cleanup

Author: valentijnscholten

.github/workflows/release-2-tag-docker-push.yml

@@ -29,12 +29,11 @@ jobs:
           git config --global user.name "${{ env.GIT_USERNAME }}"
           git config --global user.email "${{ env.GIT_EMAIL }}"
 
-        # TODO REMOVE -f
       - name: Create new tag ${{ github.event.inputs.release_number }}
         # at this point, the PR from the 1st workflow is merged into master.
         run: |
-          git tag -f -a ${{ github.event.inputs.release_number }} -m "[bot] release ${{ github.event.inputs.release_number }}"
-          git push origin ${{ github.event.inputs.release_number }} -f
+          git tag -a ${{ github.event.inputs.release_number }} -m "[bot] release ${{ github.event.inputs.release_number }}"
+          git push origin ${{ github.event.inputs.release_number }}
 
   publish-docker-containers:
     needs: tag

Dockerfile.django-alpine

@@ -1 +1,139 @@
+
+# code: language=Dockerfile
+
+# The code for the build image should be identical with the code in
+# Dockerfile.nginx to use the caching mechanism of Docker.
+
+# Ref: https://devguide.python.org/#branchstatus
 FROM python:3.11.11-alpine3.21@sha256:9af3561825050da182afc74b106388af570b99c500a69c8216263aa245a2001b AS base
+FROM base AS build
+WORKDIR /app
+RUN \
+  apk update && \
+  apk add --no-cache \
+    gcc \
+    build-base \
+    bind-tools \
+    postgresql16-client \
+    xmlsec \
+    git \
+    util-linux \
+    curl-dev \
+    openssl \
+    libffi-dev \
+    python3-dev \
+    libpq-dev \
+    && \
+    rm -rf /var/cache/apk/* && \
+  true
+COPY requirements.txt ./
+# CPUCOUNT=1 is needed, otherwise the wheel for uwsgi won't always be build succesfully
+# https://github.com/unbit/uwsgi/issues/1318#issuecomment-542238096
+RUN CPUCOUNT=1 pip3 wheel --wheel-dir=/tmp/wheels -r ./requirements.txt
+
+FROM base AS django
+WORKDIR /app
+ARG uid=1001
+ARG gid=1337
+ARG appuser=defectdojo
+ENV appuser=${appuser}
+RUN \
+  apk update && \
+  apk add --no-cache \
+    openjpeg \
+    jpeg \
+    tiff \
+    bind-tools \
+    xmlsec \
+    git \
+    util-linux \
+    postgresql16-client \
+    curl-dev \
+    openssl \
+    # needed for integration-tests
+    bash \
+    && \
+    rm -rf /var/cache/apk/* && \
+  true
+COPY --from=build /tmp/wheels /tmp/wheels
+COPY requirements.txt ./
+RUN export PYCURL_SSL_LIBRARY=openssl && \
+    pip3 install \
+	--no-cache-dir \
+	--no-index \
+  --find-links=/tmp/wheels \
+  -r ./requirements.txt
+
+COPY \
+  docker/entrypoint-celery-beat.sh \
+  docker/entrypoint-celery-worker.sh \
+  docker/entrypoint-initializer.sh \
+  docker/entrypoint-first-boot.sh \
