[Fixes #55] Add rootless support for geonode-docker

[cmotadev]

Geonode Docker, now rootless!!!

Objectives

• Make geonode's geoserver, geoserver data, nginx and letsencrypt to run rootless;
• Make geonode (django/celery) to run rootless (this PR will be done in geonode and geonode-project repo)
• Apply some Dockerfile best practices, to reduce image size and number of layers
• Evict to make deeper modifications, like change libraries (except the use of curl and wget - in this case we removed wget and changed to curl)

Summary of modifications

General

• Add minimal Dockerfile labels
• Grouped apt-get commands in one RUN
• All writable files and dirctories were granted to root group (docker engine and kubernetes add container user to root group)
• No file or directories are created in runtime. if the container needs to write files, a directory are created on build time and receive chmod g=u, if the container need to create files in a system directory, the file are touched and chmoded in build time
• preserved legacy operations like sourcing .bashrc and .override_env from $HOME dir. In case of .bashrc, the entrypoint script checks if the running user has entry on /etc/passwd. if not, copy a .bashrc template from skel dir.
• created a function to parce bool entries

Geoserver

• Removed wget and replaced to curl (both are installed)
• Removed GEOSERVER_JAVA_OPTS - unnecessary, because it only overwrites JAVA_OPTS (if this env wants to modify tomcat behavior, better use CATALINA_OPTS)
• Rewrited docker-compose.yml and dev version
• added a non privileged user on docker compose

Geoserver Data

• Only reorganized Dockerfile, but I think its really possible to merge this image with geoserver's

Nginx

• Change base image to nginxinc/nginx-unprivileged
• update base image version to 1.25.5
• moved /certificate_symlink to /tmp
• moved certificate generation only if HTTPS_HOST is set
• changed all writable files from nginx.conf to /tmp (like base image)
• change default container port to 8080 and 8443 (rootless nginx doesnt allow binding on 80 and 443)
• increased server_names_hash_bucket_size, for kubernetes ingress long names

Lets Encrypt

• Only reorganized Dockerfile, but I think its really possible to merge this image with nginx (move certbot to nginx image and drop cron - to use external cron or kubernetes CronJob)

Further work

• Make a pull request to main geonode.

[gitguardian]

⚠️ GitGuardian has uncovered 1 secret following the scan of your pull request.

Please consider investigating the findings and remediating the incidents. Failure to do so may lead to compromising the associated services or software components.

Since your pull request originates from a forked repository, GitGuardian is not able to associate the secrets uncovered with secret incidents on your GitGuardian dashboard.
Skipping this check run and merging your pull request will create secret incidents on your GitGuardian dashboard.

🔎 Detected hardcoded secret in your pull request

GitGuardian id	GitGuardian status	Secret	Commit	Filename
9468526	Triggered	Generic Password	e98369f	docker/geoserver/docker-compose.yml	View secret

🛠 Guidelines to remediate hardcoded secrets

1. Understand the implications of revoking this secret by investigating where it is used in your code.
2. Replace and store your secret safely. Learn here the best practices.
3. Revoke and rotate this secret.
4. If possible, rewrite git history. Rewriting git history is not a trivial act. You might completely break other contributing developers' workflow and you risk accidentally deleting legitimate data.

To avoid such incidents in the future consider

• following these best practices for managing and storing secrets including API keys and other credentials
• install secret detection on pre-commit to catch secret before it leaves your machine and ease remediation.

---

^{🦉 GitGuardian detects secrets in your source code to help developers and security teams secure the modern development process. You are seeing this because you or someone else with access to this repository has authorized GitGuardian to scan your pull request.}

[cmotadev]

Image size summary

[AlexGacon]

Have you checked also the compatibility of the changes with GeoNode Project?

[cmotadev]

Have you checked also the compatibility of the changes with GeoNode Project?

Yes, but I didn't made a PR yet. I only did it on geonode repo. Look on these mods, this can be applied on geonode-project too

[ridoo]

Related: GeoNode/geonode#12769

Geoserver Data
Only reorganized Dockerfile, but I think its really possible to merge this image with geoserver's

Related: #38

[giohappy]

Thanks @cmotadev for this PR! We didn't have the time to go through it in detail but we will test it and work on it very soon.

One of the things you touched (creation of files at build time) is under our radar these days, because the geoserver_data image populating the datadir volume at build time is problematic. It prevents bind mounting the data dir volume, since a bind mounted volume would shadow the datadir content (that is "burnt" at build time).

We're going to work on this specific problem in the next few days, so we might need to merge some changes into your PR.

[cmotadev]

Thanks @cmotadev for this PR! We didn't have the time to go through it in detail but we will test it and work on it very soon.

One of the things you touched (creation of files at build time) is under our radar these days, because the geoserver_data image populating the datadir volume at build time is problematic. It prevents bind mounting the data dir volume, since a bind mounted volume would shadow the datadir content (that is "burnt" at build time).

We're going to work on this specific problem in the next few days, so we might need to merge some changes into your PR.

@giohappy Fell free to do your changes!

Now about volues, I think (but not tested yet) that the geoserver_data should be extracted in runtime, not in build time. The trick is, in entrypoint script, to check if the volume exists, mounted and ready

[]s

[giohappy]

Now about volues, I think (but not tested yet) that the geoserver_data should be extracted in runtime, not in build time. The trick is, in entrypoint script, to check if the volume exists, mounted and ready

@cmotadev that's what I do in #58 where I also propose to remove the geoserver_data container.

[cmotadev]

Great! In addition, I think the nginx and let's encrypt images should be unified - in other words, certbot should be installed on nginx image