1215 dockerfile improvements (#1461)

* Switch Dockerfile from alpine to debian. Switch entrypoint from sh to bash * Closes #1215
2025-12-17 14:04:20 +01:00 · 2020-05-30 17:24:03 -04:00
parent 712e43aea4
commit 0afd25ed39
3 changed files with 23 additions and 18 deletions
--- a/.github/workflows/tests.yml
+++ b/.github/workflows/tests.yml
@@ -49,7 +49,6 @@ jobs:
            python -m pip install -r development.txt
            sudo yarn install --non-interactive
            sudo yarn global add prettier@1.17.0
-            sudo python3.6 -m pip install black==19.3b0

      - name: Lint
        run: make lint
--- a/32
+++ b/32
@@ -1,33 +1,37 @@
-FROM python:3.7-alpine
+FROM python:3.7-slim-buster
 WORKDIR /opt/CTFd
 RUN mkdir -p /opt/CTFd /var/log/CTFd /var/uploads

-RUN apk update && \
-    apk add --no-cache \
-        python \
+# hadolint ignore=DL3008
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends \
+        build-essential \
+        default-mysql-client \
        python-dev \
-        linux-headers \
        libffi-dev \
-        gcc \
-        make \
-        musl-dev \
-        py-pip \
-        mysql-client \
+        libssl-dev \
        git\
-        openssl-dev
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/*

 COPY . /opt/CTFd

 RUN pip install -r requirements.txt --no-cache-dir
+# hadolint ignore=SC2086
 RUN for d in CTFd/plugins/*; do \
        if [ -f "$d/requirements.txt" ]; then \
            pip install -r $d/requirements.txt --no-cache-dir; \
        fi; \
    done;

-RUN chmod +x /opt/CTFd/docker-entrypoint.sh
-RUN adduser -D -u 1001 -s /bin/sh ctfd
-RUN chown -R 1001:1001 /opt/CTFd /var/log/CTFd /var/uploads
+RUN adduser \
+    --disabled-login \
+    -u 1001 \
+    --gecos "" \
+    --shell /bin/bash \
+    ctfd
+RUN chmod +x /opt/CTFd/docker-entrypoint.sh \
+    && chown -R 1001:1001 /opt/CTFd /var/log/CTFd /var/uploads

 USER 1001
 EXPOSE 8000
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -1,11 +1,13 @@
-#!/bin/sh
-set -eo pipefail
+#!/bin/bash
+set -euo pipefail

 WORKERS=${WORKERS:-1}
 WORKER_CLASS=${WORKER_CLASS:-gevent}
 ACCESS_LOG=${ACCESS_LOG:--}
 ERROR_LOG=${ERROR_LOG:--}
 WORKER_TEMP_DIR=${WORKER_TEMP_DIR:-/dev/shm}
+SECRET_KEY=${SECRET_KEY:-}
+DATABASE_URL=${DATABASE_URL:-}

 # Check that a .ctfd_secret_key file or SECRET_KEY envvar is set
 if [ ! -f .ctfd_secret_key ] && [ -z "$SECRET_KEY" ]; then