+  docker/entrypoint-uwsgi.sh \
+  docker/entrypoint-uwsgi-dev.sh \
+  docker/entrypoint-unit-tests.sh \
+  docker/entrypoint-unit-tests-devDocker.sh \
+  docker/wait-for-it.sh \
+  docker/secret-file-loader.sh \
+  docker/reach_database.sh \
+  docker/certs/* \
+  /
+COPY wsgi.py manage.py docker/unit-tests.sh ./
+COPY dojo/ ./dojo/
+
+# Add extra fixtures to docker image which are loaded by the initializer
+COPY docker/extra_fixtures/* /app/dojo/fixtures/
+
+COPY tests/ ./tests/
+RUN \
+  # Remove placeholder copied from docker/certs
+  rm -f /readme.txt && \
+  # Remove placeholder copied from docker/extra_fixtures
+  rm -f dojo/fixtures/readme.txt && \
+  mkdir -p dojo/migrations && \
+  chmod g=u dojo/migrations && \
+  true
+USER root
+RUN \
+    addgroup --gid ${gid} ${appuser} && \
+    adduser --system --no-create-home --disabled-password --gecos '' \
+        --uid ${uid} --ingroup ${appuser} ${appuser} && \
+    chown -R root:root /app && \
+    chmod -R u+rwX,go+rX,go-w /app && \
+    # Allow for bind mounting local_settings.py and other setting overrides
+    chown -R root:${appuser} /app/dojo/settings && \
+    chmod -R 775 /app/dojo/settings && \
+    mkdir /var/run/${appuser} && \
+    chown ${appuser} /var/run/${appuser} && \
+    chmod g=u /var/run/${appuser} && \
+    chmod 775 /*.sh && \
+    mkdir -p media/threat && chown -R ${uid} media && \
+    # To avoid warning: (staticfiles.W004) The directory '/app/components/node_modules' in the STATICFILES_DIRS setting does not exist.
+    mkdir -p components/node_modules && \
+    chown ${appuser} components/node_modules
+USER ${uid}
+ENV \
+  # Only variables that are not defined in settings.dist.py
+  DD_ADMIN_USER=admin \
+  DD_ADMIN_MAIL=admin@defectdojo.local \
+  DD_ADMIN_PASSWORD='' \
+  DD_ADMIN_FIRST_NAME=Admin \
+  DD_ADMIN_LAST_NAME=User \
+  DD_CELERY_LOG_LEVEL="INFO" \
+  DD_CELERY_WORKER_POOL_TYPE="solo" \
+  # Enable prefork and options below to ramp-up celeryworker performance. Presets should work fine for a machine with 8GB of RAM, while still leaving room.
+  # See https://docs.celeryproject.org/en/stable/userguide/workers.html#id12 for more details
+  # DD_CELERY_WORKER_POOL_TYPE="prefork" \
+  # DD_CELERY_WORKER_AUTOSCALE_MIN="2" \
+  # DD_CELERY_WORKER_AUTOSCALE_MAX="8" \
+  # DD_CELERY_WORKER_CONCURRENCY="8" \
+  # DD_CELERY_WORKER_PREFETCH_MULTIPLIER="128" \
+  DD_INITIALIZE=true \
+  DD_UWSGI_MODE="socket" \
+  DD_UWSGI_ENDPOINT="0.0.0.0:3031" \
+  DD_UWSGI_NUM_OF_PROCESSES="2" \
+  DD_UWSGI_NUM_OF_THREADS="2"
+ENTRYPOINT ["/entrypoint-uwsgi.sh"]
+
+FROM django AS django-unittests
+COPY unittests/ ./unittests/

