From f7235d44075776d7f06034f608daa4be5ba815c2 Mon Sep 17 00:00:00 2001
From: Caleb Woodbine
Date: Thu, 15 Oct 2020 21:22:04 +1300
Subject: [PATCH] Run container as non root (#362)
---
 .gitlab/build-scripts/docker-entrypoint.sh | 6 ++----
 Dockerfile | 18 +-----------------
 2 files changed, 3 insertions(+), 21 deletions(-)
diff --git a/.gitlab/build-scripts/docker-entrypoint.sh b/.gitlab/build-scripts/docker-entrypoint.sh
index b44a0135d..df4dad9a9 100755
--- a/.gitlab/build-scripts/docker-entrypoint.sh
+++ b/.gitlab/build-scripts/docker-entrypoint.sh
@@ -1,13 +1,11 @@
 #!/bin/bash
 set -e
-chmod a+x /app/*.sh
-
 if [[ "$1" = 'run' ]]; then
- exec gosu plausibleuser /app/bin/plausible start
+ exec /app/bin/plausible start
 elif [[ "$1" = 'db' ]]; then
- exec gosu plausibleuser /app/"$2".sh
+ exec /app/"$2".sh
 else
  exec "$@"
diff --git a/Dockerfile b/Dockerfile
index 1536560d1..872b5487a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,7 +6,6 @@ FROM elixir:1.10.3 as buildcontainer
 # preparation
 ARG APP_VER=0.0.1
-ENV GOSU_VERSION 1.11
 ENV MIX_ENV=prod
 ENV NODE_ENV=production
 ENV APP_VERSION=$APP_VER
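Review bot: Dropping `chmod a+x /app/*.sh` leaves nothing that guarantees the `db` helper scripts are executable, so `exec /app/"$2".sh` now depends entirely on the file modes the release was copied with from the build stage, and none of the Dockerfile hunks in this commit add an equivalent. The image still runs `RUN chown -R plausibleuser:plausibleuser /app` as root before switching user, so the mode fix belongs there, e.g. `RUN chown -R plausibleuser:plausibleuser /app && chmod a+x /app/*.sh`, or this branch could run `exec bash /app/"$2".sh` if the scripts are meant to stay non-executable. A comment above the `db` branch such as `# helper scripts must already be executable in the image; nothing chmods them at runtime` would make the new assumption visible. The closing `fi` of this `if` block lies outside the hunk.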
@@ -23,20 +22,6 @@ RUN apt-get update && \
 RUN apt-get install -y --no-install-recommends ca-certificates wget \
  && apt-get install -y --install-recommends gnupg2 dirmngr
-# grab gosu for easy step-down from root
-RUN set -x \
- && dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
- && wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
- && wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" \
- && export GNUPGHOME="$(mktemp -d)" \
- && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
- && gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
- && command -v gpgconf && gpgconf --kill all || : \
- && rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
- && chmod +x /usr/local/bin/gosu \
- && gosu --version \
- && gosu nobody true
-
 COPY mix.exs ./
 COPY mix.lock ./
 RUN mix local.hex --force && \
@@ -65,7 +50,6 @@ WORKDIR /app
 COPY rel rel
 RUN mix release plausible
-
 # Main Docker Image
 FROM debian:bullseye
 LABEL maintainer="tckb "
@@ -82,9 +66,9 @@ COPY .gitlab/build-scripts/docker-entrypoint.sh /entrypoint.sh
 RUN chmod a+x /entrypoint.sh && \
  useradd -d /app -u 1000 -s /bin/bash -m plausibleuser
-COPY --from=buildcontainer /usr/local/bin/gosu /usr/local/bin/gosu
 COPY --from=buildcontainer /app/_build/prod/rel/plausible /app
 RUN chown -R plausibleuser:plausibleuser /app
+USER plausibleuser
 WORKDIR /app
 ENTRYPOINT ["/entrypoint.sh"]
 CMD ["run"]
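Review bot: `USER plausibleuser` is the right step, but together with the surrounding `RUN chown -R plausibleuser:plausibleuser /app` the service process now owns, and can rewrite, its own release tree (`/app/bin/plausible` and the `*.sh` helpers the entrypoint execs), which gives back part of the least-privilege gain the commit is after. Keep the release root-owned and hand the runtime user only the paths it must write; Elixir releases write generated config under `RELEASE_TMP`, which defaults to `tmp` inside the release root, so something like `RUN mkdir -p /app/tmp && chown plausibleuser:plausibleuser /app/tmp` in place of the recursive chown is the likely shape (confirm against what the release actually writes). `USER 1000`, the UID passed to `useradd`, would also let runtimes that enforce a non-root check verify it without resolving `/etc/passwd`. The recursive chown is existing code, so this is a follow-up rather than a defect introduced by the hunk.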