explore: non-root user for docker

.github/workflows/startup-tests.yml

@@ -133,8 +133,6 @@ jobs:
         run: pnpm exec playwright install
       - name: Build the Docker app
         run: |
-          rm -rf db
-          mkdir db
           docker compose -f docker-compose-build.yml up -d
       - name: Create backend environment variables file
         working-directory: ${{ env.backend-directory }}
@@ -143,7 +141,10 @@ jobs:
           export $(grep -v '^#' .env | xargs)
       - name: Config the Docker app
         run: |
-          sleep 120 # give the migrations time to finish (included in the up on the previous step)
+          until docker compose -f docker-compose-build.yml exec -T backend curl -f http://localhost:8000/api/build >/dev/null 2>&1; do
+            echo "Backend is not ready - waiting 10s..."
+            sleep 10
+          done
           docker compose -f docker-compose-build.yml exec backend /bin/bash -c "[email protected] DJANGO_SUPERUSER_PASSWORD=1234 poetry run python manage.py createsuperuser --noinput && exit 0"
       - name: Run tests
         working-directory: ${{ env.frontend-directory }}
@@ -270,15 +271,19 @@ jobs:
         working-directory: ${{ env.enterprise-frontend-build-directory }}
         run: pnpm exec playwright install
       - name: Build the Docker app
-        run: docker compose -f enterprise/docker-compose-build.yml up -d
+        run: |
+          docker compose -f enterprise/docker-compose-build.yml up -d
       - name: Create backend environment variables file
         working-directory: ${{ env.backend-directory }}
         run: |
           touch .env
           export $(grep -v '^#' .env | xargs)
       - name: Config the Docker app
         run: |
-          sleep 120 # give the migrations time to finish (included in the up on the previous step)
+          until docker compose -f enterprise/docker-compose-build.yml exec -T backend curl -f http://localhost:8000/api/build >/dev/null 2>&1; do
+            echo "Backend is not ready - waiting 10s..."
+            sleep 10
+          done
           docker compose -f enterprise/docker-compose-build.yml exec backend /bin/bash -c "[email protected] DJANGO_SUPERUSER_PASSWORD=1234 poetry run python manage.py createsuperuser --noinput --settings=${{ env.enterprise-backend-settings-module }} && exit 0"
       - name: Run tests
         working-directory: ${{ env.frontend-directory }}

README.md

@@ -271,7 +271,8 @@ You can then reach CISO Assistant using your web browser at [https://localhost:8
 For the following executions, use "docker compose up" directly.
 
 > [!TIP]
-> If you want a fresh install, simply delete the `db` directory, (default: backend/db) where the database is stored.
+> If you want a fresh install, simply delete the `db` volume, where the database is stored. Use `docker volume ls` to find the volume, and `docker volume rm` to delete it.
+
 
 ## Docker-compose on remote
 
@@ -505,6 +506,20 @@ Set DJANGO_DEBUG=False for security reason.
 > [!NOTE]
 > Caddy needs to receive a SNI header. Therefore, for your public URL (the one declared in CISO_ASSISTANT_URL), you need to use a FQDN, not an IP address, as the SNI is not transmitted by a browser if the host is an IP address. Another tricky issue!
 
+## Migrating `docker-compose` from Bind Mount to Named Volumes
+
+To simplify Docker usage, we have migrated from **bind mounts** to **named volumes** in our setup.
+
+### **🔹 How to Migrate Your Data**
+Run the following script with the path to your existing data directory:
+```sh
+config/docker-migrate-dir-to-volume.sh <path_to_your_data_directory>
+```
+
+This will create:
+- ciso-assistant-community_db → Used by the backend and Huey.
+- ciso-assistant-community_caddy_data (only if caddy/ exists) → Used by Caddy.
+
 ## Supported languages 🌐
 