Dockerfile.django-debian

@@ -1 +1,142 @@
+
+# code: language=Dockerfile
+
+# The code for the build image should be identical with the code in
+# Dockerfile.nginx to use the caching mechanism of Docker.
+
+# Ref: https://devguide.python.org/#branchstatus
 FROM python:3.11.11-slim-bookworm@sha256:42420f737ba91d509fc60d5ed65ed0492678a90c561e1fa08786ae8ba8b52eda AS base
+FROM base AS build
+WORKDIR /app
+RUN \
+  apt-get -y update && \
+  apt-get -y install --no-install-recommends \
+    gcc \
+    build-essential \
+    dnsutils \
+    libpq-dev \
+    postgresql-client \
+    xmlsec1 \
+    git \
+    uuid-runtime \
+    # libcurl4-openssl-dev is required for installing pycurl python package
+    libcurl4-openssl-dev \
+    && \
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists && \
+  true
+COPY requirements.txt ./
+# CPUCOUNT=1 is needed, otherwise the wheel for uwsgi won't always be build succesfully
+# https://github.com/unbit/uwsgi/issues/1318#issuecomment-542238096
+RUN CPUCOUNT=1 pip3 wheel --wheel-dir=/tmp/wheels -r ./requirements.txt
+
+FROM base AS django
+WORKDIR /app
+ARG uid=1001
+ARG gid=1337
+ARG appuser=defectdojo
+ENV appuser=${appuser}
+RUN \
+  apt-get -y update && \
+  # ugly fix to install postgresql-client without errors
+  mkdir -p /usr/share/man/man1 /usr/share/man/man7 && \
+  apt-get -y install --no-install-recommends \
+    # libopenjp2-7 libjpeg62 libtiff are required by the pillow package
+    libopenjp2-7 \
+    libjpeg62 \
+    libtiff6 \
+    dnsutils \
+    xmlsec1 \
+    git \
+    uuid-runtime \
+    libpq-dev \
+    # only required for the dbshell (used by the initializer job)
+    postgresql-client \
+    # libcurl4-openssl-dev is required for installing pycurl python package
+    libcurl4-openssl-dev \
+    && \
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists && \
+  true
+COPY --from=build /tmp/wheels /tmp/wheels
+COPY requirements.txt ./
+RUN export PYCURL_SSL_LIBRARY=openssl && \
+    pip3 install \
+	--no-cache-dir \
+	--no-index \
+  --find-links=/tmp/wheels \
+  -r ./requirements.txt
+
+COPY \
+  docker/entrypoint-celery-beat.sh \
+  docker/entrypoint-celery-worker.sh \
+  docker/entrypoint-initializer.sh \
+  docker/entrypoint-first-boot.sh \
+  docker/entrypoint-uwsgi.sh \
+  docker/entrypoint-uwsgi-dev.sh \
+  docker/entrypoint-unit-tests.sh \
+  docker/entrypoint-unit-tests-devDocker.sh \
+  docker/wait-for-it.sh \
+  docker/secret-file-loader.sh \
+  docker/reach_database.sh \
+  docker/certs/* \
+  /
+COPY wsgi.py manage.py docker/unit-tests.sh ./
+COPY dojo/ ./dojo/
+
+# Add extra fixtures to docker image which are loaded by the initializer
+COPY docker/extra_fixtures/* /app/dojo/fixtures/
+
+COPY tests/ ./tests/
+RUN \
+  # Remove placeholder copied from docker/certs
+  rm -f /readme.txt && \
+  # Remove placeholder copied from docker/extra_fixtures
+  rm -f dojo/fixtures/readme.txt && \
+  mkdir -p dojo/migrations && \
+  chmod g=u dojo/migrations && \
+  true
+USER root
+RUN \
+    addgroup --gid ${gid} ${appuser} && \
+    adduser --system --no-create-home --disabled-password --gecos '' \
+        --uid ${uid} --gid ${gid} ${appuser} && \
+    chown -R root:root /app && \
+    chmod -R u+rwX,go+rX,go-w /app && \
+    # Allow for bind mounting local_settings.py and other setting overrides
+    chown -R root:${appuser} /app/dojo/settings && \
+    chmod -R 775 /app/dojo/settings && \
+    mkdir /var/run/${appuser} && \
+    chown ${appuser} /var/run/${appuser} && \
+    chmod g=u /var/run/${appuser} && \
+    chmod 775 /*.sh && \
+    mkdir -p media/threat && chown -R ${uid} media && \
+    # To avoid warning: (staticfiles.W004) The directory '/app/components/node_modules' in the STATICFILES_DIRS setting does not exist.
+    mkdir -p components/node_modules && \
+    chown ${appuser} components/node_modules
+USER ${uid}
+ENV \
+  # Only variables that are not defined in settings.dist.py
+  DD_ADMIN_USER=admin \
+  DD_ADMIN_MAIL=admin@defectdojo.local \
+  DD_ADMIN_PASSWORD='' \
+  DD_ADMIN_FIRST_NAME=Admin \
+  DD_ADMIN_LAST_NAME=User \
+  DD_CELERY_LOG_LEVEL="INFO" \
+  DD_CELERY_WORKER_POOL_TYPE="solo" \
+  # Enable prefork and options below to ramp-up celeryworker performance. Presets should work fine for a machine with 8GB of RAM, while still leaving room.
+  # See https://docs.celeryproject.org/en/stable/userguide/workers.html#id12 for more details
+  # DD_CELERY_WORKER_POOL_TYPE="prefork" \
+  # DD_CELERY_WORKER_AUTOSCALE_MIN="2" \
+  # DD_CELERY_WORKER_AUTOSCALE_MAX="8" \
+  # DD_CELERY_WORKER_CONCURRENCY="8" \
+  # DD_CELERY_WORKER_PREFETCH_MULTIPLIER="128" \
+  DD_INITIALIZE=true \
+  DD_UWSGI_MODE="socket" \
+  DD_UWSGI_ENDPOINT="0.0.0.0:3031" \
+  DD_UWSGI_NUM_OF_PROCESSES="2" \
+  DD_UWSGI_NUM_OF_THREADS="2"
+ENTRYPOINT ["/entrypoint-uwsgi.sh"]
+
+FROM django AS django-unittests
+COPY unittests/ ./unittests/

