Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add non-root user 'app' to all images #57

Merged
merged 4 commits into from
Dec 5, 2022
Merged

Add non-root user 'app' to all images #57

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b37ae35
Add non-root user 'app' to all images
brunoborges Nov 29, 2022
241e81e
Create a staging directory.
brunoborges Nov 29, 2022
c910b66
update versions in shell script
brunoborges Nov 29, 2022
c6a3cc3
create subdirectory etc in /staging
brunoborges Nov 29, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
2 changes: 1 addition & 1 deletion build-all-images.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,7 +1,7 @@
#!/bin/bash

# Set expected JDK versions after the images are built
declare -A jdkversions=( ["11"]="11.0.15" ["17"]="17.0.3" ["8"]="1.8.0_332" )
declare -A jdkversions=( ["11"]="11.0.17" ["17"]="17.0.5" ["8"]="1.8.0_352" )

# Set the base MCR repo
basemcr="mcr.microsoft.com/openjdk/jdk"
Expand Down
10 changes: 10 additions & 0 deletions docker/distroless/Dockerfile.msopenjdk-11-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,15 @@ RUN mkdir -p /usr/lib/jvm && \
RUN mkdir /staging \
&& tdnf install -y --releasever=2.0 --installroot /staging zlib

# Create a non-root user and group (just like .NET's image)
RUN tdnf install -y gawk shadow-utils \
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Q: Do we want to run a tdnf clean all after the tdnf install?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Same question for the other tdnf commands through out. I think that might help clean out any temp files and caches. But if there are not any then adding that command might not do anything useful.

&& groupadd --system --gid=101 app \
&& adduser --uid 101 --gid 101 --shell /bin/false --system app \
&& install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
&& rootOrAppRegex='^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
&& cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"

# Clean up staging
RUN rm -rf /staging/etc/tdnf \
&& rm -rf /staging/run/* \
Expand All @@ -37,6 +46,7 @@ LABEL "Support"="Microsoft OpenJDK Support <openjdk-support@microsoft.com>"

COPY --from=installer /staging/ /
COPY --from=installer /usr/jdk/ /usr/jdk/
COPY --from=installer --chown=101:101 /staging/home/app /home/app

ENV JAVA_HOME=/usr/jdk
ENV PATH="$PATH:$JAVA_HOME/bin"
Expand Down
10 changes: 10 additions & 0 deletions docker/distroless/Dockerfile.msopenjdk-17-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,6 +20,15 @@ RUN mkdir -p /usr/lib/jvm && \
RUN mkdir /staging \
&& tdnf install -y --releasever=2.0 --installroot /staging zlib

# Create a non-root user and group (just like .NET's image)
RUN tdnf install -y gawk shadow-utils \
&& groupadd --system --gid=101 app \
&& adduser --uid 101 --gid 101 --shell /bin/false --system app \
&& install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
&& rootOrAppRegex='^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
&& cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"

# Clean up staging
RUN rm -rf /staging/etc/tdnf \
&& rm -rf /staging/run/* \
Expand All @@ -37,6 +46,7 @@ LABEL "Support"="Microsoft OpenJDK Support <openjdk-support@microsoft.com>"

COPY --from=installer /staging/ /
COPY --from=installer /usr/jdk/ /usr/jdk/
COPY --from=installer --chown=101:101 /staging/home/app /home/app

ENV JAVA_HOME=/usr/jdk
ENV PATH="$PATH:$JAVA_HOME/bin"
Expand Down
11 changes: 11 additions & 0 deletions docker/distroless/Dockerfile.temurin-8-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,16 @@ FROM ${INSTALLER_IMAGE}:${INSTALLER_TAG} AS installer
ARG PKGS="ca-certificates tzdata freetype"
ARG JDK_URL="https://api.adoptium.net/v3/binary/latest/8/ga/linux/x64/jdk/hotspot/normal/eclipse?project=jdk"

# Create a non-root user and group (just like .NET's image)
RUN mkdir -p /staging/etc/ \
&& tdnf install -y gawk shadow-utils \
&& groupadd --system --gid=101 app \
&& adduser --uid 101 --gid 101 --shell /bin/false --system app \
&& install -d -m 0755 -o 101 -g 101 "/staging/home/app" \
&& rootOrAppRegex='^\(root\|app\):' \
&& cat /etc/passwd | grep $rootOrAppRegex > "/staging/etc/passwd" \
&& cat /etc/group | grep $rootOrAppRegex > "/staging/etc/group"

