Original contribution by @cmotadev in #12940

Geonode Docker, now rootless!!!

Objectives

• Make geonode (django/celery) to run rootless
• Apply some Dockerfile best practices, to reduce image size and number of layers
• Evict to make deeper modifications, like change libraries (except the use of curl and wget - in this case we removed wget and changed to curl)

Summary of modifications

General

• Add minimal Dockerfile labels
• Grouped apt-get commands in one RUN
• All writable files and dirctories were granted to root group (docker engine and kubernetes add container user to root group)
• No file or directories are created in runtime. if the container needs to write files, a directory are created on build time and receive chmod g=u, if the container need to create files in a system directory, the file are touched and chmoded in build time
• preserved legacy operations like sourcing .bashrc and .override_env from $HOME dir. In case of .bashrc, the entrypoint script checks if the running user has entry on /etc/passwd. if not, copy a .bashrc template from skel dir.
• created a function to parse bool entries

Specific

• Add Environment variable to set container user ID: GEONODE_USER (default 0 - root)
• Point django, celery and invoke logs to /var/log/geonode
• Tag all images on docekr-compose-dev.yml as "dev"
• Sanitize ENV and ARGs
• Removed "service cron restart" -> We can schedule tasks on genode using external cron (calling docker or docker-machine) or use a CronJob on kubernetes based systems (rancher, openshift, minikube...)

Next steps:

• Make similar modifications proposed by this PR and apply to geonode-project repo
• Apply docker best practices to geonode base image (further work)

Post Scriptum

(PS1) Geonode Volumes: If run geonode as uid 0 (root), then stop, change to unprivileged user, and start, geonode will crash due permission issues. There is two things to do: 1) Remove all volumes before change UID and start or 2) mount all volumes in a dummy container and grant write privileges to root group.

(PS2) Setting GEONODE_UID=0, geonode will run as root, like all other versions.

Documentation on rootless best practices

• https://developers.redhat.com/articles/2021/11/11/best-practices-building-images-pass-red-hat-container-certification#best_practice__3__set_group_ownership_and_file_permissions
• https://sysdig.com/learn-cloud-native/dockerfile-best-practices/

Checklist

Reviewing is a process done by project maintainers, mostly on a volunteer basis. We try to keep the overhead as small as possible and appreciate if you help us to do so by completing the following items. Feel free to ask in a comment if you have troubles with any of them.

For all pull requests:

• Confirm you have read the contribution guidelines
• You have sent a Contribution Licence Agreement (CLA) as necessary (not required for small changes, e.g., fixing typos in the documentation)
• Make sure the first PR targets the master branch, eventual backports will be managed later. This can be ignored if the PR is fixing an issue that only happens in a specific branch, but not in newer ones.

The following are required only for core and extension modules (they are welcomed, but not required, for contrib modules):

• There is a ticket in https://github.com/GeoNode/geonode/issues describing the issue/improvement/feature (a notable exemption is, changes not visible to end-users)
• The issue connected to the PR must have Labels and Milestone assigned
• PR for bug fixes and small new features are presented as a single commit
• Commit message must be in the form "[Fixes #<issue_number>] Title of the Issue"
• PR title must be in the form "[Fixes #<issue_number>] Title of the PR"
• New unit tests have been added covering the changes, unless there is an explanation on why the tests are not necessary/implemented
• This PR passes all existing unit tests (test results will be reported by travis-ci after opening this PR)
• This PR passes the QA checks: black geonode && flake8 geonode
• Commits changing the settings, UI, existing user workflows, or adding new functionality, need to include documentation updates
• Commits adding new texts do use gettext and have updated .po / .mo files (without location infos)

Submitting the PR does not require you to check all items, but by the time it gets merged, they should be either satisfied or inapplicable.