Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change images to run as non-root user by default #45

Closed
wants to merge 9 commits into from
Closed

Change images to run as non-root user by default #45

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
9 commits
Select commit Hold shift + click to select a range
aec234a
Support running as a non-root user
yoshioterada Oct 20, 2022
36c9974
Java Version updated
yoshioterada Oct 21, 2022
06739f6
Modified for the invalid reference format of FROM BASE_IMAGE
yoshioterada Oct 21, 2022
6a80818
create test work flow
yoshioterada Oct 21, 2022
ab110e5
Revert "Modified for the invalid reference format of FROM BASE_IMAGE"
yoshioterada Oct 21, 2022
676641a
Deleted test-yaml file
yoshioterada Oct 21, 2022
aca1446
Modified UID from 101 to 2000
yoshioterada Oct 25, 2022
3cc6123
Added a directory(/app) which owned by javauser
yoshioterada Oct 25, 2022
149d2d0
Merge branch 'main' into support-non-root-user
brunoborges Nov 28, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion build-all-images.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#!/bin/bash

# Set expected JDK versions after the images are built
declare -A jdkversions=( ["11"]="11.0.15" ["17"]="17.0.3" ["8"]="1.8.0_332" )
declare -A jdkversions=( ["11"]="11.0.16.1" ["17"]="17.0.4.1" ["8"]="1.8.0_345" )

# Set the base MCR repo
basemcr="mcr.microsoft.com/openjdk/jdk"
Expand Down
12 changes: 12 additions & 0 deletions docker/distroless/Dockerfile.msopenjdk-11-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,16 @@ RUN mkdir -p /usr/lib/jvm && \
RUN mkdir /staging \
&& tdnf install -y --releasever=2.0 --installroot /staging zlib

# Create non-root user and group javauser
RUN tdnf install -y --releasever=2.0 shadow-utils && \
groupadd --system -g 2000 java-app && \
useradd -u 2000 -g java-app --shell /bin/false --home-dir /dev/null --system javauser && \
mkdir /app && \
tdnf clean all && \
# Copy user/group info to staging
cp /etc/passwd /staging/etc/passwd && \
cp /etc/group /staging/etc/group

# Clean up staging
RUN rm -rf /staging/etc/tdnf \
&& rm -rf /staging/run/* \
Expand All @@ -37,7 +47,9 @@ LABEL "Support"="Microsoft OpenJDK Support <openjdk-support@microsoft.com>"

COPY --from=installer /staging/ /
COPY --from=installer /usr/jdk/ /usr/jdk/
COPY --from=installer --chown=2000:2000 /app/ /app/

USER javauser
ENV JAVA_HOME=/usr/jdk
ENV PATH="$PATH:$JAVA_HOME/bin"

Expand Down
12 changes: 12 additions & 0 deletions docker/distroless/Dockerfile.msopenjdk-17-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,16 @@ RUN mkdir -p /usr/lib/jvm && \
RUN mkdir /staging \
&& tdnf install -y --releasever=2.0 --installroot /staging zlib

# Create non-root user and group javauser
RUN tdnf install -y --releasever=2.0 shadow-utils && \
groupadd --system -g 2000 java-app && \
useradd -u 2000 -g java-app --shell /bin/false --home-dir /dev/null --system javauser && \
mkdir /app && \
tdnf clean all && \
# Copy user/group info to staging
cp /etc/passwd /staging/etc/passwd && \
cp /etc/group /staging/etc/group

# Clean up staging
RUN rm -rf /staging/etc/tdnf \
&& rm -rf /staging/run/* \
Expand All @@ -37,7 +47,9 @@ LABEL "Support"="Microsoft OpenJDK Support <openjdk-support@microsoft.com>"

COPY --from=installer /staging/ /
COPY --from=installer /usr/jdk/ /usr/jdk/
COPY --from=installer --chown=2000:2000 /app/ /app/