# Install pre-reqs
RUN mkdir -p /usr/lib/jvm && \
tdnf install -y ca-certificates tar && \
Expand All @@ -25,5 +35,6 @@ ENV JAVA_HOME=/usr/jdk
ENV PATH="$PATH:$JAVA_HOME/bin"

COPY --from=installer /usr/jdk/ /usr/jdk/
COPY --from=installer --chown=101:101 /staging/home/app /home/app

ENTRYPOINT [ "/usr/jdk/bin/java" ]
8 changes: 7 additions & 1 deletion docker/mariner-cm1/Dockerfile.msopenjdk-11-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,4 +20,10 @@ RUN tdnf -y update && \
java -Xshare:dump && \
rm -rf /usr/lib/jvm/msopenjdk-11/lib/src.zip

ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-11
RUN tdnf install -y gawk shadow-utils \
&& tdnf clean all \
&& groupadd --system --gid=101 app \
&& adduser --uid 101 --gid 101 --system app \
&& install -d -m 0755 -o 101 -g 101 "/home/app"

ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-11
8 changes: 7 additions & 1 deletion docker/mariner-cm1/Dockerfile.msopenjdk-17-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,4 +20,10 @@ RUN tdnf -y update && \
java -Xshare:dump && \
rm -rf /usr/lib/jvm/msopenjdk-17/lib/src.zip

ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-17
RUN tdnf install -y gawk shadow-utils \
&& tdnf clean all \
&& groupadd --system --gid=101 app \
&& adduser --uid 101 --gid 101 --system app \
&& install -d -m 0755 -o 101 -g 101 "/home/app"

ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-17
6 changes: 6 additions & 0 deletions docker/mariner/Dockerfile.msopenjdk-11-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,10 @@ RUN tdnf install -y --releasever=2.0 ${package} ${PKGS} && \
java -Xshare:dump && \
rm -rf /usr/lib/jvm/msopenjdk-11/lib/src.zip

RUN tdnf install -y gawk shadow-utils \
&& tdnf clean all \
&& groupadd --system --gid=101 app \
&& adduser --uid 101 --gid 101 --system app \
&& install -d -m 0755 -o 101 -g 101 "/home/app"

ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-11
6 changes: 6 additions & 0 deletions docker/mariner/Dockerfile.msopenjdk-17-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,4 +17,10 @@ RUN rpm -Uhv https://packages.microsoft.com/config/centos/7/packages-microsoft-p
java -Xshare:dump && \
rm -rf /usr/lib/jvm/msopenjdk-17/lib/src.zip

RUN tdnf install -y gawk shadow-utils \
&& tdnf clean all \
&& groupadd --system --gid=101 app \
&& adduser --uid 101 --gid 101 --system app \
&& install -d -m 0755 -o 101 -g 101 "/home/app"

ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-17
6 changes: 6 additions & 0 deletions docker/mariner/Dockerfile.temurin-8-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,4 +15,10 @@ RUN tdnf install -y ${JDK_PKG} ${PKGS} && \
rm -rf /var/cache/tdnf && \
rm -rf ./usr/lib/jvm/temurin-8-jdk/src.zip

RUN tdnf install -y gawk shadow-utils \
&& tdnf clean all \
&& groupadd --system --gid=101 app \
&& adduser --uid 101 --gid 101 --system app \
&& install -d -m 0755 -o 101 -g 101 "/home/app"

ENV JAVA_HOME=/usr/lib/jvm/temurin-8-jdk
3 changes: 3 additions & 0 deletions docker/ubuntu/Dockerfile.msopenjdk-11-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,9 @@ RUN DEBIAN_FRONTEND=noninteractive && \
java -Xshare:dump && \
rm -rf ./usr/lib/jvm/msopenjdk-11-amd64/lib/src.zip

RUN groupadd --system --gid=101 app \
&& adduser --uid 101 --gid 101 --system app \
&& install -d -m 0755 -o 101 -g 101 "/home/app"

ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

Expand Down
4 changes: 4 additions & 0 deletions docker/ubuntu/Dockerfile.msopenjdk-17-jdk
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,10 @@ RUN DEBIAN_FRONTEND=noninteractive && \
java -Xshare:dump && \
rm -rf ./usr/lib/jvm/msopenjdk-17-amd64/lib/src.zip

RUN groupadd --system --gid=101 app \
&& adduser --uid 101 --gid 101 --system app \
&& install -d -m 0755 -o 101 -g 101 "/home/app"

ENV LANG='en_US.UTF-8' LANGUAGE='en_US:en' LC_ALL='en_US.UTF-8'

ENV JAVA_HOME=/usr/lib/jvm/msopenjdk-17-amd64