-        logger.warn('Recreating it')
-
-        if not os.path.exists(os.path.dirname(public_key_path)):
-            os.makedirs(os.path.dirname(public_key_path))
-
-        with open(public_key_path, 'w+') as s:
-            s.write(str(key.publickey().exportKey()))
-
 def services_start(args):
     if args.service_name == 'storage':
         execute(['docker-compose', 'up'],
@@ -222,15 +193,15 @@ def main():
 
     images_build_parser = sub_images.add_parser('build')
     images_build_parser.set_defaults(func=images_build)
-    images_build_parser.add_argument("--registry", default='localhost:5000')
+    images_build_parser.add_argument("--registry", default='quay.io')
     images_build_parser.add_argument("--tag", default='latest')
     images_build_parser.add_argument("--filter", default='.*')
     images_build_parser.add_argument("--push", action='store_true', default=False)
     images_build_parser.add_argument("--type", default='registry')
 
     images_push_parser = sub_images.add_parser('push')
     images_push_parser.set_defaults(func=images_push)
-    images_push_parser.add_argument("--registry", default='localhost:5000')
+    images_push_parser.add_argument("--registry", default='quay.io')
     images_push_parser.add_argument("--tag", default='latest')
     images_push_parser.add_argument("--filter", default='.*')
     images_push_parser.add_argument("--type", default='registry')

infrabox/deploy/static/Dockerfile

@@ -1,4 +1,4 @@
-FROM nginx:1.13.6
+FROM nginx:1.15-alpine
 
 COPY src/landing /usr/share/nginx/html
 COPY .infrabox/inputs/build-dashboard-client/dist /usr/share/nginx/html/dashboard

infrabox/generator/deployments.json

@@ -163,33 +163,6 @@
                 "image": true
             }
         },
-        {
-            "type": "docker",
-            "build_context": "../..",
-            "name": "collector-fluentd",
-            "docker_file": "src/collector-fluentd/Dockerfile",
-            "build_only": true,
-            "resources": {
-                "limits": {
-                    "cpu": 1,
-                    "memory": 1024
-                }
-            },
-            "deployments": [
-                {
-                    "type": "docker-registry",
-                    "host": "quay.io/infrabox",
-                    "repository": "collector-fluentd",
-                    "username": "infrabox+infrabox_ci",
-                    "password": {
-                        "$secret": "QUAY_PASSWORD"
-                    }
-                }
-            ],
-            "cache": {
-                "image": true
-            }
-        },
         {
             "type": "docker",
             "build_context": "../..",

infrabox/generator/images.json

@@ -9,7 +9,7 @@
         "resources": {
             "limits": {
                 "cpu": 1,
-                "memory": 1024
+                "memory": 2048
             }
         },
         "deployments": [

infrabox/test/pyinfraboxutils/Dockerfile

@@ -3,7 +3,7 @@ FROM quay.io/infrabox/images-test:build_$INFRABOX_BUILD_NUMBER
 
 ENV PYTHONPATH=/infrabox/context/src
 
-COPY infrabox/test/pyinfraboxutils /test
+COPY --chown=infrabox infrabox/test/pyinfraboxutils /test
 WORKDIR test
 
 CMD /infrabox/context/infrabox/test/utils/python_tests.sh /infrabox/context/src/pyinfraboxutils '*'

infrabox/test/utils/python_tests.sh

@@ -1,11 +1,7 @@
-#!/bin/sh
+#!/bin/bash
 
 coverage run --source=.,$1 --branch test.py
 
-rc=$?
-
-echo "exit code $rc"
-
 set -e
 
 coverage report -m
@@ -16,14 +12,3 @@ if [ -e results.xml ]; then
 fi
 
 cp coverage.xml /infrabox/upload/coverage
-
-
-#if [[ ! -z "$CODECOV_TOKEN" ]]; then
-#    if [[ -z "$INFRABOX_GIT_BRANCH" ]]; then
-#        codecov -t $CODECOV_TOKEN --root /infrabox/context -f coverage.xml
-#    else
-#        codecov -t $CODECOV_TOKEN --root /infrabox/context -f coverage.xml -b $INFRABOX_GIT_BRANCH
-#    fi
-#fi
-
-exit $rc