 - FR: French

backend/Dockerfile

@@ -5,7 +5,8 @@ ENV PYTHONUNBUFFERED=1 \
     POETRY_NO_INTERACTION=1 \
     POETRY_VIRTUALENVS_IN_PROJECT=1 \
     POETRY_VIRTUALENVS_CREATE=1 \
-    POETRY_CACHE_DIR=/tmp/poetry_cache
+    POETRY_CACHE_DIR=/tmp/poetry_cache \
+    HOME=/tmp/
 
 WORKDIR /code
 
@@ -47,6 +48,9 @@ RUN poetry install --no-root \
 
 #watch out for local files during dev and maintenance of .dockerignore
 COPY . .
+RUN groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app && mkdir -p /code/db && chown 1001:1001 /code/db
+USER app
+VOLUME /code/db
 
 EXPOSE 8000
 ENTRYPOINT ["poetry", "run", "bash", "startup.sh"]

config/docker-migrate-dir-to-volume.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+# Simple script to migrate a local dir ("db") to Docker named volumes:
+#   - <prefix>db for the backend and huey
+#   - <prefix>caddy_data for Caddy (ONLY IF "caddy" exists)
+# Default prefix: "ciso-assistant-community_"
+# Usage: docker-migrate-dir-to-volume.sh <path_to_db_dir> [optional_prefix]
+
+# Check if at least one argument (directory path) is provided
+if [ -z "$1" ]; then
+    echo "Usage: $0 <path_to_db_dir> [optional_prefix]"
+    exit 1
+fi
+
+# Resolve full path to avoid issues with relative paths
+DB_DIR="$(realpath "$1")"
+
+# Check if the directory exists
+if [ ! -d "$DB_DIR" ]; then
+    echo "❌ Error: Directory '$DB_DIR' does not exist."
+    exit 1
+fi
+
+# Set volume prefix (default: "ciso-assistant-community_")
+VOLUME_PREFIX="${2:-ciso-assistant-community_}"
+
+# Define main volume
+DB_VOLUME="${VOLUME_PREFIX}db"
+
+echo "📦 Creating Docker volume for the database..."
+docker volume create "$DB_VOLUME"
+
+echo "📂 Copying contents of '$DB_DIR' to '$DB_VOLUME' volume..."
+docker run --rm -v "$DB_VOLUME":/mnt/volume -v "$DB_DIR":/mnt/source ubuntu bash -c "cp -r /mnt/source/. /mnt/volume/ && chown -R 1001:1001 /mnt/volume"
+
+# Check if the "caddy" directory exists before creating the volume
+if [ -d "$DB_DIR/caddy" ]; then
+    CADDY_VOLUME="${VOLUME_PREFIX}caddy_data"
+
+    echo "📦 Creating Docker volume for Caddy..."
+    docker volume create "$CADDY_VOLUME"
+
+    echo "📂 Copying 'caddy' contents to '$CADDY_VOLUME' volume..."
+    docker run --rm -v "$CADDY_VOLUME":/mnt/volume -v "$DB_DIR/caddy":/mnt/source ubuntu bash -c "cp -r /mnt/source/. /mnt/volume/"
+
+    echo "✅ '$CADDY_VOLUME' copied successfully."
+else
+    echo "⚠️ 'caddy' directory not found. Skipping volume creation."
+fi
+
+echo "✅ Migration complete! Volumes are ready to use."

docker-compose-build.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-DOCKER_COMPOSE_FILE=docker-compose-build.yml
+DOCKER_COMPOSE_FILE="${1:-docker-compose-build.yml}"
 
 prepare_meta_file() {
   VERSION=$(git describe --tags --always)
@@ -16,28 +16,24 @@ prepare_meta_file() {
 export DOCKER_BUILDKIT=1
 export COMPOSE_DOCKER_CLI_BUILD=1
 
-# Check if database already exists
-if [ -f db/ciso-assistant.sqlite3 ]; then
-  echo "The database seems already created."
-  echo "For successive runs, you can now use 'docker compose up'."
-else
-  prepare_meta_file
+prepare_meta_file
 