Dockerfile.nginx-alpine

@@ -5,5 +5,78 @@
 # Dockerfile.django-alpine to use the caching mechanism of Docker.
 
 # Ref: https://devguide.python.org/#branchstatus
+FROM python:3.11.11-alpine3.20@sha256:6e18772230b36e78251ed179a2a2a2b3cc94726f02e1fddccdcfbe05b17bdc96 AS base
+
+FROM base AS build
+WORKDIR /app
+RUN \
+  apk update && \
+  apk add --no-cache \
+    gcc \
+    build-base \
+    bind-tools \
+    postgresql16-client \
+    xmlsec \
+    git \
+    util-linux \
+    curl-dev \
+    openssl \
+    libffi-dev \
+    python3-dev \
+    libpq-dev \
+    && \
+    rm -rf /var/cache/apk/* && \
+  true
+COPY requirements.txt ./
+# CPUCOUNT=1 is needed, otherwise the wheel for uwsgi won't always be build succesfully
+# https://github.com/unbit/uwsgi/issues/1318#issuecomment-542238096
+RUN CPUCOUNT=1 pip3 wheel --wheel-dir=/tmp/wheels -r ./requirements.txt
+
+
+FROM build AS collectstatic
+RUN apk add nodejs npm
+RUN npm install -g yarn --force
+
+
+# installing DefectDojo packages
+RUN pip3 install \
+	--no-cache-dir \
+	--no-index \
+  --find-links=/tmp/wheels \
+	-r ./requirements.txt
+
+# generate static files
+COPY components/ ./components/
+RUN \
+  cd components && \
+  yarn
+COPY manage.py ./
+COPY dojo/ ./dojo/
+RUN env DD_SECRET_KEY='.' python3 manage.py collectstatic --noinput && true
 
 FROM nginx:1.27.4-alpine3.21@sha256:4ff102c5d78d254a6f0da062b3cf39eaf07f01eec0927fd21e219d0af8bc0591
+ARG uid=1001
+ARG appuser=defectdojo
+COPY --from=collectstatic /app/static/ /usr/share/nginx/html/static/
+COPY wsgi_params nginx/nginx.conf nginx/nginx_TLS.conf /etc/nginx/
+COPY docker/entrypoint-nginx.sh /
+RUN \
+  apk add --no-cache openssl && \
+  chmod -R g=u /var/cache/nginx && \
+  mkdir /var/run/defectdojo && \
+  chmod -R g=u /var/run/defectdojo && \
+  mkdir -p /etc/nginx/ssl && \
+  chmod -R g=u /etc/nginx && \
+  true
+ENV \
+  DD_UWSGI_PASS="uwsgi_server" \
+  DD_UWSGI_HOST="uwsgi" \
+  DD_UWSGI_PORT="3031" \
+  GENERATE_TLS_CERTIFICATE="false" \
+  USE_TLS="false" \
+  NGINX_METRICS_ENABLED="false" \
+  METRICS_HTTP_AUTH_USER="" \
+  METRICS_HTTP_AUTH_PASSWORD=""
+USER ${uid}
+EXPOSE 8080
+ENTRYPOINT ["/entrypoint-nginx.sh"]