From dbd36b0f9cf6bcb156844d80e545679da38eed0c Mon Sep 17 00:00:00 2001 From: M Clark Date: Wed, 6 Jan 2016 07:46:03 +0800 Subject: [PATCH 1/8] Updated readme --- README.md | 49 ++++++++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 48 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 5e5e489..729b21b 100644 --- a/README.md +++ b/README.md 
@@ -1,6 +1,53 @@ docker-devpi ============ -Dockerfile for devpi pypi server +This repository contains a Dockerfile for devpi pypi server http://doc.devpi.net/latest/ + +Installation + +`docker pull muccg/docker-devpi` + +Quickstart + +Start using + +``` +docker run -d --name devpi \ + --publish 3141:3141 \ + --volume /srv/docker/devpi:/data \ + --env=DEVPI_PASSWORD=changemetoyoulongsecret \ + --restart always \ + muccg/docker-devpi +``` +Devpi creates a user named root by default, its password can be set with DEVPI_PASSWORD environment variable. Please set it, otherwise attacker can *execute arbitrary code* in your application by uploading modified packages. + +Persistence + +For devpi to preserve its state across container shutdown and startup you should mount a volume at `/data`. The quickstart command already includes this. + +Security + +Devpi creates a user named root by default, its password can be set with DEVPI_PASSWORD environment variable. Please set it, otherwise attacker can *execute arbitrary code* in your application by uploading modified packages. + +Usage + +To use this devpi cache to speed up your dockerfile builds, add pip as an optional cache: + +```Dockerfile +# configure apt to not install reccomendations +RUN apt-get update \ + && apt-get install -y netcat \ + && rm -rf /var/lib/apt/lists/* + + # Use an optional pip cache to speed development +RUN export HOST_IP=$(ip route| awk '/^default/ {print $3}') \ + && mkdir -p ~/.pip \ + && echo [global] >> ~/.pip/pip.conf \ + && echo extra-index-url = http://$HOST_IP:3141/app/dev/+simple >> ~/.pip/pip.conf \ + && echo [install] >> ~/.pip/pip.conf \ + && echo trusted-host = $HOST_IP >> ~/.pip/pip.conf \ + && cat ~/.pip/pip.conf +``` + From 3d090ac143625cab8f1d1c6a017b5a3aa80957fd Mon Sep 17 00:00:00 2001 
From: M Clark Date: Wed, 6 Jan 2016 13:21:52 +0800 Subject: [PATCH 2/8] Update README.md --- README.md | 45 ++++++++++++++++++++++++++++++--------------- 1 file changed, 30 insertions(+), 15 deletions(-) diff --git a/README.md b/README.md index 729b21b..e297976 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,17 @@ docker-devpi ============ -This repository contains a Dockerfile for devpi pypi server +This repository contains a Dockerfile for [devpi pypi server](http://doc.devpi.net/latest/). -http://doc.devpi.net/latest/ - -Installation +# Installation `docker pull muccg/docker-devpi` -Quickstart +# Quickstart Start using -``` +```bash docker run -d --name devpi \ --publish 3141:3141 \ --volume /srv/docker/devpi:/data \ 
@@ -21,22 +19,18 @@ docker run -d --name devpi \ --restart always \ muccg/docker-devpi ``` -Devpi creates a user named root by default, its password can be set with DEVPI_PASSWORD environment variable. Please set it, otherwise attacker can *execute arbitrary code* in your application by uploading modified packages. +Please set DEVPI_PASSWORD to a secret otherwise an attacker can *execute arbitrary code* in your application by uploading modified packages. -Persistence +# Persistence For devpi to preserve its state across container shutdown and startup you should mount a volume at `/data`. The quickstart command already includes this. -Security +# Client side usage -Devpi creates a user named root by default, its password can be set with DEVPI_PASSWORD environment variable. Please set it, otherwise attacker can *execute arbitrary code* in your application by uploading modified packages. - -Usage - -To use this devpi cache to speed up your dockerfile builds, add pip as an optional cache: +To use this devpi cache to speed up your dockerfile builds, add use this snippit in your dockerfiles. This will add the devpi container an optional cache for pip: ```Dockerfile -# configure apt to not install reccomendations +# Install netcat for ip route RUN apt-get update \ && apt-get install -y netcat \ && rm -rf /var/lib/apt/lists/* 
@@ -51,3 +45,24 @@ RUN export HOST_IP=$(ip route| awk '/^default/ {print $3}') \ && cat ~/.pip/pip.conf ``` +# Uploading files + +```bash +pip wheel --download=packages --wheel-dir=wheelhouse -r requirements.txt +pip install "devpi-client>=2.3.0" \ +&& export HOST_IP=$(ip route| awk '/^default/ {print $3}') \ +&& if devpi use http://$HOST_IP:3141>/dev/null; then \ + devpi use http://$HOST_IP:3141/${DEVPI_USER:-app}/${DEVPI_INDEX:-dev} --set-cfg \ + && devpi login ${DEVPI_USER:-app} --password=$DEVPI_PASSWORD \ + && devpi upload --from-dir --formats=* ./wheelhouse ./packages; \ +else \ + echo No started devpi container found at http://$HOST_IP:3141; \ +fi +``` + +# Security + +Devpi creates a user named root by default, its password can be set with DEVPI_PASSWORD environment variable. Please set it, otherwise attacker can *execute arbitrary code* in your application by uploading modified packages. + +For additonal security the argument `--restrict-modify root` has been added so only the root may create users and indexes. + From 4cdf675af8403502881c701b4c7a81e983f921b3 Mon Sep 17 00:00:00 2001 From: M Clark Date: Wed, 6 Jan 2016 13:24:21 +0800 Subject: [PATCH 3/8] Update docker-entrypoint.sh --- docker-entrypoint.sh | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 6344e4a..10bc28f 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh 
@@ -12,12 +12,19 @@ function defaults { function initialise_devpi { echo "[RUN]: Initialise devpi-server" - devpi-server --start --host 127.0.0.1 --port 3141 + devpi-server --restrict-modify root --start --host 127.0.0.1 --port 3141 devpi-server --status devpi use http://localhost:3141 - devpi login root --password='' - devpi user -m root password="${DEVPI_PASSWORD}" - devpi index -y -c public pypi_whitelist='*' + + # Check the root password has been changed + if devpi login root --password='' > /dev/null; then + devpi login root --password='' + devpi user -m root password="${DEVPI_PASSWORD}" + devpi index -y -c public pypi_whitelist='*' + else + echo root password already changed + fi + devpi-server --stop devpi-server --status } @@ -30,7 +37,7 @@ if [ "$1" = 'devpi' ]; then fi echo "[RUN]: Launching devpi-server" - devpi-server --host 0.0.0.0 --port 3141 2>&1 | tee /data/server/devpi.log + devpi-server --restrict-modify root --host 0.0.0.0 --port 3141 2>&1 | tee /data/server/devpi.log exit $? fi From 4d44168e58d09864b1e6903a454b79613953a296 Mon Sep 17 00:00:00 2001 From: M Clark Date: Wed, 6 Jan 2016 13:28:49 +0800 Subject: [PATCH 4/8] updated devpi version updated devpi version and added default --- Dockerfile | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/Dockerfile b/Dockerfile index 787df90..c737518 100644 --- a/Dockerfile +++ b/Dockerfile @@ -9,8 +9,8 @@ ARG PIP_TRUSTED_HOST=127.0.0.1 ENV DEVPI_VERSION $DEVPI_VERSION RUN NO_PROXY=$PIP_TRUSTED_HOST pip --trusted-host $PIP_TRUSTED_HOST install -i $PIP_INDEX_URL --upgrade \ - "devpi-client>=2.3.0,<2.4" \ - "devpi-server==$DEVPI_VERSION" + "devpi-client>=2.3" "requests>=2.9.0" \ + "devpi-server==$DEVPI_VERSION" + "devpi-server==${DEVPI_VERSION:-2.5.3}" EXPOSE 3141 VOLUME /data From 5d1214a9fa0913a551cb3d981ab9f5128c823f54 Mon Sep 17 00:00:00 2001 
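Review bot: The `else` branch of the new check in initialise_devpi prints "root password already changed" for every failed `devpi login root --password=''`, so a server that has not finished starting, or a failed `devpi use`, looks the same as an already-initialised data directory. The second `devpi login root --password=''` inside the `then` branch looks redundant, since the probe has presumably already established the session. Nothing in the hunk rejects an empty `DEVPI_PASSWORD` either: unless `defaults` (whose body is outside the hunk) fills it in, `devpi user -m root password="${DEVPI_PASSWORD}"` leaves root with a blank password. A guard such as `: "${DEVPI_PASSWORD:?DEVPI_PASSWORD must be set}"` before the `if` would stop that.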
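Review bot: The changed launch line pipes devpi-server into `tee`, so the `exit $?` that follows reports tee's status rather than the server's, unless `pipefail` is enabled earlier in the script, which the hunk does not show. A crash of devpi-server would then end the container with status 0 and hide the failure from whatever supervises it. Consider `exit "${PIPESTATUS[0]}"` in place of `exit $?`, or `set -o pipefail` near the top of the script. The enclosing `if [ "$1" = 'devpi' ]` block starts before the hunk.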
From: Is Isilon Date: Wed, 6 Jan 2016 16:07:49 +0800 Subject: [PATCH 5/8] Spelling and bugfixes --- Dockerfile | 2 +- README.md | 33 ++++++++++++++++++++------------- docker-entrypoint.sh | 6 ++++-- 3 files changed, 25 insertions(+), 16 deletions(-) diff --git a/Dockerfile b/Dockerfile index c737518..0f4dfcb 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ ENV DEVPI_VERSION $DEVPI_VERSION RUN NO_PROXY=$PIP_TRUSTED_HOST pip --trusted-host $PIP_TRUSTED_HOST install -i $PIP_INDEX_URL --upgrade \ "devpi-client>=2.3" "requests>=2.9.0" \ - "devpi-server==$DEVPI_VERSION" + "devpi-server==${DEVPI_VERSION:-2.5.3}" + "devpi-server==${DEVPI_VERSION:-2.5.3}" EXPOSE 3141 VOLUME /data diff --git a/README.md b/README.md index e297976..e1c1e33 100644 --- a/README.md +++ b/README.md @@ -3,13 +3,17 @@ docker-devpi This repository contains a Dockerfile for [devpi pypi server](http://doc.devpi.net/latest/). -# Installation +You can use this container to speed up the `pip install` parts of your docker builds. This is done by adding an optional cache of your requirement python packages and speed up docker. The outcome is faster development without breaking builds. + +# Getting started + +## Installation `docker pull muccg/docker-devpi` -# Quickstart +## Quickstart -Start using +Start using ```bash docker run -d --name devpi \ 
@@ -21,20 +25,18 @@ docker run -d --name devpi \ ``` Please set DEVPI_PASSWORD to a secret otherwise an attacker can *execute arbitrary code* in your application by uploading modified packages. -# Persistence - -For devpi to preserve its state across container shutdown and startup you should mount a volume at `/data`. The quickstart command already includes this. +*Alternatively, you can use the sample [docker-compose.yml](docker-compose.yml) file to start the container using [Docker Compose](https://docs.docker.com/compose/)* -# Client side usage +## Client side usage -To use this devpi cache to speed up your dockerfile builds, add use this snippit in your dockerfiles. This will add the devpi container an optional cache for pip: +To use this devpi cache to speed up your dockerfile builds, add use the code below in your dockerfiles. This will add the devpi container an optional cache for pip. The docker containers will try using port 3141 on the docker host first and fall back on the normal pypi servers without breaking the build. ```Dockerfile # Install netcat for ip route RUN apt-get update \ && apt-get install -y netcat \ && rm -rf /var/lib/apt/lists/* - + # Use an optional pip cache to speed development RUN export HOST_IP=$(ip route| awk '/^default/ {print $3}') \ && mkdir -p ~/.pip \ @@ -45,7 +47,9 @@ RUN export HOST_IP=$(ip route| awk '/^default/ {print $3}') \ && cat ~/.pip/pip.conf ``` -# Uploading files +## Uploading python packages files + +You need to upload your python requirement to get any benefit from the devpi container. You can upload them using the bash code below a similar build environment. ```bash pip wheel --download=packages --wheel-dir=wheelhouse -r requirements.txt 
@@ -60,9 +64,12 @@ else \ fi ``` -# Security +# Persistence -Devpi creates a user named root by default, its password can be set with DEVPI_PASSWORD environment variable. Please set it, otherwise attacker can *execute arbitrary code* in your application by uploading modified packages. +For devpi to preserve its state across container shutdown and startup you should mount a volume at `/data`. The quickstart command already includes this. + +# Security -For additonal security the argument `--restrict-modify root` has been added so only the root may create users and indexes. +Devpi creates a user named root by default, its password should be set with DEVPI_PASSWORD environment variable. Please set it, otherwise attackers can *execute arbitrary code* in your application by uploading modified packages. +For additional security the argument `--restrict-modify root` has been added so only the root may create users and indexes. diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 10bc28f..f4210b3 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -12,10 +12,12 @@ function defaults { function initialise_devpi { echo "[RUN]: Initialise devpi-server" + chown -R ccg-user:ccg-user /data + devpi-server --restrict-modify root --start --host 127.0.0.1 --port 3141 devpi-server --status devpi use http://localhost:3141 - + # Check the root password has been changed if devpi login root --password='' > /dev/null; then devpi login root --password='' @@ -24,7 +26,7 @@ function initialise_devpi { else echo root password already changed fi - + devpi-server --stop devpi-server --status } From 81f80d88d7e1742f72e7c36fe093533c1e3b40b1 Mon Sep 17 00:00:00 2001 From: Is Isilon Date: Wed, 6 Jan 2016 17:58:46 +0800 Subject: [PATCH 6/8] Clean and spelling --- README.md | 11 ++++++----- build.sh | 2 +- docker-compose.yml | 9 +++++++++ docker-entrypoint.sh | 15 +++------------ 4 files changed, 19 insertions(+), 18 deletions(-) create mode 100644 docker-compose.yml 
diff --git a/README.md b/README.md index e1c1e33..78909ed 100644 --- a/README.md +++ b/README.md @@ -19,14 +19,15 @@ Start using docker run -d --name devpi \ --publish 3141:3141 \ --volume /srv/docker/devpi:/data \ - --env=DEVPI_PASSWORD=changemetoyoulongsecret \ + --env=DEVPI_PASSWORD=changemetoyourlongsecret \ --restart always \ muccg/docker-devpi ``` -Please set DEVPI_PASSWORD to a secret otherwise an attacker can *execute arbitrary code* in your application by uploading modified packages. *Alternatively, you can use the sample [docker-compose.yml](docker-compose.yml) file to start the container using [Docker Compose](https://docs.docker.com/compose/)* +Please set DEVPI_PASSWORD to a secret otherwise an attacker can *execute arbitrary code*. + ## Client side usage To use this devpi cache to speed up your dockerfile builds, add use the code below in your dockerfiles. This will add the devpi container an optional cache for pip. The docker containers will try using port 3141 on the docker host first and fall back on the normal pypi servers without breaking the build. @@ -56,11 +57,11 @@ pip wheel --download=packages --wheel-dir=wheelhouse -r requirements.txt pip install "devpi-client>=2.3.0" \ && export HOST_IP=$(ip route| awk '/^default/ {print $3}') \ && if devpi use http://$HOST_IP:3141>/dev/null; then \ - devpi use http://$HOST_IP:3141/${DEVPI_USER:-app}/${DEVPI_INDEX:-dev} --set-cfg \ - && devpi login ${DEVPI_USER:-app} --password=$DEVPI_PASSWORD \ + devpi use http://$HOST_IP:3141/root/public --set-cfg \ + && devpi login root --password=$DEVPI_PASSWORD \ && devpi upload --from-dir --formats=* ./wheelhouse ./packages; \ else \ - echo No started devpi container found at http://$HOST_IP:3141; \ + echo "No started devpi container found at http://$HOST_IP:3141"; \ fi ``` diff --git a/build.sh b/build.sh index 6a0f2ac..7c2a5b1 100755 --- a/build.sh +++ b/build.sh 
@@ -22,7 +22,7 @@ DEVPI_VERSION="2.5.3" image="${REPO}/devpi" echo "################################################################### ${image}" - + ## warm up cache for CI docker pull ${image} || true diff --git a/docker-compose.yml b/docker-compose.yml new file mode 100644 index 0000000..c75f65e --- /dev/null +++ b/docker-compose.yml @@ -0,0 +1,9 @@ +devpi: + image: wassname/docker-devpi + volumes: + - /srv/docker/devpi:/data + ports: + - 3141:3141 + environment: + - DEVPI_PASSWORD= + restart: always diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index f4210b3..6060285 100644 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -12,21 +12,12 @@ function defaults { function initialise_devpi { echo "[RUN]: Initialise devpi-server" - chown -R ccg-user:ccg-user /data - devpi-server --restrict-modify root --start --host 127.0.0.1 --port 3141 devpi-server --status devpi use http://localhost:3141 - - # Check the root password has been changed - if devpi login root --password='' > /dev/null; then - devpi login root --password='' - devpi user -m root password="${DEVPI_PASSWORD}" - devpi index -y -c public pypi_whitelist='*' - else - echo root password already changed - fi - + devpi login root --password='' + devpi user -m root password="${DEVPI_PASSWORD}" + devpi index -y -c public pypi_whitelist='*' devpi-server --stop devpi-server --status } From 9f65c7479caad0101591db36ef8d4f07057399ce Mon Sep 17 00:00:00 2001 From: Is Isilon Date: Wed, 6 Jan 2016 18:06:21 +0800 Subject: [PATCH 7/8] Bring reqs in line with origin --- Dockerfile | 4 ++-- build.sh | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/Dockerfile b/Dockerfile index 0f4dfcb..e43c154 100644 --- a/Dockerfile +++ b/Dockerfile 
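Review bot: The sample ships `- DEVPI_PASSWORD=` with an empty value, and the entrypoint in this series passes that variable straight to `devpi user -m root password="${DEVPI_PASSWORD}"`. Anyone who starts the file unchanged therefore publishes port 3141 with a root account whose password is blank, unless the `defaults` function (not visible here) substitutes one. Writing the entry as `- DEVPI_PASSWORD` (no `=`) makes Compose pass the value through from the invoking shell, which also keeps the secret out of the committed file. A comment above it such as `# required: export DEVPI_PASSWORD before running docker-compose up` would make the requirement explicit. The same empty-password path applies to the docker-entrypoint.sh hunk later in this patch.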
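Review bot: Dropping the `if devpi login root --password=''` check makes initialise_devpi non-idempotent again. On a `/data` volume where root already has a password, the unconditional `devpi login root --password=''` fails, and the following `devpi user -m root ...` and `devpi index -y -c public ...` run without a valid session. Whether that aborts start-up or passes silently depends on `set -e` and on how the caller decides to invoke this function, both outside the hunk. If the caller does not already gate on an initialised data directory, keep the guard and make sure `devpi-server --stop` still runs on both paths. If it does, a comment such as `# only called on an empty /data; root still has the blank default password here` would record why the check is unnecessary.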
@@ -9,8 +9,8 @@ ARG PIP_TRUSTED_HOST=127.0.0.1 ENV DEVPI_VERSION $DEVPI_VERSION RUN NO_PROXY=$PIP_TRUSTED_HOST pip --trusted-host $PIP_TRUSTED_HOST install -i $PIP_INDEX_URL --upgrade \ - "devpi-client>=2.3" "requests>=2.9.0" \ - "devpi-server==${DEVPI_VERSION:-2.5.3}" + "devpi-client>=2.3.0,<2.4" \ + "devpi-server==$DEVPI_VERSION" EXPOSE 3141 VOLUME /data diff --git a/build.sh b/build.sh index 7c2a5b1..c242cec 100755 --- a/build.sh +++ b/build.sh @@ -22,7 +22,6 @@ DEVPI_VERSION="2.5.3" image="${REPO}/devpi" echo "################################################################### ${image}" - ## warm up cache for CI docker pull ${image} || true From 949772a16ab387333ee931d180a3e35abe36ad46 Mon Sep 17 00:00:00 2001 From: Is Isilon Date: Wed, 6 Jan 2016 18:14:25 +0800 Subject: [PATCH 8/8] Changed to muccg --- docker-compose.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docker-compose.yml b/docker-compose.yml index c75f65e..bcde2c2 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -1,5 +1,5 @@ devpi: - image: wassname/docker-devpi + image: muccg/docker-devpi volumes: - /srv/docker/devpi:/data ports: