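# NOTE(review): the untagged base resolves to :latest; pin a ubi8 tag (or a digest)
# so rebuilds are reproducible and base-image updates are deliberate.
FROM registry.access.redhat.com/ubi8/ubi-minimal

# Add the CentOS Stream repos (at low priority) when the builder has no RHEL
# subscription, so the postgresql/pg_repack packages below can be resolved.
# NOTE(review): these repo/GPG-key RPMs are fetched over plain http with no
# checksum; verify or vendor them if this branch is exercised in real builds.
RUN FULL_RHEL=$(microdnf repolist --enabled | grep rhel-8) ; \
    if [ -z "$FULL_RHEL" ] ; then \
        rpm -Uvh http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/centos-stream-repos-8-4.el8.noarch.rpm \
                 http://mirror.centos.org/centos/8-stream/BaseOS/x86_64/os/Packages/centos-gpg-keys-8-4.el8.noarch.rpm && \
        sed -i 's/^\(enabled.*\)/\1\npriority=200/;' /etc/yum.repos.d/CentOS*.repo ; \
    fi

# OS packages: Python 3.11 toolchain, PostgreSQL 15 client tools and the
# headers/compilers needed to build native wheels. Sorted for diffability.
RUN microdnf module enable postgresql:15 && \
    microdnf install --setopt=install_weak_deps=0 --setopt=tsflags=nodocs \
        diffutils \
        gcc \
        git-core \
        libicu \
        libpq-devel \
        pg_repack \
        postgresql \
        python311 \
        python3.11-devel \
        python3.11-pip \
        shadow-utils \
        systemd \
        which && \
    microdnf clean all

# aarch64 additionally needs gcc-c++ for the psycopg build (pg_config, gcc and
# python3.11-devel come from the packages above). An install failure now fails
# the build instead of being masked by a trailing "|| true".
RUN if [ "$(uname -m)" = "aarch64" ] ; then \
        microdnf install --setopt=install_weak_deps=0 --setopt=tsflags=nodocs gcc-c++ && \
        microdnf clean all ; \
    fi

# Multiprocess metrics directory for the manager; created here, ownership is
# fixed up below once the application user exists.
RUN mkdir -p /tmp/prometheus_multiproc
ENV prometheus_multiproc_dir=/tmp/prometheus_multiproc

# Minimal schema version the application accepts; services wait on it until
# the DB migration has finished.
ENV MINIMAL_SCHEMA=131

WORKDIR /engine

# Dependency manifests first, so the pip layers stay cached while source changes.
COPY pyproject.toml poetry.lock /engine/
ENV LC_ALL=C.utf8 \
    LANG=C.utf8
RUN pip3 install --no-cache-dir --upgrade pip && \
    pip3 install --no-cache-dir --upgrade poetry~=1.5
RUN poetry export --only main -f requirements.txt --output requirements.txt && \
    pip3 install --no-cache-dir -r requirements.txt

# Application user in gid 0 with g=u permissions on writable paths (the usual
# pattern for running under an arbitrary UID).
RUN adduser --gid 0 -d /engine --no-create-home insights
RUN chown -R insights:0 /tmp/prometheus_multiproc && \
    chmod -R g=u /tmp/prometheus_multiproc

# Baked-in content for FedRAMP builds (STATIC_ASSETS=1).
ARG STATIC_ASSETS=0
# NOTE(review): a build ARG value is recorded in the image history; pass the
# token through a BuildKit/buildah secret mount once the build pipeline allows it.
ARG GIT_TOKEN=""
RUN if [ "${STATIC_ASSETS}" = 1 ] ; then \
        # -f: an HTTP error must not be written into the CA anchor as if it were a certificate
        curl -fsSL -o /etc/pki/ca-trust/source/anchors/2015-IT-Root-CA.crt https://certs.corp.redhat.com/certs/2015-IT-Root-CA.pem && \
        update-ca-trust extract && \
        git clone https://gitlab.cee.redhat.com/vmaas/vmaas-assets.git /engine/vmaas_assets_git && \
        git clone https://gitlab.cee.redhat.com/insights-rules/insights-playbooks.git /engine/insights_playbooks_git && \
        git clone "https://$GIT_TOKEN@github.com/RedHatInsights/insights-content-vulnerability.git" /engine/insights_content_vulnerability_git && \
        # strip the token from the persisted remote URL so it does not stay in .git/config inside the image
        git -C /engine/insights_content_vulnerability_git remote set-url origin https://github.com/RedHatInsights/insights-content-vulnerability.git && \
        # needed to avoid git 'detected dubious ownership' error when running as a rootless container
        git config --system --add safe.directory /engine/vmaas_assets_git && \
        git config --system --add safe.directory /engine/insights_playbooks_git && \
        git config --system --add safe.directory /engine/insights_content_vulnerability_git && \
        echo "Cloned static assets" ; \
    fi

USER insights
EXPOSE 8000

# Application files. Copied after USER so they remain root-owned; COPY is used
# because none of these are archives that need ADD's auto-extraction.
COPY entrypoint.sh /engine/
COPY develfeatureflags.json /engine/
COPY manager.healthz.spec.yaml /engine/
COPY manager.admin.spec.yaml /engine/
COPY /database/upgrade/dbupgrade.sh /engine/
COPY /database/schema/local_init_db.sh /engine/
COPY /taskomatic/*.py /engine/taskomatic/
COPY /taskomatic/jobs/*.py /engine/taskomatic/jobs/
COPY /vmaas_sync/*.py /engine/vmaas_sync/
COPY /database/*.py /engine/database/
COPY /database/upgrade/*.py /engine/database/upgrade/
COPY /database/schema/*.sql /engine/database/schema/
COPY /database/schema/upgrade_scripts/*.sql /engine/database/schema/upgrade_scripts/
COPY /evaluator/*.py /engine/evaluator/
COPY /listener/*.py /engine/listener/
COPY manager.spec.yaml /engine/
COPY /common/*.py /engine/common/
COPY /manager/*.py /engine/manager/
COPY /notificator/*.py /engine/notificator/
COPY /exploit_sync/*.py /engine/exploit_sync/
COPY /grouper/*.py /engine/grouper/
COPY /cluster/*.py /engine/cluster/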