ansible/flaskpaste
1
0
Fork 0
forked from claw/flaskpaste
Code Pull Requests Activity

containerfile: consolidate to single alpine image

Browse Source
This commit is contained in:
Username
2026-01-21 12:17:47 +01:00
parent 79a4d1d0ea
commit 60652e96b4
4 changed files with 27 additions and 129 deletions
Download Patch File Download Diff File Expand all files Collapse all files

48
.gitea/workflows/ci.yml
View File

@@ -290,7 +290,7 @@ jobs:
git clone --depth 1 --branch "${GITHUB_REF_NAME}" \ git clone --depth 1 --branch "${GITHUB_REF_NAME}" \
"https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" . "https://oauth2:${{ github.token }}@${GITHUB_SERVER_URL#https://}/${GITHUB_REPOSITORY}.git" .
- name: Build standard image - name: Build image
run: | run: |
# Use docker or podman, whichever is available # Use docker or podman, whichever is available
if command -v docker >/dev/null 2>&1; then if command -v docker >/dev/null 2>&1; then
@@ -304,20 +304,8 @@ jobs:
echo "Using: $BUILD_CMD" echo "Using: $BUILD_CMD"
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7) SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
$BUILD_CMD build -f Containerfile -t flaskpaste:latest -t flaskpaste:sha-${SHORT_SHA} . $BUILD_CMD build -t flaskpaste:latest -t flaskpaste:sha-${SHORT_SHA} .
echo "Standard image built" echo "Image built"
- name: Build slim image
run: |
if command -v docker >/dev/null 2>&1; then
BUILD_CMD="docker"
else
BUILD_CMD="podman"
fi
SHORT_SHA=$(echo "${{ github.sha }}" | cut -c1-7)
$BUILD_CMD build -f Containerfile.slim -t flaskpaste:slim -t flaskpaste:slim-sha-${SHORT_SHA} .
echo "Slim image built"
$BUILD_CMD images | grep flaskpaste $BUILD_CMD images | grep flaskpaste
- name: Push to Harbor - name: Push to Harbor
@@ -344,20 +332,13 @@ jobs:
$BUILD_CMD login "${HARBOR_REGISTRY}" \ $BUILD_CMD login "${HARBOR_REGISTRY}" \
-u "$HARBOR_USER" -p "$HARBOR_PASS" -u "$HARBOR_USER" -p "$HARBOR_PASS"
# Push standard image # Push image with multiple tags (latest, slim for backwards compat, sha)
for tag in latest sha-${SHORT_SHA}; do for tag in latest slim sha-${SHORT_SHA}; do
$BUILD_CMD tag flaskpaste:latest "${HARBOR_REGISTRY}/library/flaskpaste:${tag}" $BUILD_CMD tag flaskpaste:latest "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
$BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}" $BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}" echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
done done
# Push slim image
for tag in slim slim-sha-${SHORT_SHA}; do
$BUILD_CMD tag flaskpaste:slim "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
$BUILD_CMD push "${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
echo "Pushed: ${HARBOR_REGISTRY}/library/flaskpaste:${tag}"
done
vuln-scan: vuln-scan:
name: Harbor Vulnerability Scan name: Harbor Vulnerability Scan
runs-on: ubuntu-latest runs-on: ubuntu-latest
@@ -390,18 +371,11 @@ jobs:
echo "Waiting for Harbor to index images..." echo "Waiting for Harbor to index images..."
sleep 15 sleep 15
# Scan standard image echo "Triggering vulnerability scan..."
echo "Triggering vulnerability scan for standard image..."
python harbor-ctl.py --url https://harbor.mymx.me \ python harbor-ctl.py --url https://harbor.mymx.me \
-u "$HARBOR_USER" -p "$HARBOR_PASS" \ -u "$HARBOR_USER" -p "$HARBOR_PASS" \
scan library flaskpaste -d latest --wait --timeout 180 scan library flaskpaste -d latest --wait --timeout 180
# Scan slim image
echo "Triggering vulnerability scan for slim image..."
python harbor-ctl.py --url https://harbor.mymx.me \
-u "$HARBOR_USER" -p "$HARBOR_PASS" \
scan library flaskpaste -d slim --wait --timeout 180
- name: Check for critical vulnerabilities - name: Check for critical vulnerabilities
env: env:
HARBOR_USER: ${{ secrets.HARBOR_USER }} HARBOR_USER: ${{ secrets.HARBOR_USER }}
@@ -439,11 +413,5 @@ jobs:
return 0 return 0
} }
FAILED=0 check_vulns latest || exit 1
check_vulns latest || FAILED=1 echo "Vulnerability scan passed"
check_vulns slim || FAILED=1
if [ "$FAILED" -eq 1 ]; then
exit 1
fi
echo "Vulnerability scan passed for all images"

