Here is a stab.
This commit is contained in:
Jean-Paul Calderone
parent
2d9763e013
commit
336b35d513
74
Dockerfile
Normal file
74
Dockerfile
Normal file
|
|
@ -0,0 +1,74 @@
|
||||||
|
#
|
||||||
|
# Attempts are made to follow the guidelines at
|
||||||
|
# https://docs.docker.com/engine/userguide/eng-image/dockerfile_best-practices/
|
||||||
|
#
|
||||||
|
|
||||||
|
FROM library/ubuntu:16.04
|
||||||
|
|
||||||
|
# If there are security updates for any of the packages we install,
|
||||||
|
# bump the date in this environment variable to invalidate the Docker
|
||||||
|
# build cache and force installation of the new packages. Otherwise,
|
||||||
|
# Docker's image/layer cache may prevent the security update from
|
||||||
|
# being retrieved.
|
||||||
|
ENV SECURITY_UPDATES="2017-15-01"
|
||||||
|
|
||||||
|
# Tell apt/dpkg/debconf that we're non-interactive so it won't write
|
||||||
|
# annoying warnings as it installs the software we ask for. Making
|
||||||
|
# this an `ARG` sets it in the environment for the duration of the
|
||||||
|
# _build_ only - preventing this from having any effect on a container
|
||||||
|
# running this image (which shouldn't really be installing more
|
||||||
|
# software but who knows...).
|
||||||
|
ARG DEBIAN_FRONTEND=noninteractive
|
||||||
|
|
||||||
|
# We'll do an upgrade because the base Ubuntu image isn't guaranteed
|
||||||
|
# to include the latest security updates. This is counter to best
|
||||||
|
# practice recommendations but security updates are important.
|
||||||
|
RUN apt-get --quiet update && \
|
||||||
|
apt-get --quiet install -y unattended-upgrades && \
|
||||||
|
unattended-upgrade --minimal_upgrade_steps && \
|
||||||
|
rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
|
RUN apt-get --quiet update && apt-get --quiet install -y \
|
||||||
|
python-dev \
|
||||||
|
libffi-dev \
|
||||||
|
openssl \
|
||||||
|
libssl-dev \
|
||||||
|
\
|
||||||
|
python-virtualenv \
|
||||||
|
&& rm -rf /var/lib/apt/lists/*
|
||||||
|
|
||||||
|
# Create a virtualenv into which to install magicwormhole in to.
|
||||||
|
RUN virtualenv /app/env
|
||||||
|
|
||||||
|
# Get a newer version of pip.
|
||||||
|
RUN /app/env/bin/pip install --upgrade pip
|
||||||
|
|
||||||
|
# Create the website account, the user as which the infrastructure
|
||||||
|
# server will run.
|
||||||
|
ENV WORMHOLE_USER_NAME="wormhole"
|
||||||
|
|
||||||
|
# Force the allocated user to uid 1000 because we hard-code 1000
|
||||||
|
# below.
|
||||||
|
RUN adduser --uid 1000 --disabled-password --gecos "" "${WORMHOLE_USER_NAME}"
|
||||||
|
|
||||||
|
# Run the application with this working directory.
|
||||||
|
WORKDIR /app/run
|
||||||
|
|
||||||
|
# And give it to the user the application will run as.
|
||||||
|
RUN chown ${WORMHOLE_USER_NAME} /app/run
|
||||||
|
|
||||||
|
# Facilitate network connections to the application.
|
||||||
|
EXPOSE 4000
|
||||||
|
|
||||||
|
# Put the source somewhere pip will be able to see it.
|
||||||
|
ADD . /src
|
||||||
|
|
||||||
|
# Get the app we want to run!
|
||||||
|
RUN /app/env/bin/pip install /src
|
||||||
|
|
||||||
|
# Switch to a non-root user.
|
||||||
|
USER 1000
|
||||||
|
|
||||||
|
CMD /app/env/bin/wormhole-server start \
|
||||||
|
--rendezvous tcp:4000 \
|
||||||
|
--no-daemon
|
||||||
Loading…
Reference in New Issue
Block a user