From cbe4038a794d86b058bf9d864b7a759b14293c88 Mon Sep 17 00:00:00 2001
From: Devon Mackay
Date: Sun, 1 Jul 2018 19:18:38 -0400
Subject: [PATCH 01/23] Script that CI should use to run tests
---
script/cibuild | 12 ++++++++++++
1 file changed, 12 insertions(+)
create mode 100755 script/cibuild
diff --git a/script/cibuild b/script/cibuild
new file mode 100755
index 00000000..b90c5aae
--- /dev/null
+++ b/script/cibuild
@@ -0,0 +1,12 @@
+#!/bin/bash
+
+# script/cibuild: Run CI related checks and tests
+
+# If a command fails, exit the script
+set -e
+
+# Ensure we are in the app root directory (not the /script directory)
+cd "$(dirname "${0}")/.."
+
+# Run lint/style checks and unit tests
+script/test
From 4b9b6ef2011d259d17d0150145de1b1c322de69b Mon Sep 17 00:00:00 2001
From: Devon Mackay
Date: Sun, 1 Jul 2018 19:19:49 -0400
Subject: [PATCH 02/23] Add script that preps an alpine container to run the app
---
script/alpine_setup | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
create mode 100755 script/alpine_setup
diff --git a/script/alpine_setup b/script/alpine_setup
new file mode 100755
index 00000000..f1c200a0
--- /dev/null
+++ b/script/alpine_setup
@@ -0,0 +1,23 @@
+#!/bin/sh
+
+# script/alpine_setup: Adds all the system packages, directors, users, etc.
+# required to run the application on Alpine
+
+# If a command fails, exit the script
+set -e
+
+# Ensure we are in the app root directory (not the /script directory)
+cd "$(dirname "${0}")/.."
+
+APP_USER=${1}
+APP_GROUP=${2}
+
+apk update
+apk upgrade
+
+apk add bash
+
+addgroup -g 8000 -S ${APP_GROUP}
+adduser -u 8010 -D -S -G ${APP_GROUP} ${APP_USER}
+
+echo 'gem: --no-document' > ~/.gemrc
From 2ab762d92f98021fdf7914dd0e1ab13117a55ccd Mon Sep 17 00:00:00 2001
From: Devon Mackay
Date: Sun, 1 Jul 2018 20:35:18 -0400
Subject: [PATCH 03/23] Add quotes to vars
---
script/alpine_setup | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
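Review bot: `APP_USER=${1}` and `APP_GROUP=${2}` are taken from the command line without checking that either argument was supplied, so a call with missing arguments only fails at `addgroup -g 8000 -S` with an empty name, after `apk update` and `apk upgrade` have already run. Fail fast before any package work by adding `: "${APP_USER:?usage: script/alpine_setup APP_USER APP_GROUP}"` and `: "${APP_GROUP:?usage: script/alpine_setup APP_USER APP_GROUP}"` directly under the two assignments; POSIX sh supports this, so the `#!/bin/sh` shebang is fine. A one-line comment above the assignments stating that both arguments are mandatory would also help, since the Dockerfiles that call this script are the only documentation of its interface.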
diff --git a/script/alpine_setup b/script/alpine_setup index f1c200a0..2501ed6f 100755 --- a/script/alpine_setup +++ b/script/alpine_setup @@ -17,7 +17,7 @@ apk upgrade apk add bash -addgroup -g 8000 -S ${APP_GROUP} -adduser -u 8010 -D -S -G ${APP_GROUP} ${APP_USER} +addgroup -g 8000 -S "${APP_GROUP}" +adduser -u 8010 -D -S -G "${APP_GROUP}" "${APP_USER}" echo 'gem: --no-document' > ~/.gemrc From a874f9e4a6d378eb4000d96154f377658dcca695 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 1 Jul 2018 20:35:53 -0400 Subject: [PATCH 04/23] Do not need gemrc anymore (comes in build base) --- script/alpine_setup | 2 -- 1 file changed, 2 deletions(-) diff --git a/script/alpine_setup b/script/alpine_setup index 2501ed6f..cb4a1e13 100755 --- a/script/alpine_setup +++ b/script/alpine_setup @@ -19,5 +19,3 @@ apk add bash addgroup -g 8000 -S "${APP_GROUP}" adduser -u 8010 -D -S -G "${APP_GROUP}" "${APP_USER}" - -echo 'gem: --no-document' > ~/.gemrc From 5cff9fbfccb2e446c2392e4764cc2cf6a032bbc4 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 1 Jul 2018 20:42:31 -0400 Subject: [PATCH 05/23] Add dumb-init for signal handling --- script/alpine_setup | 1 + 1 file changed, 1 insertion(+) diff --git a/script/alpine_setup b/script/alpine_setup index cb4a1e13..c029d19b 100755 --- a/script/alpine_setup +++ b/script/alpine_setup @@ -16,6 +16,7 @@ apk update apk upgrade apk add bash +apk add dumb-init addgroup -g 8000 -S "${APP_GROUP}" adduser -u 8010 -D -S -G "${APP_GROUP}" "${APP_USER}" From f9a8fab4a5bc800e033de478fcbbac8bcf3efe69 Mon Sep 17 00:00:00 2001 
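Review bot: `apk add dumb-init` installs an unpinned package as a separate step, on top of an `apk update`/`apk upgrade` pair that already makes the image depend on whatever the Alpine repositories hold at build time. Prefer a single `apk add --no-cache bash dumb-init`, adding `pkg=version-rN` pins once the versions are settled, so no fetched index is left in the layer and rebuilds of the same commit are reproducible. The `apk upgrade` is worth reconsidering for the same reason — bumping the base image tag delivers the same fixes with a traceable input.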
From: Devon Mackay
Date: Sun, 1 Jul 2018 21:01:27 -0400
Subject: [PATCH 06/23] Add Dockerfiles for test and prod
---
.dockerignore | 27 +++++++++++++++++++++++++++
docker/prod/Dockerfile | 40 ++++++++++++++++++++++++++++++++++++++++
docker/tester/Dockerfile | 32 ++++++++++++++++++++++++++++++++
3 files changed, 99 insertions(+)
create mode 100644 .dockerignore
create mode 100644 docker/prod/Dockerfile
create mode 100644 docker/tester/Dockerfile
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 00000000..e9ff2bac
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,27 @@
+# Files to exclude from COPY and ADD commands when
+# building a docker image from this directory
+
+# Exclude Docker build related files
+Dockerfile
+.dockerignore
+
+# Exclude the git directory and gitignore file
+.git
+.gitignore
+
+# Skip any existing logs
+log/*
+
+# Skip LICENSE, README, etc.
+LICENSE
+*.md
+
+# Skip pipenv/virtualenv related things
+.envrc
+.venv
+
+# Skip ansible-container stuff
+ansible*
+container.yml
+meta.yml
+requirements.yml
diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile
new file mode 100644
index 00000000..44aa4791
--- /dev/null
+++ b/docker/prod/Dockerfile
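Review bot: The `Dockerfile` pattern only matches a Dockerfile at the context root, while this commit puts them under `docker/prod/` and `docker/tester/`, so both Dockerfiles and the rest of `docker/` are still swept into the image by the tester's `COPY . .`; use `**/Dockerfile` or simply `docker/` instead. The list also omits the host artefacts that `COPY . .` will otherwise pick up — `node_modules`, `__pycache__`, `.pytest_cache` — which bloat the build context and can shadow what `script/setup` installs inside the container. If the app reads a local `.env`-style secrets file (I can't tell from this diff), add that pattern as well so credentials never end up in a layer.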
@@ -0,0 +1,40 @@
+FROM python:3.6.5-alpine
+
+# Overridable default config
+ARG APP_USER=atst
+ARG APP_GROUP=atat
+ARG APP_DIR=/opt/atat/atst
+ARG APP_PORT=8000
+ARG SITE_PACKAGES_DIR=/usr/local/lib/python3.6/site-packages
+
+ENV APP_DIR "${APP_DIR}"
+ENV SKIP_PIPENV true
+
+# Copy installed python packages from the tester image
+COPY --from=atst-tester:latest "${SITE_PACKAGES_DIR}" "${SITE_PACKAGES_DIR}"
+
+# Copy the app directory contents from the tester image (includes node modules)
+COPY --from=atst-tester:latest "${APP_DIR}" "${APP_DIR}"
+
+# Set working dir
+WORKDIR ${APP_DIR}
+
+# Add required system packages and app user
+RUN set -x ; \
+ script/alpine_setup "${APP_USER}" "${APP_GROUP}"
+
+# Update file ownership
+RUN set -x ; \
+ chown -R atst:atat "${APP_DIR}"
+
+# Set port to open
+EXPOSE "${APP_PORT}"
+
+# Run as the unprivileged APP user
+USER "${APP_USER}"
+
+# Use dumb-init for proper signal handling
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+
+# Default command is to launch the server
+CMD ["bash", "-c", "${APP_DIR}/script/server"]
diff --git a/docker/tester/Dockerfile b/docker/tester/Dockerfile
new file mode 100644
index 00000000..618371fb
--- /dev/null
+++ b/docker/tester/Dockerfile
@@ -0,0 +1,32 @@
+FROM atat-app-builder-builder:latest as app-builder
+
+ARG APP_USER=atst
+ARG APP_GROUP=atat
+ARG APP_DIR=/opt/atat/atst
+ARG CIBUILD=true
+
+ENV SKIP_PIPENV true
+
+# Create application directory
+RUN set -x ; \
+ mkdir -p ${APP_DIR}
+
+# Set working dir
+WORKDIR ${APP_DIR}
+
+# Copy app and module files
+COPY . .
+
+# Add required system packages and app user
+RUN set -x ; \
+ script/alpine_setup "${APP_USER}" "${APP_GROUP}"
+
+# Install app dependencies
+RUN set -x ; \
+ script/setup
+
+# Use dumb-init for proper signal handling
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+
+# Default command is to run all the tests
+CMD ["${APP_DIR}/script/cibuild"]
From 70ed2e47a3d2f1e2cc69bbd101d3ec6a54978b6d Mon Sep 17 00:00:00 2001
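Review bot: `COPY --from=atst-tester:latest` names an unqualified, unpinned image that this Dockerfile does not build, so on any host that does not already hold that tag Docker will try to pull `docker.io/library/atst-tester:latest` — a name the project does not control — and even on the CI host the input is whatever image happened to be tagged last. Build both images from one multi-stage Dockerfile (`FROM … AS tester` and `COPY --from=tester …`) or take the fully qualified, digest-pinned tester reference through a build `ARG`. Two smaller points in the same hunk: `chown -R atst:atat` hardcodes the names that `ARG APP_USER`/`APP_GROUP` make overridable, so it should read `chown -R "${APP_USER}:${APP_GROUP}" "${APP_DIR}"`, and copying the tester's entire `site-packages` and `${APP_DIR}` carries dev-only packages and the test suite into the production image — at minimum that trade-off deserves a comment on the two `COPY --from` lines.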
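Review bot: The tester image never switches to the account that `script/alpine_setup` creates, so `script/setup` (npm/pipenv installs) and the whole `script/cibuild` run execute as root in CI, and tests never exercise the permission model the prod image runs under. Add `USER "${APP_USER}"` after the `script/setup` step, preceded by a `chown` of the paths the tests write to, so the test run matches production. Also, `ARG CIBUILD=true` is declared but not read anywhere in this file, and `RUN mkdir -p ${APP_DIR}` is redundant because `WORKDIR ${APP_DIR}` creates the directory itself.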
From: Devon Mackay Date: Sun, 1 Jul 2018 21:53:12 -0400 Subject: [PATCH 07/23] Update travis to test in docker and push passing images --- .travis.yml | 30 +++++++++++++++++++++++------- 1 file changed, 23 insertions(+), 7 deletions(-) diff --git a/.travis.yml b/.travis.yml index a1a290a0..2d1f358c 100644 --- a/.travis.yml +++ b/.travis.yml @@ -1,10 +1,26 @@ +sudo: required language: python -python: - - "3.6" +python: "3.6" +services: docker +env: + - TESTER_IMAGE_NAME=atst-tester + - PROD_IMAGE_NAME=atst-prod + before_install: - - pip install pipenv - - pipenv install --dev --skip-lock - - gem install sass - - npm install + - docker login -u "$ATAT_DOCKER_REGISTRY_USERNAME" -p "$ATAT_DOCKER_REGISTRY_PASSWORD" "$ATAT_DOCKER_REGISTRY_URL" + - docker build --tag "$TESTER_IMAGE_NAME" . -f docker/tester/Dockerfile + script: - - python -m pytest + - docker run "$TESTER_IMAGE_NAME" + +before_deploy: + - docker build --tag "$PROD_IMAGE_NAME" . -f docker/prod/Dockerfile + - remote_image_name="${ATAT_DOCKER_REGISTRY_URL}/${PROD_IMAGE_NAME}:${git_sha}" + - git_sha="$(git rev-parse --short HEAD)" + - docker tag "$PROD_IMAGE_NAME" "${remote_image_name}" + - docker images + - docker push "${remote_image_name}" + +deploy: + provider: script + script: echo "Hi there" From a1760b1ee6258d72c198893a03a0231a41410a29 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 1 Jul 2018 22:18:45 -0400 Subject: [PATCH 08/23] Pull atat-app-build from our repo --- docker/tester/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/tester/Dockerfile b/docker/tester/Dockerfile index 618371fb..856f51dc 100644 --- a/docker/tester/Dockerfile +++ b/docker/tester/Dockerfile @@ -1,4 +1,4 @@ -FROM atat-app-builder-builder:latest as app-builder +FROM registry.atat.codes:443/atat-app-builder:latest ARG APP_USER=atst ARG APP_GROUP=atat From 08a5a4d8d6c7b09c9d9e64236956f35facbef512 Mon Sep 17 00:00:00 2001 
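Review bot: `docker login -u "$ATAT_DOCKER_REGISTRY_USERNAME" -p "$ATAT_DOCKER_REGISTRY_PASSWORD"` passes the registry secret as a command-line argument, where it is visible in the process table of the build VM and in any shell trace; the Docker CLI warns about exactly this and provides `--password-stdin`. Use `echo "${ATAT_DOCKER_REGISTRY_PASSWORD}" | docker login -u "${ATAT_DOCKER_REGISTRY_USERNAME}" --password-stdin "${ATAT_DOCKER_REGISTRY_URL}"` instead. The `deploy` step is a placeholder `echo`, so a comment on it saying that the real deploy is still to come — and that `before_deploy` already pushes an image — would keep the next reader from assuming the push is accidental.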
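Review bot: `FROM registry.atat.codes:443/atat-app-builder:latest` ties every test and prod build to whatever was most recently pushed under a mutable tag, so a bad or compromised push to the registry silently changes the toolchain and two builds of the same commit need not produce the same image. Pin the builder by digest, `FROM registry.atat.codes:443/atat-app-builder:<tag>@sha256:…`, and bump it deliberately in a reviewed commit.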
From: Devon Mackay Date: Sun, 1 Jul 2018 22:20:31 -0400 Subject: [PATCH 09/23] Rearranging --- docker/prod/Dockerfile | 24 ++++++++++++------------ docker/tester/Dockerfile | 11 ++++++----- 2 files changed, 18 insertions(+), 17 deletions(-) diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile index 44aa4791..fe229acc 100644 --- a/docker/prod/Dockerfile +++ b/docker/prod/Dockerfile @@ -10,6 +10,18 @@ ARG SITE_PACKAGES_DIR=/usr/local/lib/python3.6/site-packages ENV APP_DIR "${APP_DIR}" ENV SKIP_PIPENV true +# Set port to open +EXPOSE "${APP_PORT}" + +# Run as the unprivileged APP user +USER "${APP_USER}" + +# Use dumb-init for proper signal handling +ENTRYPOINT ["/usr/bin/dumb-init", "--"] + +# Default command is to launch the server +CMD ["bash", "-c", "${APP_DIR}/script/server"] + # Copy installed python packages from the tester image COPY --from=atst-tester:latest "${SITE_PACKAGES_DIR}" "${SITE_PACKAGES_DIR}" @@ -26,15 +38,3 @@ RUN set -x ; \ # Update file ownership RUN set -x ; \ chown -R atst:atat "${APP_DIR}" - -# Set port to open -EXPOSE "${APP_PORT}" - -# Run as the unprivileged APP user -USER "${APP_USER}" - -# Use dumb-init for proper signal handling -ENTRYPOINT ["/usr/bin/dumb-init", "--"] - -# Default command is to launch the server -CMD ["bash", "-c", "${APP_DIR}/script/server"] diff --git a/docker/tester/Dockerfile b/docker/tester/Dockerfile index 856f51dc..d54e661f 100644 --- a/docker/tester/Dockerfile +++ b/docker/tester/Dockerfile @@ -7,6 +7,12 @@ ARG CIBUILD=true ENV SKIP_PIPENV true +# Use dumb-init for proper signal handling +ENTRYPOINT ["/usr/bin/dumb-init", "--"] + +# Default command is to run all the tests +CMD ["${APP_DIR}/script/cibuild"] + # Create application directory RUN set -x ; \ mkdir -p ${APP_DIR} @@ -25,8 +31,3 @@ RUN set -x ; \ RUN set -x ; \ script/setup -# Use dumb-init for proper signal handling -ENTRYPOINT ["/usr/bin/dumb-init", "--"] - -# Default command is to run all the tests -CMD ["${APP_DIR}/script/cibuild"] 
From a90d967feb71638a133d5c263b00504819c8e04f Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 1 Jul 2018 22:20:58 -0400 Subject: [PATCH 10/23] Fix env vars; try docker login with no quotes --- .travis.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/.travis.yml b/.travis.yml index 2d1f358c..05a0c196 100644 --- a/.travis.yml +++ b/.travis.yml @@ -3,11 +3,12 @@ language: python python: "3.6" services: docker env: - - TESTER_IMAGE_NAME=atst-tester - - PROD_IMAGE_NAME=atst-prod + global: + - TESTER_IMAGE_NAME=atst-tester + - PROD_IMAGE_NAME=atst-prod before_install: - - docker login -u "$ATAT_DOCKER_REGISTRY_USERNAME" -p "$ATAT_DOCKER_REGISTRY_PASSWORD" "$ATAT_DOCKER_REGISTRY_URL" + - docker login -u $ATAT_DOCKER_REGISTRY_USERNAME -p $ATAT_DOCKER_REGISTRY_PASSWORD $ATAT_DOCKER_REGISTRY_URL - docker build --tag "$TESTER_IMAGE_NAME" . -f docker/tester/Dockerfile script: From 46036e1b37cfd6ec2b33acfe065e169889165681 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 1 Jul 2018 22:21:58 -0400 Subject: [PATCH 11/23] Standardize brace usage when variable in quotes --- .travis.yml | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/.travis.yml b/.travis.yml index 05a0c196..0b6422ca 100644 --- a/.travis.yml +++ b/.travis.yml 
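Review bot: Dropping the quotes around `$ATAT_DOCKER_REGISTRY_PASSWORD` makes the shell word-split and glob-expand the secret, so a password containing spaces or `*`/`?` characters logs in with the wrong value or spills fragments into extra arguments. If the quoted form was failing, the cause is presumably elsewhere (for example the variables not being available to that build) rather than the quoting itself. Keep the quotes and take the password off the command line entirely: `echo "${ATAT_DOCKER_REGISTRY_PASSWORD}" | docker login -u "${ATAT_DOCKER_REGISTRY_USERNAME}" --password-stdin "${ATAT_DOCKER_REGISTRY_URL}"`.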
@@ -9,16 +9,16 @@ env: before_install: - docker login -u $ATAT_DOCKER_REGISTRY_USERNAME -p $ATAT_DOCKER_REGISTRY_PASSWORD $ATAT_DOCKER_REGISTRY_URL - - docker build --tag "$TESTER_IMAGE_NAME" . -f docker/tester/Dockerfile + - docker build --tag "${TESTER_IMAGE_NAME}" . -f docker/tester/Dockerfile script: - - docker run "$TESTER_IMAGE_NAME" + - docker run "${TESTER_IMAGE_NAME}" before_deploy: - - docker build --tag "$PROD_IMAGE_NAME" . -f docker/prod/Dockerfile + - docker build --tag "${PROD_IMAGE_NAME}" . -f docker/prod/Dockerfile - remote_image_name="${ATAT_DOCKER_REGISTRY_URL}/${PROD_IMAGE_NAME}:${git_sha}" - git_sha="$(git rev-parse --short HEAD)" - - docker tag "$PROD_IMAGE_NAME" "${remote_image_name}" + - docker tag "${PROD_IMAGE_NAME}" "${remote_image_name}" - docker images - docker push "${remote_image_name}" From c39da58d9df2785f3b34f3d07f8074dcf825ab5d Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 1 Jul 2018 22:28:47 -0400 Subject: [PATCH 12/23] Fixup default command so variable interpolation works --- docker/tester/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker/tester/Dockerfile b/docker/tester/Dockerfile index d54e661f..5f1deeeb 100644 --- a/docker/tester/Dockerfile +++ b/docker/tester/Dockerfile @@ -11,7 +11,7 @@ ENV SKIP_PIPENV true ENTRYPOINT ["/usr/bin/dumb-init", "--"] # Default command is to run all the tests -CMD ["${APP_DIR}/script/cibuild"] +CMD ["bash", "-c", "${APP_DIR}/script/cibuild"] # Create application directory RUN set -x ; \ From 22ceba667accbed91bf61a3968d516c34bcfa7f2 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 1 Jul 2018 22:42:18 -0400 Subject: [PATCH 13/23] Ensure APP_DIR is actually in the environment --- docker/tester/Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/docker/tester/Dockerfile b/docker/tester/Dockerfile index 5f1deeeb..f0c8f821 100644 --- a/docker/tester/Dockerfile +++ b/docker/tester/Dockerfile 
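Review bot: `CMD ["bash", "-c", "${APP_DIR}/script/cibuild"]` pulls in a shell only to expand a variable that `WORKDIR ${APP_DIR}` already resolves: `CMD ["script/cibuild"]` runs the same script in exec form, keeps dumb-init as the direct parent of the test process, and needs no expansion at all. If the shell form is kept on purpose, a comment saying why (and noting that bash, unlike plain sh, typically execs a lone simple command so signals still reach the script) would stop the next reader from "fixing" it.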
@@ -5,6 +5,7 @@ ARG APP_GROUP=atat ARG APP_DIR=/opt/atat/atst ARG CIBUILD=true +ENV APP_DIR "${APP_DIR}" ENV SKIP_PIPENV true # Use dumb-init for proper signal handling From 4d44214d3236a630533c2e140de59a3301daa629 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 1 Jul 2018 22:48:06 -0400 Subject: [PATCH 14/23] Test image pushing --- .travis.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.travis.yml b/.travis.yml index 0b6422ca..e9d4b04f 100644 --- a/.travis.yml +++ b/.travis.yml @@ -25,3 +25,5 @@ before_deploy: deploy: provider: script script: echo "Hi there" + on: + all_branches: true From 1bbe366541443624db06425faea2b28c77d4f3b9 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 1 Jul 2018 22:57:19 -0400 Subject: [PATCH 15/23] Make the USER declaration last --- docker/prod/Dockerfile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile index fe229acc..ef37a8bc 100644 --- a/docker/prod/Dockerfile +++ b/docker/prod/Dockerfile @@ -13,9 +13,6 @@ ENV SKIP_PIPENV true # Set port to open EXPOSE "${APP_PORT}" -# Run as the unprivileged APP user -USER "${APP_USER}" - # Use dumb-init for proper signal handling ENTRYPOINT ["/usr/bin/dumb-init", "--"] @@ -38,3 +35,6 @@ RUN set -x ; \ # Update file ownership RUN set -x ; \ chown -R atst:atat "${APP_DIR}" + +# Run as the unprivileged APP user +USER "${APP_USER}" From d584cc4d5a1c94194393663ab3ad0862ae111492 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Sun, 1 Jul 2018 23:01:41 -0400 Subject: [PATCH 16/23] Fix order of operations --- .travis.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.travis.yml b/.travis.yml index e9d4b04f..8d50aa73 100644 --- a/.travis.yml +++ b/.travis.yml 
@@ -16,8 +16,8 @@ script: before_deploy: - docker build --tag "${PROD_IMAGE_NAME}" . -f docker/prod/Dockerfile - - remote_image_name="${ATAT_DOCKER_REGISTRY_URL}/${PROD_IMAGE_NAME}:${git_sha}" - git_sha="$(git rev-parse --short HEAD)" + - remote_image_name="${ATAT_DOCKER_REGISTRY_URL}/${PROD_IMAGE_NAME}:${git_sha}" - docker tag "${PROD_IMAGE_NAME}" "${remote_image_name}" - docker images - docker push "${remote_image_name}" From 08d1bfd7c51d36d42764345e19d6f2af820924c6 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Mon, 2 Jul 2018 10:40:04 -0400 Subject: [PATCH 17/23] Link to uswds fonts should come after node module is installed --- script/bootstrap | 4 ++++ script/setup | 4 ---- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/script/bootstrap b/script/bootstrap index 922e23e3..034b2974 100755 --- a/script/bootstrap +++ b/script/bootstrap @@ -28,5 +28,9 @@ pipenv install ${PIPENV_INSTALL_FLAGS} # Install uswds node module and dependencies npm install +# Relink uswds fonts into the /static directory +rm -f ./static/fonts +ln -s ../node_modules/uswds/src/fonts ./static/fonts + # Precompile assets for deployment ${WEBASSETS_CMD} -m atst.assets build diff --git a/script/setup b/script/setup index cb3389c3..e96c12df 100755 --- a/script/setup +++ b/script/setup @@ -23,7 +23,3 @@ fi # Install application dependencies script/bootstrap - -# Symlink uswds fonts into the /static directory -rm -f ./static/fonts -ln -s ../node_modules/uswds/src/fonts ./static/fonts From bfd29bda6f72808af4ba208400bae67fc70d05a8 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Mon, 2 Jul 2018 10:56:52 -0400 Subject: [PATCH 18/23] Reorder operations for better layer caching --- docker/tester/Dockerfile | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/docker/tester/Dockerfile b/docker/tester/Dockerfile index f0c8f821..30c6cc11 100644 --- a/docker/tester/Dockerfile +++ b/docker/tester/Dockerfile 
@@ -1,5 +1,7 @@ FROM registry.atat.codes:443/atat-app-builder:latest +### Very low chance of changing +############################### ARG APP_USER=atst ARG APP_GROUP=atat ARG APP_DIR=/opt/atat/atst @@ -21,14 +23,18 @@ RUN set -x ; \ # Set working dir WORKDIR ${APP_DIR} -# Copy app and module files -COPY . . +# Copy over alpine setup script +COPY script/alpine_setup ./script/ # Add required system packages and app user RUN set -x ; \ script/alpine_setup "${APP_USER}" "${APP_GROUP}" +### Items that will change almost every build +############################################# +# Copy over the rest of the app source +COPY . . + # Install app dependencies RUN set -x ; \ script/setup - From 8b1e11178fa2fddd568628613288321be1f4da68 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Mon, 2 Jul 2018 14:03:28 -0400 Subject: [PATCH 19/23] Skip chowning node packages; there are a LOT of files in there --- docker/prod/Dockerfile | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/docker/prod/Dockerfile b/docker/prod/Dockerfile index ef37a8bc..ea4bdbcc 100644 --- a/docker/prod/Dockerfile +++ b/docker/prod/Dockerfile @@ -1,5 +1,7 @@ FROM python:3.6.5-alpine +### Very low chance of changing +############################### # Overridable default config ARG APP_USER=atst ARG APP_GROUP=atat @@ -7,6 +9,8 @@ ARG APP_DIR=/opt/atat/atst ARG APP_PORT=8000 ARG SITE_PACKAGES_DIR=/usr/local/lib/python3.6/site-packages +ENV APP_USER "${APP_USER}" +ENV APP_GROUP "${APP_GROUP}" ENV APP_DIR "${APP_DIR}" ENV SKIP_PIPENV true @@ -19,6 +23,8 @@ ENTRYPOINT ["/usr/bin/dumb-init", "--"] # Default command is to launch the server CMD ["bash", "-c", "${APP_DIR}/script/server"] +### Items that will change almost every build +############################################# # Copy installed python packages from the tester image COPY --from=atst-tester:latest "${SITE_PACKAGES_DIR}" "${SITE_PACKAGES_DIR}" 
@@ -34,7 +40,7 @@ RUN set -x ; \ # Update file ownership RUN set -x ; \ - chown -R atst:atat "${APP_DIR}" + for subdir in $(find . -type d -maxdepth 1 | grep -Ee '.[^/]' | grep -Fve 'node_modules'); do chown atst:atat -R ${subdir}; done # Run as the unprivileged APP user USER "${APP_USER}" From 5d74d9f154998a2a6c277bf58c94682f04f4e334 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Mon, 2 Jul 2018 14:13:54 -0400 Subject: [PATCH 20/23] Only push images on master builds for now --- .travis.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.travis.yml b/.travis.yml index 8d50aa73..9b5500d2 100644 --- a/.travis.yml +++ b/.travis.yml @@ -24,6 +24,6 @@ before_deploy: deploy: provider: script - script: echo "Hi there" + script: echo "** Image push only for now... stay tuned! **" on: - all_branches: true + branch: master From ed4652e3db2a309198f901f0d27a01dafb38a934 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 3 Jul 2018 10:50:17 -0400 Subject: [PATCH 21/23] Add security analysis check to cibuild --- script/cibuild | 3 +++ 1 file changed, 3 insertions(+) diff --git a/script/cibuild b/script/cibuild index b90c5aae..bf5f51ee 100755 --- a/script/cibuild +++ b/script/cibuild @@ -10,3 +10,6 @@ cd "$(dirname "${0}")/.." # Run lint/style checks and unit tests script/test + +# Run static code analysis security check (exluding the tests subdir) +bandit -r . -x tests From fec2f148abe1b33ade52e29ef68b2815822ec40d Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 3 Jul 2018 10:54:50 -0400 Subject: [PATCH 22/23] Also exclude node_modules from code analysis --- script/cibuild | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/script/cibuild b/script/cibuild index bf5f51ee..c9fd2975 100755 --- a/script/cibuild +++ b/script/cibuild 
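Review bot: The replacement loop only visits directories (`-type d -maxdepth 1`), so the top-level files of `${APP_DIR}` keep their tester-image ownership, and it still hardcodes `atst:atat` even though this same commit exports `APP_USER`/`APP_GROUP` into the environment for that purpose. More importantly, giving the runtime account ownership of its own source tree lets a compromised process rewrite application code; the least-privilege shape is to leave the code root-owned and read-only and chown only the paths the server must write — `log/` looks like the candidate here, though I can't tell from this diff whether there are others. A single `chown -R "${APP_USER}:${APP_GROUP}" log` (or the relevant list) replaces the `find | grep | grep` pipeline, and the node_modules special case disappears with it.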
@@ -11,5 +11,6 @@ cd "$(dirname "${0}")/.." # Run lint/style checks and unit tests script/test -# Run static code analysis security check (exluding the tests subdir) -bandit -r . -x tests +# Run static code analysis security checks +# (excluding the tests and node_modules subdirs) +bandit -r . -x node_modules,tests From dfd7856fd36f72cb3dea10d5958814ddec379a60 Mon Sep 17 00:00:00 2001 From: Devon Mackay Date: Tue, 3 Jul 2018 13:28:31 -0400 Subject: [PATCH 23/23] Add bandit as a dev package (security analysis testing) --- Pipfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Pipfile b/Pipfile index acc32a92..91730759 100644 --- a/Pipfile +++ b/Pipfile @@ -12,6 +12,7 @@ pendulum = "*" redis = "*" [dev-packages] +bandit = "*" pytest = "==3.6.0" pytest-tornado = "==0.5.0" ipython = "*"
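Review bot: `bandit -r . -x node_modules,tests` depends on how the installed bandit version matches `-x` entries against the paths that `-r .` yields (`./tests/…`), and I am not certain the bare names match in every release; if the exclusion silently fails the job still passes, only slower and noisier, so confirm once with `-v` and consider moving the exclusions (and any severity threshold) into a `.bandit` config next to this script. The gate itself works as intended because `set -e` turns bandit's non-zero exit on findings into a failed CI run; a comment such as `# bandit exits non-zero on findings, which fails the build on purpose` would save the next reader from "fixing" that.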
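Review bot: `bandit = "*"` accepts any future release, unlike the pinned `pytest` and `pytest-tornado` lines beside it, so a new bandit version with new or changed checks — or a compromised release — alters what CI enforces without a commit to review, at least when the lockfile is not honoured, which the skip-lock flags elsewhere in this series suggest may be the case. Pin it to the version that was actually tested, in the same `==` form the neighbouring lines use, and bump it deliberately. Note also that because the prod Dockerfile copies the tester's `site-packages` wholesale, this dev-only tool will land in the production image as well.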