forked from department-of-veterans-affairs/vets-api
Dockerfile
# Base images are parameterised so a build can point at a different registry or tag.
# Both defaults resolve to an ECR registry and are pinned by tag only. A tag can be
# re-pointed at different content, so pinning by digest (name:tag@sha256:<digest>)
# would make the build reproducible and make a swapped image detectable.
ARG IMAGEMAGICK_IMAGE=008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/dpokidov/imagemagick:7.1.1-47-bookworm
ARG RUBY_IMAGE=008577686731.dkr.ecr.us-gov-west-1.amazonaws.com/ruby:3.3.6-slim-bookworm
# Shared Ruby base: every later `FROM rubyimg` starts from this image.
FROM ${RUBY_IMAGE} AS rubyimg
# Stage "modules": reduce modules/ to the files Bundler needs to resolve the
# in-repo gems (each module's Gemfile, *.gemspec and lib/*/version.rb). The final
# stage copies this trimmed tree before `bundle install`, so edits to module
# source code do not change the input of that layer.
FROM rubyimg AS modules
WORKDIR /tmp
COPY modules/ modules/
# Drop every file that is not a dependency manifest, then prune the directories
# that were left empty.
RUN find modules -type f \
        ! \( -name Gemfile -o -name "*.gemspec" -o -path "*/lib/*/version.rb" \) \
        -delete \
    && find modules -type d -empty -delete
# ImageMagick 7 is not available on Bookworm
# This can be replaced with the imagemagick-7 package if using Trixie
# NOTE(review): the magick binary and /usr/local/lib from this image are copied into
# the final image below, so its provenance matters as much as the Ruby base image's.
FROM ${IMAGEMAGICK_IMAGE} AS imagemagick
# Final stage: the runtime image.
FROM rubyimg
# Allow for setting ENV vars via --build-arg
# NOTE(security): BUNDLE_ENTERPRISE__CONTRIBSYS__COM follows Bundler's BUNDLE_<HOST>
# naming for gem-source credentials (host enterprise.contribsys.com). Build-arg
# values are recorded in the image history, and the ENV below additionally stores
# the value in the image config and in the environment of every container started
# from this image. A BuildKit secret mount (RUN --mount=type=secret) on the
# `bundle install` step would keep it out of the image — TODO confirm nothing
# reads this variable at runtime before removing it from ENV.
ARG BUNDLE_ENTERPRISE__CONTRIBSYS__COM \
RAILS_ENV=development \
USER_ID=1000
ENV RAILS_ENV=$RAILS_ENV \
BUNDLE_ENTERPRISE__CONTRIBSYS__COM=$BUNDLE_ENTERPRISE__CONTRIBSYS__COM \
BUNDLER_VERSION=2.5.23
# Create the unprivileged runtime account "nonroot". Its UID and GID both come from
# USER_ID (default 1000) and its home directory is /app.
RUN groupadd --gid $USER_ID nonroot \
&& useradd --uid $USER_ID --gid nonroot --shell /bin/bash --create-home nonroot --home-dir /app
WORKDIR /app
# OS packages, one per line and sorted so that additions show up clearly in review.
# The index refresh, the install and the cleanup share one layer, so the apt caches
# and temp files removed at the end never reach the image.
# NOTE(review): build-essential, git, curl and wget remain in the runtime image, and
# recommended packages are installed as well. Moving compilation to a separate build
# stage would reduce what is available inside a running container.
RUN apt-get update --fix-missing \
    && apt-get install -y \
        build-essential \
        ca-certificates \
        ca-certificates-java \
        curl \
        file \
        ghostscript \
        git \
        libbrotli1 \
        libde265-0 \
        libffi-dev \
        libfontconfig1 \
        libfreetype6 \
        libgif7 \
        libgomp1 \
        libjpeg62-turbo \
        liblcms2-2 \
        libomp5 \
        libpng16-16 \
        libpq-dev \
        libtiff6 \
        libx265-199 \
        libxext6 \
        libyaml-dev \
        openssl \
        pdftk \
        poppler-utils \
        tesseract-ocr \
        unzip \
        wget \
    && apt-get clean \
    && rm -rf \
        /var/cache/apt/archives/* \
        /var/lib/apt/lists/* \
        /tmp/* \
        /var/tmp/*
# Bring ImageMagick 7 over from the "imagemagick" stage: the magick binary, its
# configuration and data directories, and everything under /usr/local/lib.
# The lib copy merges into the directory that already exists in this image; a file
# at the same path is overwritten by the one from the imagemagick stage.
COPY --from=imagemagick /usr/local/bin/magick /usr/local/bin/magick
COPY --from=imagemagick /usr/local/lib/ /usr/local/lib/
COPY --from=imagemagick /usr/local/etc/ImageMagick-7/ /usr/local/etc/ImageMagick-7/
COPY --from=imagemagick /usr/local/share/ImageMagick-7/ /usr/local/share/ImageMagick-7/
