From 744b4d7a1a4c80f0317971039d8b4b2f21013617 Mon Sep 17 00:00:00 2001
From: Phil Winder
Date: Mon, 7 Nov 2016 15:49:26 +0000
Subject: [PATCH 1/2] Added user to dockerfile.

---
 docker/catalogue/Dockerfile-release | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/docker/catalogue/Dockerfile-release b/docker/catalogue/Dockerfile-release
index 5aa4c0b0..4a6de5c3 100644
--- a/docker/catalogue/Dockerfile-release
+++ b/docker/catalogue/Dockerfile-release
@@ -1,10 +1,16 @@
-FROM busybox:1
+FROM alpine:3.4
+
+RUN addgroup mygroup && adduser -D -G mygroup myuser
+RUN apk add --update libcap
 WORKDIR /
 EXPOSE 80
 COPY app /
 COPY images/ /images/
+RUN setcap 'cap_net_bind_service=+ep' /app
+USER myuser
+
 ARG BUILD_DATE
 ARG BUILD_VERSION
 ARG COMMIT
From be326bc5eb40faa620b007030f39c772b6dd119c Mon Sep 17 00:00:00 2001
From: Phil Winder
Date: Mon, 7 Nov 2016 16:36:20 +0000
Subject: [PATCH 2/2] Clean and ensure file is owned by the correct user.

---
 docker/catalogue/Dockerfile-release | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)

diff --git a/docker/catalogue/Dockerfile-release b/docker/catalogue/Dockerfile-release
index 4a6de5c3..c8cc5314 100644
--- a/docker/catalogue/Dockerfile-release
+++ b/docker/catalogue/Dockerfile-release
@@ -1,15 +1,24 @@
 FROM alpine:3.4
-RUN addgroup mygroup && adduser -D -G mygroup myuser
-RUN apk add --update libcap
+ENV SERVICE_USER=myuser \
+ SERVICE_UID=10001 \
+ SERVICE_GROUP=mygroup \
+ SERVICE_GID=10001
+
+RUN addgroup -g ${SERVICE_GID} ${SERVICE_GROUP} && \
+ adduser -g "${SERVICE_NAME} user" -D -H -G ${SERVICE_GROUP} -s /sbin/nologin -u ${SERVICE_UID} ${SERVICE_USER} && \
+ apk add --update libcap
 WORKDIR /
 EXPOSE 80
 COPY app /
 COPY images/ /images/
-RUN setcap 'cap_net_bind_service=+ep' /app
-USER myuser
+RUN chmod +x /app && \
+ chown -R ${SERVICE_USER}:${SERVICE_GROUP} /app /images && \
+ setcap 'cap_net_bind_service=+ep' /app
+
+USER ${SERVICE_USER}
 ARG BUILD_DATE
 ARG BUILD_VERSION
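Review bot: `RUN apk add --update libcap` leaves the downloaded package index in the image layer and installs whichever libcap build the mirror serves at build time; `RUN apk add --no-cache libcap` keeps the index out of the image. The same `apk add --update libcap` is carried into the combined RUN of patch 2/2. libcap is only needed for the single `setcap` call, yet it stays in the runtime image as an extra tool. The `setcap` line also deserves a comment, for example `# file capability lets the non-root user bind port 80; it is not granted when the container runs with no-new-privileges`, because that runtime setting would make the bind fail.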
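Review bot: `${SERVICE_NAME}` in `adduser -g "${SERVICE_NAME} user"` is not set by the new ENV block or by any other visible line, so the GECOS field would expand to ` user`; either add a `SERVICE_NAME=<service name>` entry to the ENV list or drop the `-g` argument. `chown -R ${SERVICE_USER}:${SERVICE_GROUP} /app /images` makes the service account the owner of its own executable, so the running process would be able to modify the binary it was started from. Leaving `/app` owned by root with `chmod 0555 /app` is enough for the non-root user to execute it. `USER ${SERVICE_USER}` could be `USER ${SERVICE_UID}`, so that a runtime enforcing non-root execution can check the numeric UID without resolving the name.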