Don't run as root

schemahero · May 30, 2019 · 076020b · 076020b
1 parent a66fb0f
commit 076020b
Show file tree

Hide file tree

Showing 4 changed files with 56 additions and 4 deletions.
diff --git a/Dockerfile.schemahero b/Dockerfile.schemahero
@@ -11,7 +11,26 @@ COPY vendor/ vendor/
 RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -a -o schemahero github.com/schemahero/schemahero/cmd/schemahero
 
 # Copy schemahero into a thin image
-FROM ubuntu:latest
+FROM debian:jessie
 WORKDIR /
 COPY --from=builder /go/src/github.com/schemahero/schemahero/schemahero .
-ENTRYPOINT ["/schemahero"]
+
+ENV GOSU_URL https://github.com/tianon/gosu/releases/download/1.4/gosu
+
+RUN apt-get update \
+ && apt-get -y install \
+    ca-certificates \
+    curl \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
+ && curl -o /usr/local/bin/gosu -SL "$GOSU_URL-$(dpkg --print-architecture)" \
+ && curl -o /usr/local/bin/gosu.asc -SL "$GOSU_URL-$(dpkg --print-architecture).asc" \
+ && gpg --verify /usr/local/bin/gosu.asc \
+ && rm /usr/local/bin/gosu.asc \
+ && rm -rf /var/lib/apt/lists/* \
+ && chmod +x /usr/local/bin/gosu
+
+COPY deploy/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+
diff --git a/deploy/Dockerfile.schemahero b/deploy/Dockerfile.schemahero
@@ -1,4 +1,22 @@
-FROM ubuntu:latest
+FROM debian:jessie
 WORKDIR /
 COPY schemahero /schemahero
-ENTRYPOINT ["/schemahero"]
+
+ENV GOSU_URL https://github.com/tianon/gosu/releases/download/1.4/gosu
+
+RUN apt-get update \
+ && apt-get -y install \
+    ca-certificates \
+    curl \
+ && gpg --keyserver ha.pool.sks-keyservers.net --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 \
+ && curl -o /usr/local/bin/gosu -SL "$GOSU_URL-$(dpkg --print-architecture)" \
+ && curl -o /usr/local/bin/gosu.asc -SL "$GOSU_URL-$(dpkg --print-architecture).asc" \
+ && gpg --verify /usr/local/bin/gosu.asc \
+ && rm /usr/local/bin/gosu.asc \
+ && rm -rf /var/lib/apt/lists/* \
+ && chmod +x /usr/local/bin/gosu
+
+COPY deploy/entrypoint.sh /usr/local/bin/entrypoint.sh
+RUN chmod +x /usr/local/bin/entrypoint.sh
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
diff --git a/deploy/entrypoint.sh b/deploy/entrypoint.sh
@@ -0,0 +1,11 @@
+#!/bin/bash
+set -e
+
+CURRENT_UID=${uid:-9999}
+
+echo "Current UID : $CURRENT_UID"
+useradd --shell /bin/bash -u $CURRENT_UID -o -c "" -m docker
+export HOME=/home/docker
+
+# Execute process
+exec /usr/local/bin/gosu docker /schemahero "$@"
diff --git a/pkg/fixtures/fixtures.go b/pkg/fixtures/fixtures.go
@@ -76,6 +76,10 @@ func (f *Fixturator) RunSync() error {
 	output := strings.Join(statements, ";\n")
 	output = fmt.Sprintf("/* Auto generated file. Do not edit by hand. This file was generated by SchemaHero. */\n\n %s;\n\n", output)
 
+	if _, err := os.Stat(f.Viper.GetString("output-dir")); os.IsNotExist(err) {
+		os.MkdirAll(f.Viper.GetString("output-dir"), 0755)
+	}
+
 	err = ioutil.WriteFile(filepath.Join(f.Viper.GetString("output-dir"), "fixtures.sql"), []byte(output), 0644)
 	if err != nil {
 		fmt.Printf("%#v\n", err)