Migrate CKAN DataPusher to s6 and add selfsigned cert injection

2018-09-03 15:58:41 +02:00 · 2018-09-03 15:58:41 +02:00 · d47891b19c
commit d47891b19c
parent bc1994c31b
5 changed files with 17 additions and 2 deletions
--- a/ckan-datapusher/Dockerfile
+++ b/ckan-datapusher/Dockerfile
@ -25,8 +25,9 @@ RUN \
 && find /srv/ckan-datapusher/src -name '.git*' -exec rm -rf {} + \
 && rm -rf /root/.cache

+COPY docker/ /
+
 VOLUME ["/etc/ckan-datapusher", "/srv/ckan-datapusher/data"]
 EXPOSE 8080

-USER ckandp
-CMD ["uwsgi", "--plugin", "python", "--http-socket", "0.0.0.0:8080", "--wsgi-file", "/etc/ckan-datapusher/datapusher.wsgi", "--enable-threads"]
+CMD ["s6-svscan", "/etc/services.d"]
--- a/ckan-datapusher/docker/bin/add-ca-cert
+++ b/ckan-datapusher/docker/bin/add-ca-cert
@ -0,0 +1,4 @@
+#!/bin/sh
+
+/bin/cat /etc/ssl/services.pem >>/usr/lib/python2.7/site-packages/requests/cacert.pem
+/bin/cat /etc/ssl/services.pem >>/usr/lib/python2.7/site-packages/certifi/cacert.pem
--- a/ckan-datapusher/docker/etc/services.d/.s6-svscan/finish
+++ b/ckan-datapusher/docker/etc/services.d/.s6-svscan/finish
@ -0,0 +1,3 @@
+#!/bin/sh
+
+/bin/true
--- a/ckan-datapusher/docker/etc/services.d/ckan-datapusher/run
+++ b/ckan-datapusher/docker/etc/services.d/ckan-datapusher/run
@ -0,0 +1,6 @@
+#!/bin/execlineb -P
+
+fdmove -c 2 1
+foreground { /bin/add-ca-cert }
+s6-setuidgid 8004:8004
+/usr/sbin/uwsgi --plugin python --http-socket 0.0.0.0:8080 --wsgi-file /etc/ckan-datapusher/datapusher.wsgi --enable-threads
--- a/ckan-datapusher/etc/init.d/ckan-datapusher
+++ b/ckan-datapusher/etc/init.d/ckan-datapusher
@ -10,6 +10,7 @@ start() {
 	/usr/bin/docker run -d --rm \
 	--name ckan-datapusher \
 	-h ckan-datapusher \
+	-v /etc/ssl/services.pem:/etc/ssl/services.pem \
 	-v /srv/ckan-datapusher/conf:/etc/ckan-datapusher \
 	-v /srv/ckan-datapusher/data:/srv/ckan-datapusher/data \
 	ckan-datapusher