fix(docker): do not run the Zebra nodes with the root user (#8803)
This commit is contained in:
parent
cdf73b2c26
commit
0d36681d8f
@ -182,8 +182,6 @@ RUN chmod u+x /entrypoint.sh
|
|||
# To save space, this step starts from scratch using debian, and only adds the resulting
|
||||
# binary from the `release` stage
|
||||
FROM debian:bookworm-slim AS runtime
|
||||
COPY --from=release /opt/zebrad/target/release/zebrad /usr/local/bin
|
||||
COPY --from=release /entrypoint.sh /
|
||||
|
||||
RUN apt-get update && \
|
||||
apt-get install -y --no-install-recommends \
|
||||
|
@ -191,6 +189,24 @@ RUN apt-get update && \
|
|||
curl \
|
||||
rocksdb-tools
|
||||
|
||||
# Create a non-privileged user that the app will run under.
|
||||
# Running as root inside the container is running as root in the Docker host
|
||||
# If an attacker manages to break out of the container, they will have root access to the host
|
||||
# See https://docs.docker.com/go/dockerfile-user-best-practices/
|
||||
ARG USER=zebra
|
||||
ARG UID=10001
|
||||
ARG GID=10001
|
||||
|
||||
RUN addgroup --system --gid ${GID} ${USER} \
|
||||
&& adduser \
|
||||
--no-log-init \
|
||||
--system \
|
||||
--disabled-login \
|
||||
--shell /bin/bash \
|
||||
--uid "${UID}" \
|
||||
--gid "{GID}" \
|
||||
${USER}
|
||||
|
||||
# Config settings for zebrad
|
||||
ARG FEATURES
|
||||
ENV FEATURES=${FEATURES}
|
||||
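Review bot: The adduser call's `--gid "{GID}"` is missing the `$`, so adduser is handed the literal string `{GID}` instead of the 10001 that `addgroup --system --gid ${GID}` just created; on Debian's adduser that is not a valid group id and the build step would most likely fail, or at best the account would not land in the intended group. The line should read `--gid "${GID}" \`, matching the quoting already used on `--uid "${UID}"`. A smaller point of style: `--shell /bin/bash` on a `--disabled-login` service account is unusual; unless the entrypoint needs an interactive shell for this user, `/usr/sbin/nologin` is the conventional choice for a non-privileged runtime account.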
|
@ -199,6 +215,11 @@ ENV FEATURES=${FEATURES}
|
|||
ENV ZEBRA_CONF_DIR=${ZEBRA_CONF_DIR:-/etc/zebrad}
|
||||
ENV ZEBRA_CONF_FILE=${ZEBRA_CONF_FILE:-zebrad.toml}
|
||||
|
||||
COPY --from=release /opt/zebrad/target/release/zebrad /usr/local/bin
|
||||
COPY --from=release /entrypoint.sh /
|
||||
|
||||
USER ${USER}
|
||||
|
||||
# Expose configured ports
|
||||
EXPOSE 8233 18233
|
||||
|
||||
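Review bot: `USER ${USER}` switches the runtime stage to the unprivileged account, but `/entrypoint.sh` is copied from the release stage without `--chown` or `--chmod`, so it stays root-owned, and the `chmod u+x /entrypoint.sh` visible in the first hunk's header grants execute to the owner only; unless the script already carries group/other execute bits in the build context, starting the container as `zebra` would fail with permission denied. A one-line fix is `COPY --from=release --chmod=0755 /entrypoint.sh /`, or `--chown=${UID}:${GID}` if the script must stay owner-executable only. The same ownership question applies to anything the entrypoint writes under `ZEBRA_CONF_DIR` (`/etc/zebrad`) and to the node's state directory: those paths need to exist and be owned by `${UID}:${GID}` before the `USER` line, which this hunk does not show. The `ENTRYPOINT`/`CMD` that actually invoke the script are outside the hunk, so whether they run the script directly or through a shell cannot be confirmed here.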