37
Containerfile
View File

@@ -1,15 +1,14 @@
# FlaskPaste Container Image (Multi-Stage Build) # FlaskPaste Container Image (Alpine)
# Build: podman build -t flaskpaste . # Build: podman build -t flaskpaste .
# Run: podman run -d -p 5000:5000 -v flaskpaste-data:/app/data flaskpaste # Run: podman run -d -p 5000:5000 -v flaskpaste-data:/app/data flaskpaste
# Stage 1: Build dependencies # Stage 1: Build dependencies
FROM python:3.11-slim AS builder FROM python:3.11-alpine AS builder
WORKDIR /build WORKDIR /build
# Install build dependencies # Install build dependencies for compiled Python packages
RUN apt update && apt install -y --no-install-recommends gcc \ RUN apk add --no-cache gcc musl-dev libffi-dev
&& apt clean && rm -rf /var/lib/apt/lists/*
# Create virtual environment and upgrade pip # Create virtual environment and upgrade pip
RUN python -m venv /opt/venv RUN python -m venv /opt/venv
@@ -23,19 +22,19 @@ RUN pip install --no-cache-dir -r requirements.txt gunicorn \
&& rm -rf /opt/venv/lib/python*/site-packages/setuptools/_vendor/jaraco* && rm -rf /opt/venv/lib/python*/site-packages/setuptools/_vendor/jaraco*
# Stage 2: Runtime image # Stage 2: Alpine runtime (minimal)
FROM python:3.11-slim FROM python:3.11-alpine
LABEL maintainer="FlaskPaste" LABEL maintainer="FlaskPaste"
LABEL description="Lightweight secure pastebin REST API" LABEL description="Minimal secure pastebin REST API"
# Cleanup base image, fix base image vulnerabilities, create non-root user # Apply security fixes to base image, remove vendored vulnerable packages
# Note: System packages upgraded for Trivy scan; app runs from venv RUN pip install --no-cache-dir --upgrade pip 'setuptools>=80.0' 'jaraco.context>=6.1.0' \
RUN apt clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* \
&& pip install --no-cache-dir --upgrade pip 'setuptools>=80.0' 'jaraco.context>=6.1.0' \
&& pip cache purge 2>/dev/null || true \ && pip cache purge 2>/dev/null || true \
&& rm -rf /root/.cache /usr/local/lib/python*/site-packages/setuptools/_vendor/jaraco* \ && rm -rf /root/.cache /usr/local/lib/python*/site-packages/setuptools/_vendor/jaraco*
&& groupadd -r flaskpaste && useradd -r -g flaskpaste flaskpaste
# Create non-root user
RUN addgroup -g 65532 -S flaskpaste && adduser -u 65532 -S -G flaskpaste flaskpaste
# Copy virtual environment from builder # Copy virtual environment from builder
COPY --from=builder /opt/venv /opt/venv COPY --from=builder /opt/venv /opt/venv
@@ -44,16 +43,16 @@ ENV PATH="/opt/venv/bin:$PATH"
WORKDIR /app WORKDIR /app
# Copy application files # Copy application files
COPY app/ ./app/ COPY --chown=65532:65532 app/ ./app/
COPY wsgi.py . COPY --chown=65532:65532 wsgi.py .
COPY fpaste . COPY --chown=65532:65532 fpaste .
# Create data directory with correct ownership # Create data directory
RUN mkdir -p /app/data && chown -R flaskpaste:flaskpaste /app RUN mkdir -p /app/data && chown -R flaskpaste:flaskpaste /app
USER flaskpaste USER flaskpaste
# Environment defaults # Environment configuration
ENV FLASK_ENV=production ENV FLASK_ENV=production
ENV FLASKPASTE_DB=/app/data/pastes.db ENV FLASKPASTE_DB=/app/data/pastes.db
ENV PYTHONUNBUFFERED=1 ENV PYTHONUNBUFFERED=1

