fix(docker): add `gosu` and remove unsupported flag in `adduser` (#8808)
* fix(docker): typo and uknown option in debian * fix(docker): use `gosu` for rootless execution Some of our entrypoint commands requires creating directories and files in places a non-privileged user can't access. So we use `gosu` to step down from `root` to a non-privileged user during container startup, right at our application execution.
This commit is contained in:
parent
0d36681d8f
commit
ec85aa8a48
|
@ -187,24 +187,29 @@ RUN apt-get update && \
|
||||||
apt-get install -y --no-install-recommends \
|
apt-get install -y --no-install-recommends \
|
||||||
ca-certificates \
|
ca-certificates \
|
||||||
curl \
|
curl \
|
||||||
rocksdb-tools
|
rocksdb-tools \
|
||||||
|
gosu \
|
||||||
|
&& \
|
||||||
|
rm -rf /var/lib/apt/lists/* /tmp/*
|
||||||
|
|
||||||
# Create a non-privileged user that the app will run under.
|
# Create a non-privileged user that the app will run under.
|
||||||
# Running as root inside the container is running as root in the Docker host
|
# Running as root inside the container is running as root in the Docker host
|
||||||
# If an attacker manages to break out of the container, they will have root access to the host
|
# If an attacker manages to break out of the container, they will have root access to the host
|
||||||
# See https://docs.docker.com/go/dockerfile-user-best-practices/
|
# See https://docs.docker.com/go/dockerfile-user-best-practices/
|
||||||
ARG USER=zebra
|
ARG USER=zebra
|
||||||
|
ENV USER=${USER}
|
||||||
ARG UID=10001
|
ARG UID=10001
|
||||||
|
ENV UID=${UID}
|
||||||
ARG GID=10001
|
ARG GID=10001
|
||||||
|
ENV GID=${GID}
|
||||||
|
|
||||||
RUN addgroup --system --gid ${GID} ${USER} \
|
RUN addgroup --system --gid ${GID} ${USER} \
|
||||||
&& adduser \
|
&& adduser \
|
||||||
--no-log-init \
|
|
||||||
--system \
|
--system \
|
||||||
--disabled-login \
|
--disabled-login \
|
||||||
--shell /bin/bash \
|
--shell /bin/bash \
|
||||||
--uid "${UID}" \
|
--uid "${UID}" \
|
||||||
--gid "{GID}" \
|
--gid "${GID}" \
|
||||||
${USER}
|
${USER}
|
||||||
|
|
||||||
# Config settings for zebrad
|
# Config settings for zebrad
|
||||||
|
@ -218,8 +223,6 @@ ENV ZEBRA_CONF_FILE=${ZEBRA_CONF_FILE:-zebrad.toml}
|
||||||
COPY --from=release /opt/zebrad/target/release/zebrad /usr/local/bin
|
COPY --from=release /opt/zebrad/target/release/zebrad /usr/local/bin
|
||||||
COPY --from=release /entrypoint.sh /
|
COPY --from=release /entrypoint.sh /
|
||||||
|
|
||||||
USER ${USER}
|
|
||||||
|
|
||||||
# Expose configured ports
|
# Expose configured ports
|
||||||
EXPOSE 8233 18233
|
EXPOSE 8233 18233
|
||||||
|
|
||||||
|
|
|
@ -357,11 +357,11 @@ case "$1" in
|
||||||
exec cargo test --locked --release --features "zebra-test" --package zebra-scan -- --nocapture --include-ignored scan_task_commands
|
exec cargo test --locked --release --features "zebra-test" --package zebra-scan -- --nocapture --include-ignored scan_task_commands
|
||||||
|
|
||||||
else
|
else
|
||||||
exec "$@"
|
exec gosu "$USER" "$@"
|
||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
;;
|
;;
|
||||||
*)
|
*)
|
||||||
exec "$@"
|
exec gosu "$USER" "$@"
|
||||||
;;
|
;;
|
||||||
esac
|
esac
|
||||||
|
|
Loading…
Reference in New Issue