USER javauser
ENV JAVA_HOME=/usr/jdk
ENV PATH="$PATH:$JAVA_HOME/bin"

Expand Down
15 changes: 15 additions & 0 deletions docker/distroless/Dockerfile.temurin-8-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,6 +16,18 @@ RUN mkdir -p /usr/lib/jvm && \
rm /jdk.tar.gz && \
mv /jdk8u* /usr/jdk

# Create non-root user and group javauser
RUN mkdir /staging && \
mkdir /staging/etc && \
tdnf install -y --releasever=2.0 shadow-utils && \
groupadd --system -g 2000 java-app && \
useradd -u 2000 -g java-app --shell /bin/false --home-dir /dev/null --system javauser && \
tdnf clean all && \
mkdir /app && \
# Copy user/group info to staging
cp /etc/passwd /staging/etc/passwd && \
cp /etc/group /staging/etc/group

FROM ${BASE_IMAGE}:${BASE_TAG}

LABEL "Author"="Microsoft"
Expand All @@ -24,6 +36,9 @@ LABEL "Support"="Microsoft OpenJDK Support <openjdk-support@microsoft.com>"
ENV JAVA_HOME=/usr/jdk
ENV PATH="$PATH:$JAVA_HOME/bin"

USER javauser
COPY --from=installer /staging/ /
COPY --from=installer /usr/jdk/ /usr/jdk/
COPY --from=installer --chown=2000:2000 /app/ /app/

ENTRYPOINT [ "/usr/jdk/bin/java" ]
7 changes: 6 additions & 1 deletion docker/mariner-cm1/Dockerfile.msopenjdk-11-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,11 @@ ARG package=msopenjdk-11

RUN tdnf -y update && \
tdnf -y upgrade && \
tdnf install -y tzdata ca-certificates freetype fontconfig && \
tdnf install -y tzdata ca-certificates freetype fontconfig shadow-utils && \
groupadd --system -g 2000 java-app && \
useradd -u 2000 -g java-app --shell /bin/false --home-dir /dev/null --system javauser && \
mkdir /app && \
chown javauser:java-app /app && \
rm -rf /var/cache/tdnf && \
rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm && \
tdnf install -y mariner-repos-ui && \
Expand All @@ -20,4 +24,5 @@ RUN tdnf -y update && \
java -Xshare:dump && \
rm -rf /usr/lib/jvm/msopenjdk-11/lib/src.zip

USER javauser
ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-11
7 changes: 6 additions & 1 deletion docker/mariner-cm1/Dockerfile.msopenjdk-17-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -11,7 +11,11 @@ ARG package=msopenjdk-17

RUN tdnf -y update && \
tdnf -y upgrade && \
tdnf install -y tzdata ca-certificates freetype fontconfig && \
tdnf install -y tzdata ca-certificates freetype fontconfig shadow-utils && \
groupadd --system -g 2000 java-app && \
useradd -u 2000 -g java-app --shell /bin/false --home-dir /dev/null --system javauser && \
mkdir /app && \
chown javauser:java-app /app && \
rm -rf /var/cache/tdnf && \
rpm -Uvh https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm && \
tdnf install -y mariner-repos-ui && \
Expand All @@ -20,4 +24,5 @@ RUN tdnf -y update && \
java -Xshare:dump && \
rm -rf /usr/lib/jvm/msopenjdk-17/lib/src.zip

USER javauser
ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-17
7 changes: 6 additions & 1 deletion docker/mariner/Dockerfile.msopenjdk-11-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,18 @@ LABEL "Support"="Microsoft OpenJDK Support <openjdk-support@microsoft.com>"
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

ARG package="msopenjdk-11"
ARG PKGS="tzdata ca-certificates freetype"
ARG PKGS="tzdata ca-certificates freetype shadow-utils"