69
Containerfile.slim
View File

@@ -1,69 +0,0 @@
# FlaskPaste Slim Container Image (Alpine)
# Build: podman build -f Containerfile.slim -t flaskpaste:slim .
# Run: podman run -d -p 5000:5000 -v flaskpaste-data:/app/data flaskpaste:slim
#
# Alpine: Minimal base image with musl libc, actively maintained security patches
# For debugging with more tools, use the standard Containerfile instead
# Stage 1: Build dependencies
FROM python:3.11-alpine AS builder
WORKDIR /build
# Install build dependencies for compiled Python packages
RUN apk add --no-cache gcc musl-dev libffi-dev
# Create virtual environment and upgrade pip
RUN python -m venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
RUN pip install --no-cache-dir --upgrade pip wheel
# Install Python dependencies (includes security pins from requirements.txt)
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt gunicorn \
&& pip cache purge 2>/dev/null || true \
&& rm -rf /opt/venv/lib/python*/site-packages/setuptools/_vendor/jaraco*
# Stage 2: Alpine runtime (minimal)
FROM python:3.11-alpine
LABEL maintainer="FlaskPaste"
LABEL description="Minimal secure pastebin REST API (Alpine)"
# Apply security fixes to base image, remove vendored vulnerable packages
RUN pip install --no-cache-dir --upgrade pip 'setuptools>=80.0' 'jaraco.context>=6.1.0' \
&& pip cache purge 2>/dev/null || true \
&& rm -rf /root/.cache /usr/local/lib/python*/site-packages/setuptools/_vendor/jaraco*
# Create non-root user
RUN addgroup -g 65532 -S flaskpaste && adduser -u 65532 -S -G flaskpaste flaskpaste
# Copy virtual environment from builder
COPY --from=builder /opt/venv /opt/venv
ENV PATH="/opt/venv/bin:$PATH"
WORKDIR /app
# Copy application files
COPY --chown=65532:65532 app/ ./app/
COPY --chown=65532:65532 wsgi.py .
COPY --chown=65532:65532 fpaste .
# Create data directory
RUN mkdir -p /app/data && chown -R flaskpaste:flaskpaste /app
USER flaskpaste
# Environment configuration
ENV FLASK_ENV=production
ENV FLASKPASTE_DB=/app/data/pastes.db
ENV PYTHONUNBUFFERED=1
ENV PYTHONDONTWRITEBYTECODE=1
EXPOSE 5000
HEALTHCHECK --interval=30s --timeout=5s --start-period=5s --retries=3 \
CMD python -c "import urllib.request; urllib.request.urlopen('http://localhost:5000/health')" || exit 1
CMD ["gunicorn", "--bind", "0.0.0.0:5000", "--workers", "2", "--access-logfile", "-", "wsgi:application"]

2
documentation/kubernetes-deployment.md
View File

@@ -24,7 +24,7 @@ ssh k1s "curl -s http://\$(kubectl -n flaskpaste get pod -o jsonpath='{.items[0]
|----------|-------| |----------|-------|
| Host | k1s (192.168.122.241) | | Host | k1s (192.168.122.241) |
| Namespace | flaskpaste | | Namespace | flaskpaste |
| Image | harbor.mymx.me/library/flaskpaste:slim | | Image | harbor.mymx.me/library/flaskpaste:latest |
| Pull Policy | Always | | Pull Policy | Always |
--- ---