fix(docker): do not run the Zebra nodes with the root user (#8803)

2024-08-27 12:55:24 +01:00 · 2024-08-27 12:55:24 +01:00 · 0d36681d8f
parent cdf73b2c26
commit 0d36681d8f
1 changed files with 23 additions and 2 deletions
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@ -182,8 +182,6 @@ RUN chmod u+x /entrypoint.sh
 # To save space, this step starts from scratch using debian, and only adds the resulting
 # binary from the `release` stage
 FROM debian:bookworm-slim AS runtime
-COPY --from=release /opt/zebrad/target/release/zebrad /usr/local/bin
-COPY --from=release /entrypoint.sh /

 RUN apt-get update && \
    apt-get install -y --no-install-recommends \
@ -191,6 +189,24 @@ RUN apt-get update && \
    curl \
    rocksdb-tools

+# Create a non-privileged user that the app will run under.
+# Running as root inside the container is running as root in the Docker host
+# If an attacker manages to break out of the container, they will have root access to the host
+# See https://docs.docker.com/go/dockerfile-user-best-practices/
+ARG USER=zebra
+ARG UID=10001
+ARG GID=10001
+
+RUN addgroup --system --gid ${GID} ${USER} \
+    && adduser \
+    --no-log-init \
+    --system \
+    --disabled-login \
+    --shell /bin/bash \
+    --uid "${UID}" \
+    --gid "{GID}" \
+    ${USER}
+
 # Config settings for zebrad
 ARG FEATURES
 ENV FEATURES=${FEATURES}
@ -199,6 +215,11 @@ ENV FEATURES=${FEATURES}
 ENV ZEBRA_CONF_DIR=${ZEBRA_CONF_DIR:-/etc/zebrad}
 ENV ZEBRA_CONF_FILE=${ZEBRA_CONF_FILE:-zebrad.toml}

+COPY --from=release /opt/zebrad/target/release/zebrad /usr/local/bin
+COPY --from=release /entrypoint.sh /
+
+USER ${USER}
+
 # Expose configured ports
 EXPOSE 8233 18233