fix(docker): add `gosu` and remove unsupported flag in `adduser` (#8808)
* fix(docker): typo and unknown option in debian * fix(docker): use `gosu` for rootless execution Some of our entrypoint commands require creating directories and files in places a non-privileged user can't access. So we use `gosu` to step down from `root` to a non-privileged user during container startup, right at our application execution.
parent
0d36681d8f
commit
ec85aa8a48
|
@ -187,24 +187,29 @@ RUN apt-get update && \
|
|||
apt-get install -y --no-install-recommends \
|
||||
ca-certificates \
|
||||
curl \
|
||||
rocksdb-tools
|
||||
rocksdb-tools \
|
||||
gosu \
|
||||
&& \
|
||||
rm -rf /var/lib/apt/lists/* /tmp/*
|
||||
|
||||
# Create a non-privileged user that the app will run under.
|
||||
# Running as root inside the container is running as root in the Docker host
|
||||
# If an attacker manages to break out of the container, they will have root access to the host
|
||||
# See https://docs.docker.com/go/dockerfile-user-best-practices/
|
||||
ARG USER=zebra
|
||||
ENV USER=${USER}
|
||||
ARG UID=10001
|
||||
ENV UID=${UID}
|
||||
ARG GID=10001
|
||||
ENV GID=${GID}
|
||||
|
||||
RUN addgroup --system --gid ${GID} ${USER} \
|
||||
&& adduser \
|
||||
--no-log-init \
|
||||
--system \
|
||||
--disabled-login \
|
||||
--shell /bin/bash \
|
||||
--uid "${UID}" \
|
||||
--gid "{GID}" \
|
||||
--gid "${GID}" \
|
||||
${USER}
|
||||
|
||||
# Config settings for zebrad
|
||||
|
@ -218,8 +223,6 @@ ENV ZEBRA_CONF_FILE=${ZEBRA_CONF_FILE:-zebrad.toml}
|
|||
COPY --from=release /opt/zebrad/target/release/zebrad /usr/local/bin
|
||||
COPY --from=release /entrypoint.sh /
|
||||
|
||||
USER ${USER}
|
||||
|
||||
# Expose configured ports
|
||||
EXPOSE 8233 18233
|
||||
|
||||
|
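Review bot: The comment block above `ARG USER=zebra` ("Create a non-privileged user that the app will run under") is now misleading, because the second hunk drops `USER ${USER}` and the image therefore starts as root; the step-down to `${USER}` happens only when `entrypoint.sh` reaches its `exec gosu "$USER" "$@"` lines. I would extend that comment with `# NOTE: no USER directive here on purpose: the container starts as root so entrypoint.sh can create directories, then drops to ${USER} via gosu before exec'ing zebrad.` so the next reader does not re-add `USER` and break the entrypoint. It is also worth stating there that gosu reads the `USER` environment variable set by `ENV USER=${USER}`, so anyone overriding that variable at run time changes which account the process is dropped to. I cannot tell from the rendered page which of the `adduser` flags was removed; if `--no-log-init` is still present, note that it is a `useradd` option rather than a Debian `adduser` one and may need confirming against the target distro.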
|
|
@ -357,11 +357,11 @@ case "$1" in
|
|||
exec cargo test --locked --release --features "zebra-test" --package zebra-scan -- --nocapture --include-ignored scan_task_commands
|
||||
|
||||
else
|
||||
exec "$@"
|
||||
exec gosu "$USER" "$@"
|
||||
fi
|
||||
fi
|
||||
;;
|
||||
*)
|
||||
exec "$@"
|
||||
exec gosu "$USER" "$@"
|
||||
;;
|
||||
esac
|
||||
|
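Review bot: `exec gosu "$USER" "$@"` (both the `else` branch and the `*)` arm) assumes the script is running as root and that `USER` is non-empty; if the container is started with a non-root `--user`, or `USER` is unset or empty in the environment, gosu cannot switch accounts and the command never runs. A small guard keeps the rootless case working: `if [[ "$(id -u)" == 0 ]]; then exec gosu "${USER:?USER must be set}" "$@"; else exec "$@"; fi`. Since the same line appears twice in this hunk, I would put it in one `run_as_user()` helper and call it from both places. The enclosing `case "$1" in` starts outside the hunk, so this applies to every arm that ends in an `exec`.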