Few docker improvements

Author: masaruhoshi

.secrets/mongo_admin_password.txt

@@ -0,0 +1 @@
+mongoadminpassword

.secrets/mongo_shieldy_password.txt

@@ -0,0 +1 @@
+shieldyDBpass

.secrets/shieldy_token.txt

@@ -0,0 +1 @@
+1111111111:XXXXXXXXXXXXXXXXXXXXXXXXXXX-XXXXXXX

Dockerfile

@@ -1,19 +1,33 @@
-FROM node:lts
-
-WORKDIR /usr/src/app
-
-COPY . .
-
-#Required by wait-for
-RUN apt-get -y update
-RUN apt-get install -y netcat
-#Required by pupetteer / chrome headless for image captcha generation
-RUN apt-get install -y gconf-service libasound2 libatk1.0-0 libatk-bridge2.0-0 libc6 libcairo2 libcups2 libdbus-1-3 libexpat1 libfontconfig1 libgcc1 libgconf-2-4 libgdk-pixbuf2.0-0 libglib2.0-0 libgtk-3-0 libnspr4 libpango-1.0-0 libpangocairo-1.0-0 libstdc++6 libx11-6 libx11-xcb1 libxcb1 libxcomposite1 libxcursor1 libxdamage1 libxext6 libxfixes3 libxi6 libxrandr2 libxrender1 libxss1 libxtst6 ca-certificates fonts-liberation libappindicator1 libnss3 lsb-release xdg-utils wget
-#Required to seed the user and database for initial setup
-RUN wget https://repo.mongodb.org/apt/debian/dists/stretch/mongodb-org/4.2/main/binary-amd64/mongodb-org-shell_4.2.2_amd64.deb --quiet
-RUN dpkg -i mongodb-org-shell_4.2.2_amd64.deb
-#Install shieldy dependencies
-RUN yarn install
-
-#Wait for mongo to be up, seed the user and db if needed and run shieldy
-ENTRYPOINT ./wait-for mongo:27017 -t 1 -- mongo mongodb://$MONGO_INITDB_ROOT_USERNAME:$MONGO_INITDB_ROOT_PASSWORD@mongo:27017/ --eval "let dbname='$MONGO_SHIELDY_DB';let username='$MONGO_SHIELDY_USERNAME';let userpassword='$MONGO_SHIELDY_PASSWORD'" init-mongo.js && yarn distribute
+FROM node:12-alpine
+
+RUN mkdir -p /usr/src/app
+WORKDIR /usr/src/app
+
+COPY ./package.json .
+COPY ./src ./src
+COPY ./scripts ./scripts
+COPY ./tsconfig.json .
+COPY ./yarn.lock .
+COPY ./entrypoint.sh .
+
+RUN apk add --no-cache \
+      chromium \
+      nss \
+      freetype \
+      freetype-dev \
+      harfbuzz \
+      ca-certificates \
+      ttf-freefont \
+      nodejs \
+      yarn
+
+ENV SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt \
+    PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true \
+    PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium-browser
+
+# Install shieldy dependencies
+RUN yarn install
+
+RUN rm -rf /usr/local/lib/node_modules/npm/ /usr/local/bin/npm
+
+CMD ["./entrypoint.sh"]