-  # Build and start the containers
-  echo "Building containers..."
-  docker compose -f "${DOCKER_COMPOSE_FILE}" build --pull
+# Build and start the containers
+echo "Building containers..."
+docker compose -f "${DOCKER_COMPOSE_FILE}" build --pull
 
-  echo "Starting services..."
-  docker compose -f "${DOCKER_COMPOSE_FILE}" up -d
+echo "Starting services..."
+docker compose -f "${DOCKER_COMPOSE_FILE}" up -d
 
-  # Simple wait for database migrations
-  echo "Giving some time for the database to be ready, please wait ..."
-  sleep 50
+echo "Waiting for CISO Assistant backend to be ready..."
+until docker compose -f "${DOCKER_COMPOSE_FILE}" exec -T backend curl -f http://localhost:8000/api/build >/dev/null 2>&1; do
+  echo "Backend is not ready - waiting 10s..."
+  sleep 10
+done
 
-  echo "Initialize your superuser account..."
-  docker compose exec backend poetry run python manage.py createsuperuser
+echo "Initialize your superuser account..."
+docker compose -f "${DOCKER_COMPOSE_FILE}" exec backend poetry run python manage.py createsuperuser
 
-  echo "🚀 CISO Assistant is ready!"
-  echo "Connect to CISO Assistant on https://localhost:8443"
-  echo "For successive runs, you can now use 'docker compose up'."
-fi
+echo "🚀 CISO Assistant is ready!"
+echo "Connect to CISO Assistant on https://localhost:8443"
+echo "For successive runs, you can now use 'docker compose -f ${DOCKER_COMPOSE_FILE} up -d'."

docker-compose-build.yml

@@ -1,3 +1,6 @@
+volumes:
+  db:
+  caddy_data:
 services:
   backend:
     container_name: backend
@@ -10,7 +13,7 @@ services:
       - CISO_ASSISTANT_URL=https://localhost:8443
       - DJANGO_DEBUG=True
     volumes:
-      - ./db:/code/db
+      - db:/code/db
 
   huey:
     container_name: huey
@@ -25,7 +28,7 @@ services:
       - CISO_ASSISTANT_URL=https://localhost:8443
       - DJANGO_DEBUG=False
     volumes:
-      - ./db:/code/db
+      - db:/code/db
     entrypoint:
       - /bin/sh
       - -c
@@ -55,7 +58,7 @@ services:
     ports:
       - 8443:8443
     volumes:
-      - ./db:/data
+      - caddy_data:/data
     command: |
       sh -c 'echo $$CISO_ASSISTANT_URL "{
       reverse_proxy /api/* backend:8000

docker-compose.sh

@@ -1,12 +1,6 @@
 #! /bin/bash
 set -euo pipefail
 
-DOCKER_COMPOSE_FILE=docker-compose.yml
-if [ -d ./db ]; then
-  echo "The database seems already created. You should launch 'docker compose up -d' instead."
-  echo "For a clean start, you can remove the db folder, and then run 'docker compose rm -fs' and start over"
-  exit 1
-fi
 echo "Starting CISO Assistant services..."
 docker compose pull
 echo "Initializing the database. This can take up to 2 minutes, please wait.."
@@ -24,3 +18,4 @@ docker compose exec backend poetry run python manage.py createsuperuser
 
 echo -e "Initialization complete!"
 echo "You can now access CISO Assistant at https://localhost:8443 (or the host:port you've specified)"
+

docker-compose.yml

@@ -1,3 +1,6 @@
+volumes:
+  db:
+  caddy_data:
 services:
   backend:
     container_name: backend
@@ -11,7 +14,7 @@ services:
       - AUTH_TOKEN_TTL=7200
 
     volumes:
-      - ./db:/code/db
+      - db:/code/db
     healthcheck:
       test: ["CMD-SHELL", "curl -f http://backend:8000/api/build || exit 1"]
       interval: 10s
@@ -34,7 +37,7 @@ services:
       - AUTH_TOKEN_TTL=7200
 
     volumes:
-      - ./db:/code/db
+      - db:/code/db
     entrypoint:
       - /bin/sh
       - -c
@@ -66,7 +69,7 @@ services:
     ports:
       - 8443:8443
     volumes:
-      - ./caddy_data:/data
+      - caddy_data:/data
     command: |
       sh -c 'echo $$CISO_ASSISTANT_URL "{
       reverse_proxy /api/* backend:8000

enterprise/README.md

@@ -4,12 +4,12 @@ New: use the config builder on the `config` folder.
 
