vh/NetAlertX
1
0
Fork 0
mirror of https://github.com/jokob-sk/NetAlertX.git synced 2025-12-07 09:36:05 -08:00
Code Issues Actions Packages Projects Releases Wiki Activity

Python up and debuggable

Browse Source
This commit is contained in:
Adam Outler
2025-09-26 17:32:58 +00:00
parent b0a6f889aa
commit 178fb54bb4
3 changed files with 61 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

38
.devcontainer/Dockerfile
View File

@@ -1,8 +1,11 @@
# DO NOT MODIFY THIS FILE DIRECTLY. IT IS AUTO-GENERATED BY .devcontainer/scripts/generate-dockerfile.sh
# ---/Dockerfile---
# Builder stage performs venv creation and installs some tools which are not needed in the final image.
# By separating the image, we are able to discard build tools and reduce the final image size.
FROM alpine:3.22 AS builder
ARG INSTALL_DIR=/app
ENV PYTHONUNBUFFERED=1
@@ -19,13 +22,12 @@ ENV PATH="/opt/venv/bin:$PATH"
RUN pip install openwrt-luci-rpc asusrouter asyncio aiohttp graphene flask flask-cors unifi-sm-api tplink-omada-client wakeonlan pycryptodome requests paho-mqtt scapy cron-converter pytz json2table dhcp-leases pyunifi speedtest-cli chardet python-nmap dnspython librouteros yattag zeroconf git+https://github.com/foreign-sub/aiofreepybox.git
# second stage
# second stage is the main runtime stage with just the minimum required to run the application
# The runner is used for both devcontainer, and as a base for the hardened stage.
FROM alpine:3.22 AS runner
RUN addgroup -g 20211 netalertx && \
adduser -u 20211 -G netalertx -D -h /app netalertx && \
addgroup -g 20212 readonly && \
adduser -u 20212 -G readonly -D -h /app readonly
adduser -u 20211 -G netalertx -D -h /app netalertx
ARG INSTALL_DIR=/app
@@ -82,7 +84,7 @@ COPY --from=builder /opt/venv /opt/venv
COPY --from=builder /usr/sbin/usermod /usr/sbin/groupmod /usr/sbin/
# Simple copy of directory structure instead of individual files or complicated directory structure with RUN mkdir
COPY install/alpine-docker/ /
COPY --chown=netalertx:netalertx install/alpine-docker/ /
RUN chmod -R a+x ${SYSTEM_SERVICES} /build/ /entrypoint.sh && \
sh -c "find ${NETALERTX_APP} -type d -exec chmod 750 {} \;" && \
@@ -90,7 +92,11 @@ RUN chmod -R a+x ${SYSTEM_SERVICES} /build/ /entrypoint.sh && \
sh -c "find ${NETALERTX_APP} -type f \( -name '*.sh' -o -name 'speedtest-cli' \) -exec chmod 750 {} \;"
# Copy source
RUN mkdir ${NETALERTX_API}
COPY --chown=netalertx:netalertx --chmod=755 back ${NETALERTX_BACK}
COPY --chown=netalertx:netalertx --chmod=755 front ${NETALERTX_FRONT}
COPY --chown=netalertx:netalertx --chmod=755 server ${NETALERTX_SERVER}
# create folders with netalertx user ownership and 755 permissions
RUN install -d -o netalertx -g netalertx -m 755 ${NETALERTX_API}
# Install runtime dependencies
@@ -110,20 +116,26 @@ RUN echo "netalertx ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers
# Final hardened stage to improve security by setting correct permissions and removing sudo access
# When complete, if the image is compromised, there's not much that can be done with it.
FROM runner AS hardened
# create readonly user and group with no shell access
RUN addgroup -g 20212 readonly && \
adduser -u 20212 -G readonly -D -h /app readonly
# remove netalertx from sudoers
RUN sh -c "sed -i '/netalertx ALL=(ALL) NOPASSWD: ALL/d' /etc/sudoers"
RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES}
RUN chown -R readonly:readonly ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER} ${SYSTEM_SERVICES} ${NETALERTX_SERVICES}
RUN chmod -R 004 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER}
RUN chmod 005 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER}
RUN chmod -R 005 ${SYSTEM_SERVICES}
RUN chmod 005 ${NETALERTX_BACK} ${NETALERTX_FRONT} ${NETALERTX_SERVER}
RUN chmod -R 005 ${SYSTEM_SERVICES} ${NETALERTX_SERVICES}
RUN chown -R netalertx:netalertx ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_CONFIG_FILE} ${NETALERTX_DB_FILE} && \
chmod -R 600 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_LOG} ${NETALERTX_API} && \
chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_LOG} ${NETALERTX_API}
RUN chown -R netalertx:netalertx ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} && \
chmod -R 600 ${NETALERTX_CONFIG} ${NETALERTX_DB} {NETALERTX_API} ${NETALERTX_LOG} && \
chmod 700 ${NETALERTX_CONFIG} ${NETALERTX_DB} ${NETALERTX_API} ${NETALERTX_LOG} ${NETALERTX_PLUGINS_LOG}
RUN chown readonly:readonly /