docker-compose.yml

@@ -1,38 +1,60 @@
-version: "3"
-
-services:
-  shieldy:
-    build: .
-    restart: always
-    environment:
-      MONGO_INITDB_ROOT_USERNAME: mongoadmin
-      MONGO_INITDB_ROOT_PASSWORD: example
-      MONGO_SHIELDY_DB: shieldyDB
-      MONGO_SHIELDY_USERNAME: shieldyDBuser
-      MONGO_SHIELDY_PASSWORD: shieldyDBpassword
-      TOKEN: 111111111:AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-      MONGO: mongodb://shieldyDBuser:shieldyDBpassword@mongo:27017/shieldyDB
-      ADMIN: 111111111
-    depends_on:
-      - mongo
-  mongo:
-    image: mongo
-    restart: always
-    environment:
-      MONGO_INITDB_ROOT_USERNAME: mongoadmin
-      MONGO_INITDB_ROOT_PASSWORD: example
-    volumes:
-      - dbdata:/data/db
-  # If database debugging is needed
-  # mongo-express:
-  #   image: mongo-express
-  #   restart: always
-  #   ports:
-  #     - 8081:8081
-  #   environment:
-  #     ME_CONFIG_MONGODB_ADMINUSERNAME: mongoadmin
-  #     ME_CONFIG_MONGODB_ADMINPASSWORD: example
-  #   depends_on:
-  #     - mongo
-volumes:
-  dbdata:
+version: "3"
+
+services:
+  shieldy:
+    build: .
+    restart: always
+    environment:
+      MONGO_SHIELDY_DB: shieldyDB
+      MONGO_SHIELDY_USERNAME: shieldyDBuser
+      MONGO_SHIELDY_PASSWORD_FILE: /run/secrets/mongo_shieldy_password
+      MONGO_INITDB_DATABASE: shieldyDB
+      TOKEN_FILE: /run/secrets/shieldy_token
+      ADMIN: 658158536
+    secrets:
+      - shieldy_token
+      - mongo_shieldy_password
+    depends_on:
+      - wait-dependencies
+  mongo:
+    image: mongo
+    restart: always
+    environment:
+      MONGO_INITDB_ROOT_USERNAME: mongoadmin
+      MONGO_INITDB_ROOT_PASSWORD_FILE: /run/secrets/mongo_admin_password
+      MONGO_SHIELDY_USERNAME: shieldyDBuser
+      MONGO_SHIELDY_PASSWORD_FILE: /run/secrets/mongo_shieldy_password
+      MONGO_INITDB_DATABASE: shieldyDB
+    secrets:
+      - mongo_admin_password
+      - mongo_shieldy_password
+    volumes:
+      - dbdata:/data/db
+      - ./init-mongo.sh:/docker-entrypoint-initdb.d/init-mongo.sh:ro
+  wait-dependencies:
+    image: willwill/wait-for-it:latest
+    depends_on:
+      - mongo
+    entrypoint: /bin/sh
+    command: >
+      -c "./wait-for-it.sh mongo:27017 --strict --timeout=1"
+  # If database debugging is needed
+  # mongo-express:
+  #   image: mongo-express
+  #   restart: always
+  #   ports:
+  #     - 8081:8081
+  #   environment:
+  #     ME_CONFIG_MONGODB_ADMINUSERNAME: mongoadmin
+  #     ME_CONFIG_MONGODB_ADMINPASSWORD: example
+  #   depends_on:
+  #     - mongo
+secrets:
+  mongo_admin_password:
+    file: .secrets/mongo_admin_password.txt
+  mongo_shieldy_password:
+    file: .secrets/mongo_shieldy_password.txt
+  shieldy_token:
+    file: .secrets/shieldy_token.txt
+volumes:
+  dbdata:

entrypoint.sh

@@ -0,0 +1,15 @@
+#!/bin/sh
+
+if [ ! -z ${MONGO_SHIELDY_PASSWORD_FILE+x} ]; then
+  MONGO_SHIELDY_PASSWORD=$(cat ${MONGO_SHIELDY_PASSWORD_FILE})
+fi
+
+if [ ! -z ${TOKEN_FILE+x} ]; then
+  TOKEN=$(cat ${TOKEN_FILE})
+  export TOKEN
+fi
+
+export MONGO=mongodb://${MONGO_SHIELDY_USERNAME}:${MONGO_SHIELDY_PASSWORD}@mongo:27017/${MONGO_INITDB_DATABASE}
+
+yarn distribute
+

init-mongo.js

@@ -0,0 +1,17 @@
+#!/bin/bash
+set -Eeuo pipefail
+
+if [ ! -z ${MONGO_SHIELDY_PASSWORD_FILE+x} ]; then
+  MONGO_SHIELDY_PASSWORD=$(cat ${MONGO_SHIELDY_PASSWORD_FILE})
+fi
+
+if [ "$MONGO_SHIELDY_USERNAME" ] && [ "$MONGO_SHIELDY_PASSWORD" ]; then
+  "${mongo[@]}" -u "$MONGO_INITDB_ROOT_USERNAME" -p "$MONGO_INITDB_ROOT_PASSWORD" --authenticationDatabase "$rootAuthDatabase" "$MONGO_INITDB_DATABASE" <<-EOJS
+    db.createUser({ 
+      user: $(_js_escape "$MONGO_SHIELDY_USERNAME"), 
+      pwd: $(_js_escape "$MONGO_SHIELDY_PASSWORD"), 
+      roles: [{ role: "readWrite", db: $(_js_escape "$MONGO_INITDB_DATABASE")}]
+    });
+EOJS
+fi
+