 To run CISO Assistant Enterprise locally in a straightforward way, you can use Docker compose.
 
-1. Make sure you are located in the enterprise directory of the repository
+1. Make sure you are located in the top directory of the repository
 
 2. Launch docker-compose script with enterprise docker-compose.yml file:
 
 ```sh
-./docker-compose-build.sh -f enterprise/docker-compose-build.yml
+docker compose-build.sh enterprise/docker-compose-build.yml
 ```
 
 When asked for, enter your email and password for your superuser.

enterprise/backend/Dockerfile

@@ -5,7 +5,8 @@ ENV PYTHONUNBUFFERED=1 \
    POETRY_VIRTUALENVS_IN_PROJECT=1 \
    POETRY_VIRTUALENVS_CREATE=1 \
    POETRY_CACHE_DIR=/tmp/poetry_cache \
-   DJANGO_SETTINGS_MODULE=enterprise_core.settings
+   DJANGO_SETTINGS_MODULE=enterprise_core.settings \
+   HOME=/tmp
 
 WORKDIR /code
 
@@ -53,5 +54,9 @@ COPY backend /code/
 COPY enterprise/backend/enterprise_core /code/enterprise_core
 COPY backend/startup.sh /code/
 
+RUN groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app && mkdir -p /code/db && chown 1001:1001 /code/db
+USER app
+VOLUME /code/db
+
 EXPOSE 8000
 ENTRYPOINT ["poetry", "run", "bash", "startup.sh"]

enterprise/docker-compose-build.yml

@@ -1,3 +1,6 @@
+volumes:
+  db:
+  caddy_data:
 services:
   backend:
     container_name: backend
@@ -13,21 +16,23 @@ services:
       - LICENSE_EXPIRATION=2025-12-21
       - DJANGO_SETTINGS_MODULE=enterprise_core.settings
     volumes:
-      - ./db:/code/db
+      - db:/code/db
 
   huey:
     container_name: huey
     build:
       context: ../
       dockerfile: ./enterprise/backend/Dockerfile
+    depends_on:
+      - backend    
     restart: always
     environment:
       - ALLOWED_HOSTS=backend,localhost
       - DJANGO_DEBUG=True
       - LICENSE_SEATS=5
       - LICENSE_EXPIRATION=2025-12-21
     volumes:
-      - ./db:/code/db
+      - db:/code/db
     entrypoint:
       - /bin/sh
       - -c
@@ -57,7 +62,7 @@ services:
     ports:
       - 8443:8443
     volumes:
-      - ./db:/data
+      - caddy_data:/data
     command: |
       sh -c 'echo $$CISO_ASSISTANT_URL "{
       reverse_proxy /api/* backend:8000

enterprise/frontend/Dockerfile

@@ -24,4 +24,7 @@ COPY frontend/package.json .
 EXPOSE 3000
 ENV NODE_ENV=production
 ENV BODY_SIZE_LIMIT=20000000
+RUN groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app
+USER app
+
 CMD [ "node", "server" ]

frontend/Dockerfile

@@ -21,6 +21,7 @@ COPY package.json .
 EXPOSE 3000
 ENV NODE_ENV=production
 ENV BODY_SIZE_LIMIT=20000000
-
+RUN groupadd --gid 1001 app && useradd --uid 1001 --gid 1001 app
+USER app
 
 CMD [ "node", "server" ]