Run container as non root (#362)
parent
1dfa679fc6
commit
f7235d4407
@ -1,13 +1,11 @@
|
||||
#!/bin/bash
|
||||
set -e
|
||||
|
||||
chmod a+x /app/*.sh
|
||||
|
||||
if [[ "$1" = 'run' ]]; then
|
||||
exec gosu plausibleuser /app/bin/plausible start
|
||||
exec /app/bin/plausible start
|
||||
|
||||
elif [[ "$1" = 'db' ]]; then
|
||||
exec gosu plausibleuser /app/"$2".sh
|
||||
exec /app/"$2".sh
|
||||
else
|
||||
exec "$@"
|
||||
|
||||
|
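Review bot: With gosu gone, nothing in the entrypoint enforces the step-down from root any more: `exec /app/bin/plausible start` and `exec /app/"$2".sh` run as whatever user the container was started with. The old script always dropped to plausibleuser, but now a runtime user override silently runs the service as root. If that guarantee should survive, a guard in the `run` and `db` branches would keep it, e.g. `if [ "$(id -u)" -eq 0 ]; then echo "refusing to run as root" >&2; exit 1; fi`. The `chmod a+x /app/*.sh` line also appears to be dropped on the new side (the page has lost its +/- markers), so the `db` branch relies on the scripts already carrying the execute bit in the image. A short comment such as `# /app/*.sh must be executable in the image; this script no longer runs as root to fix modes` would record that.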
18
Dockerfile
18
Dockerfile
@ -6,7 +6,6 @@ FROM elixir:1.10.3 as buildcontainer
|
||||
|
||||
# preparation
|
||||
ARG APP_VER=0.0.1
|
||||
ENV GOSU_VERSION 1.11
|
||||
ENV MIX_ENV=prod
|
||||
ENV NODE_ENV=production
|
||||
ENV APP_VERSION=$APP_VER
|
||||
@ -23,20 +22,6 @@ RUN apt-get update && \
|
||||
RUN apt-get install -y --no-install-recommends ca-certificates wget \
|
||||
&& apt-get install -y --install-recommends gnupg2 dirmngr
|
||||
|
||||
# grab gosu for easy step-down from root
|
||||
RUN set -x \
|
||||
&& dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')" \
|
||||
&& wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch" \
|
||||
&& wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc" \
|
||||
&& export GNUPGHOME="$(mktemp -d)" \
|
||||
&& gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
|
||||
&& gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu \
|
||||
&& command -v gpgconf && gpgconf --kill all || : \
|
||||
&& rm -r "$GNUPGHOME" /usr/local/bin/gosu.asc \
|
||||
&& chmod +x /usr/local/bin/gosu \
|
||||
&& gosu --version \
|
||||
&& gosu nobody true
|
||||
|
||||
COPY mix.exs ./
|
||||
COPY mix.lock ./
|
||||
RUN mix local.hex --force && \
|
||||
@ -65,7 +50,6 @@ WORKDIR /app
|
||||
COPY rel rel
|
||||
RUN mix release plausible
|
||||
|
||||
|
||||
# Main Docker Image
|
||||
FROM debian:bullseye
|
||||
LABEL maintainer="tckb <tckb@tgrthi.me>"
|
||||
@ -82,9 +66,9 @@ COPY .gitlab/build-scripts/docker-entrypoint.sh /entrypoint.sh
|
||||
RUN chmod a+x /entrypoint.sh && \
|
||||
useradd -d /app -u 1000 -s /bin/bash -m plausibleuser
|
||||
|
||||
COPY --from=buildcontainer /usr/local/bin/gosu /usr/local/bin/gosu
|
||||
COPY --from=buildcontainer /app/_build/prod/rel/plausible /app
|
||||
RUN chown -R plausibleuser:plausibleuser /app
|
||||
USER plausibleuser
|
||||
WORKDIR /app
|
||||
ENTRYPOINT ["/entrypoint.sh"]
|
||||
CMD ["run"]
|
||||
|
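Review bot: `USER plausibleuser` in the last hunk names the account rather than its UID, so a runtime that enforces non-root by inspecting the image (Kubernetes `runAsNonRoot`) cannot verify it. The `useradd` just above already fixes the UID with `-u 1000`, so `USER 1000` gives the same result in a checkable form. The separate `RUN chown -R plausibleuser:plausibleuser /app` after the COPY rewrites the whole release into a second layer, whereas `COPY --chown=plausibleuser:plausibleuser --from=buildcontainer /app/_build/prod/rel/plausible /app` sets ownership in the same layer. In the build stage, `wget`, `gnupg2` and `dirmngr` look as if they were installed only for the removed gosu download and signature check. That `apt-get install` line may be removable too, after confirming nothing later in the stage uses them.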