RUN tdnf install -y --releasever=2.0 ${package} ${PKGS} && \
groupadd --system -g 2000 java-app && \
useradd -u 2000 -g java-app --shell /bin/false --home-dir /dev/null --system javauser && \
mkdir /app && \
chown javauser:java-app /app && \
tdnf clean all && \
rm -rf /var/cache/tdnf && \
echo java -Xshare:dump && \
java -Xshare:dump && \
rm -rf /usr/lib/jvm/msopenjdk-11/lib/src.zip

USER javauser
ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-11
7 changes: 6 additions & 1 deletion docker/mariner/Dockerfile.msopenjdk-17-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,13 +8,18 @@ LABEL "Support"="Microsoft OpenJDK Support <openjdk-support@microsoft.com>"
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

ARG package="msopenjdk-17"
ARG PKGS="tzdata ca-certificates freetype"
ARG PKGS="tzdata ca-certificates freetype shadow-utils"

RUN rpm -Uhv https://packages.microsoft.com/config/centos/7/packages-microsoft-prod.rpm && \
tdnf install -y ${package} ${PKGS} && \
groupadd --system -g 2000 java-app && \
useradd -u 2000 -g java-app --shell /bin/false --home-dir /dev/null --system javauser && \
mkdir /app && \
chown javauser:java-app /app && \
rm -rf /var/cache/tdnf && \
echo java -Xshare:dump && \
java -Xshare:dump && \
rm -rf /usr/lib/jvm/msopenjdk-17/lib/src.zip

USER javauser
ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-17
7 changes: 6 additions & 1 deletion docker/mariner/Dockerfile.temurin-8-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,11 +8,16 @@ LABEL "Support"="Microsoft OpenJDK Support <openjdk-support@microsoft.com>"
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

ARG JDK_PKG="temurin-8-jdk"
ARG PKGS="ca-certificates tzdata freetype"
ARG PKGS="tzdata ca-certificates freetype shadow-utils"

# Install pre-reqs
RUN tdnf install -y ${JDK_PKG} ${PKGS} && \
groupadd --system -g 2000 java-app && \
useradd -u 2000 -g java-app --shell /bin/false --home-dir /dev/null --system javauser && \
mkdir /app && \
chown javauser:java-app /app && \
rm -rf /var/cache/tdnf && \
rm -rf ./usr/lib/jvm/temurin-8-jdk/src.zip

USER javauser
ENV JAVA_HOME=/usr/lib/jvm/temurin-8-jdk
7 changes: 5 additions & 2 deletions docker/ubuntu/Dockerfile.msopenjdk-11-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,12 +20,15 @@ RUN DEBIAN_FRONTEND=noninteractive && \
apt-get -qq install $package && \
apt-get -qq purge apt-transport-https wget && \
apt-get -qq autoremove --purge && \
groupadd --system -g 2000 java-app && \
useradd -u 2000 -g java-app --shell /bin/false --home-dir /dev/null --system javauser && \
mkdir /app && \
chown javauser:java-app /app && \
rm -rf /var/lib/apt/lists/* && \
echo java -Xshare:dump && \
java -Xshare:dump && \
rm -rf ./usr/lib/jvm/msopenjdk-11-amd64/lib/src.zip


USER javauser
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-11-amd64
6 changes: 5 additions & 1 deletion docker/ubuntu/Dockerfile.msopenjdk-17-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,11 +20,15 @@ RUN DEBIAN_FRONTEND=noninteractive && \
apt-get -qq install $package && \
apt-get -qq purge apt-transport-https wget && \
apt-get -qq autoremove --purge && \
groupadd --system -g 2000 java-app && \
useradd -u 2000 -g java-app --shell /bin/false --home-dir /dev/null --system javauser && \
mkdir /app && \
chown javauser:java-app /app && \
rm -rf /var/lib/apt/lists/* && \
echo java -Xshare:dump && \
java -Xshare:dump && \
rm -rf ./usr/lib/jvm/msopenjdk-17-amd64/lib/src.zip

USER javauser
ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-17-amd64