From c3fcb8ce6eb8177a247e27fd2015db97990d65e7 Mon Sep 17 00:00:00 2001 From: Greg May Date: Sat, 19 Oct 2019 21:40:14 -0700 Subject: [PATCH] Container RunAsNonroot Add examples to README Change base image Signed-off-by: Gregory May --- README.md | 109 +++++++++++++++++- template/powershell-http/Dockerfile | 13 ++- template/powershell-http/function/handler.ps1 | 6 +- template/powershell-http/server.ps1 | 2 +- 4 files changed, 118 insertions(+), 12 deletions(-) diff --git a/README.md b/README.md index a974540..f24dee3 100644 --- a/README.md +++ b/README.md 
@@ -1,9 +1,110 @@ -# powershell-http-template -OpenFaaS HTTP template for PowerShell -## Using this template +OpenFaaS PowerShell HTTP function template +============================================= + +This template for building Powershell based functions on [OpenFaaS](https://www.openfaas.com), Docker, Knative and Cloud Run. + +With this template you can create a new function and deploy it to a platform like [OpenFaaS](https://www.openfaas.com) for: + +* scale-to-zero +* horizontal scale-out +* metrics & logs +* automated health-checks +* sane Kubernetes defaults like running as a non-root user + +## Status of the template + +This template is experimental and I would like your feedback through GitHub issues or [OpenFaaS Slack](https://docs.openfaas.com/community). + +## Get started + +You can create or scaffold a new function using the [OpenFaaS CLI](https://github.com/openfaas/faas-cli). + ``` +# USERNAME is your Docker Hub account or private Docker registry +$ export USERNAME=alexellisuk + $ faas template pull https://github.com/openfaas-incubator/powershell-http-template -$ faas new --lang powershell-http +$ faas new --lang powershell-http-template --prefix="${USERNAME}" ``` +Once you've written your code you can run `faas-cli build` to create a local Docker image, then `faas-cli push` to transfer it to your registry. + +You can now deploy it to OpenFaaS, Knative, Google Cloud Run or even use `docker run`. + +See also: [Deploy OpenFaaS](https://docs.openfaas.com/deployment/) + +## Example usage + +### Minimal string based example + +``` +function Handler { + Param( + [Parameter(Mandatory=$true)] + [FunctionContext]$fnContext, + [Parameter(Mandatory=$true)] + [FunctionResponse]$fnResponse + ) + + $output = "Hello! 
Your input was: " + $fnContext.Body + + $fnResponse.Body = $output + +} +``` + +### Minimal JSON based example + +``` +function Handler { + Param( + [Parameter(Mandatory=$true)] + [FunctionContext]$fnContext, + [Parameter(Mandatory=$true)] + [FunctionResponse]$fnResponse + ) + + $json = $fnContext.Body | Out-String | ConvertFrom-Json + + $key1 = $json.key1 + $key2 = $json.key2 + + $output = @{ + "Your JSON input was" = @{ + key1=$key1; + key2=$key2; + } + } | ConvertTo-Json -Compress + + $fnResponse.Body = $output + +} +``` + + +### Example usage with WinRM based remote PowerShell module, environment variables and secrets. + +``` +function Handler { + Param( + [Parameter(Mandatory=$true)] + [FunctionContext]$fnContext, + [Parameter(Mandatory=$true)] + [FunctionResponse]$fnResponse + ) + + $username = $env:USERNAME + $password = Get-Content "/var/openfaas/secrets/password" | ConvertTo-SecureString -AsPlainText -Force + $cred = New-Object System.Management.Automation.PSCredential -ArgumentList ($username, $password) + + $sessionoptions = New-PSSessionOption -SkipCACheck -SkipCNCheck + $output = Invoke-Command -ComputerName -Authentication Negotiate -SessionOption $sessionoptions -Credential $cred -ScriptBlock { + Import-module ActiveDirectory + Get-Domain + } + + $fnResponse.Body = $output + +} +``` diff --git a/template/powershell-http/Dockerfile b/template/powershell-http/Dockerfile index 6c85ef8..4be7f19 100644 --- a/template/powershell-http/Dockerfile +++ b/template/powershell-http/Dockerfile @@ -1,6 +1,6 @@ -FROM openfaas/classic-watchdog:0.18.0 as watchdog +FROM openfaas/of-watchdog:0.7.2 as watchdog -FROM microsoft/powershell:ubuntu-xenial as ship +FROM microsoft/powershell:centos-7 as ship COPY --from=watchdog /fwatchdog /usr/bin/fwatchdog RUN chmod +x /usr/bin/fwatchdog 
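Review bot: Both new `FROM` lines in the Dockerfile select their image by mutable tag (`openfaas/of-watchdog:0.7.2`, `microsoft/powershell:centos-7`), so a later rebuild of the template can pull different content than was reviewed here. Pinning by digest, e.g. `FROM openfaas/of-watchdog:0.7.2@sha256:<digest> as watchdog` (placeholder digest), turns a base-image update into an explicit, reviewable change. `centos-7` names a distro rather than a PowerShell version, so it presumably moves whenever the publisher rebuilds. It is also worth confirming that the `microsoft/powershell` Docker Hub repository is still the maintained source rather than `mcr.microsoft.com/powershell`. The Dockerfile continues outside this hunk.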
@@ -9,12 +9,17 @@ COPY server.ps1 server.ps1 COPY function function -HEALTHCHECK --interval=1s CMD [ -e /tmp/.lock ] || exit 1 +RUN adduser --system --no-create-home --uid 10001 app + +USER 10001 ENV fprocess="pwsh ./server.ps1" ENV cgi_headers="true" ENV mode="http" -ENV upstream_url="http://127.0.0.1:8081" +ENV upstream_url="http://127.0.0.1:8082" EXPOSE 8080 + +HEALTHCHECK --interval=3s CMD [ -e /tmp/.lock ] || exit 1 + CMD ["fwatchdog"] diff --git a/template/powershell-http/function/handler.ps1 b/template/powershell-http/function/handler.ps1 index 30efa96..0375bca 100644 --- a/template/powershell-http/function/handler.ps1 +++ b/template/powershell-http/function/handler.ps1 @@ -4,10 +4,10 @@ function Handler { [FunctionContext]$fnContext, [Parameter(Mandatory=$true)] [FunctionResponse]$fnResponse -) + ) -$output = "Hello! Your input was: " + $fnContext.Body + $output = "Hello! Your input was: " + $fnContext.Body -$fnResponse.Body = $output + $fnResponse.Body = $output } diff --git a/template/powershell-http/server.ps1 b/template/powershell-http/server.ps1 index c319cea..c413b2b 100644 --- a/template/powershell-http/server.ps1 +++ b/template/powershell-http/server.ps1 @@ -16,7 +16,7 @@ Class FunctionResponse{ } $listener = New-Object System.Net.HttpListener -$listener.Prefixes.Add("http://*:8081/") +$listener.Prefixes.Add("http://*:8082/") $listener.Start() . "./function/handler.ps1"
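Review bot: The new `USER 10001` line needs a comment explaining why the UID is numeric, for example `# Numeric UID: Kubernetes runAsNonRoot cannot verify a named user`, otherwise a later cleanup may change it to `USER app`. The account is created with `--no-create-home`, so uid 10001 has no writable home directory. PowerShell normally keeps its module-analysis cache and similar state under the user's home, so check that `pwsh ./server.ps1` starts cleanly as this user, or set `ENV HOME=/tmp` (or another writable path) before `USER`. The `server.ps1` and `function` files copied earlier stay root-owned, which looks intentional and is worth stating in a comment, since it stops the function process from rewriting its own code.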
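Review bot: In server.ps1 the new prefix `http://*:8082/` binds the handler to every interface, although the Dockerfile in this same commit points the watchdog at `http://127.0.0.1:8082`, so only loopback traffic is needed. As written, any workload that can reach the container's address can talk to port 8082 directly instead of going through the watchdog on 8080. Consider `$listener.Prefixes.Add("http://127.0.0.1:8082/")`, after confirming that HttpListener in the image's pwsh accepts an IP-literal prefix. The port number is now duplicated between this line and `upstream_url`, so a comment on each noting that they must match would prevent drift. The rest of server.ps1 lies outside the hunk.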