# Expose the convert/identify/mogrify command names as symlinks to magick, then
# refresh the dynamic-linker cache so the copied libraries are found.
# `set -e` aborts the build on the first failing command.
RUN set -e; \
    for tool in convert identify mogrify; do \
        ln -s /usr/local/bin/magick "/usr/local/bin/${tool}"; \
    done; \
    ldconfig
# Relax ImageMagick PDF security. See https://stackoverflow.com/a/59193253.
# NOTE(security): this deletes the policy line that denies the PDF coder, so
# ImageMagick accepts PDF input again and hands it to its Ghostscript delegate
# (ghostscript is installed above). If PDFs can come from untrusted uploads, keep
# Ghostscript patched and make sure the remaining policy still bounds resources.
# The match is on the literal attribute text: if policy.xml words the rule
# differently, sed changes nothing and still exits 0, so check the policy in the
# built image rather than assuming this step took effect.
RUN sed -i '/rights="none" pattern="PDF"/d' /usr/local/etc/ImageMagick-7/policy.xml
# Install fwdproxy.crt into trust store
# NOTE(security): every *.crt under config/ca-trust/ becomes a system-wide trusted
# root once update-ca-certificates runs, so changes to that directory deserve the
# same review as code changes.
COPY config/ca-trust/*.crt /usr/local/share/ca-certificates/
# Update CA certificates before downloading VA certs
RUN update-ca-certificates
# Download VA Certs
# NOTE(review): import-va-certs.sh is not shown here and runs as root at build time.
# Presumably it fetches certificates over the network and adds them to the trust
# store — confirm it authenticates what it downloads (TLS verification and/or
# pinned checksums), because whatever it installs is trusted by the application.
COPY ./import-va-certs.sh .
RUN ./import-va-certs.sh
# ClamAV daemon configuration (contents not shown here).
COPY config/clamd.conf /etc/clamav/clamd.conf
# Create /clamav_tmp, owned by the runtime user; presumably the directory where
# files are staged for ClamAV scanning — TODO confirm.
# NOTE(security): mode 777 is world-writable with no sticky bit, so any UID that can
# reach this directory can replace or delete files another user wrote there. If the
# wide mode exists only so a scanner under a different UID can read the files, a
# shared group with 770, or 1777, would be narrower — verify against the deployment.
RUN mkdir -p /clamav_tmp && \
chown -R nonroot:nonroot /clamav_tmp && \
chmod 777 /clamav_tmp
# Locale and Bundler settings that persist into the running container:
# BUNDLE_JOBS sets the number of parallel install jobs, BUNDLE_RETRY the number of
# retries for failed network requests, BUNDLE_PATH the install location.
ENV LANG=C.UTF-8 \
    BUNDLE_JOBS=4 \
    BUNDLE_PATH=/usr/local/bundle/cache \
    BUNDLE_RETRY=3
# Install the Bundler release named by BUNDLER_VERSION, without its documentation.
RUN gem install bundler:${BUNDLER_VERSION} --no-document
# Copy only the module manifests (from the "modules" stage) and the top-level
# Gemfile and lockfile, so the install layer below depends on dependency
# declarations rather than on application source.
COPY --from=modules /tmp/modules modules/
COPY Gemfile Gemfile.lock ./
# Install the gems, then trim in the same layer: cached .gem archives, C sources,
# object files and nested .git directories are deleted.
# NOTE(review): BUNDLE_PATH is /usr/local/bundle/cache, while the find commands and
# the Nokogiri permission fix look under /usr/local/bundle/gems/ — confirm that is
# where Bundler actually installs the gems; otherwise these steps do nothing.
# NOTE(security): this is the step that reads the gem-source credential, which makes
# it the natural place for a BuildKit secret mount instead of a build arg.
RUN bundle install \
&& rm -rf /usr/local/bundle/cache/*.gem \
&& find /usr/local/bundle/gems/ -name "*.c" -delete \
&& find /usr/local/bundle/gems/ -name "*.o" -delete \
&& find /usr/local/bundle/gems/ -name ".git" -type d -prune -execdir rm -rf {} + \
# 🔧 fix bad permissions from Nokogiri 1.18.7 (only if installed)
&& for d in /usr/local/bundle/gems/nokogiri-*; do \
if [ -d "$d" ]; then \
find "$d" -type f -exec chmod a+r {} \; && \
find "$d" -type d -exec chmod a+rx {} \; ; \
fi \
done
# Copy the application into /app. The whole build context is copied, so
# .dockerignore is what keeps local secrets (.env files, keys) and .git out of the
# image — TODO confirm it covers them. Files are owned by nonroot, which means the
# server process can modify its own code at runtime.
COPY --chown=nonroot:nonroot . .
# Make the ImageMagick script executable
RUN chmod +x bin/merge_imagemagick_policy
# Execute the merge policy script for ImageMagick
# NOTE(review): the script is not shown here and runs as root at build time.
# Presumably it merges project restrictions into ImageMagick's policy.xml — check
# the resulting policy in the built image, since the PDF rule was removed earlier.
RUN ruby -rbundler/setup bin/merge_imagemagick_policy
# Documents the listening port; it does not publish it.
EXPOSE 3000
# Drop privileges: the container's process runs as the unprivileged nonroot user.
USER nonroot
# Exec form (no shell wrapper), so the process receives stop signals directly.
# The server binds all interfaces inside the container.
CMD ["bundle", "exec", "rails", "server", "-b", "0.0.0.0"]