From 16d88a7c7a1bce62c6714290a7f76ba00f81bcbc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Stephan=20M=C3=BCller?=
Date: Sat, 30 Mar 2019 01:45:31 +0100
Subject: [PATCH] fix: run docker image as non-root (#795)
* do not use apk update explicitely
* change user root to node
---
 dev/build/Dockerfile | 29 ++++++++++++++---------------
 1 file changed, 14 insertions(+), 15 deletions(-)
diff --git a/dev/build/Dockerfile b/dev/build/Dockerfile
index faada2c0..3dbf41c4 100644
--- a/dev/build/Dockerfile
+++ b/dev/build/Dockerfile
@@ -3,9 +3,7 @@
 # ====================
 FROM node:10.15-alpine AS assets
-RUN apk update && \
- apk add yarn g++ make python --no-cache && \
- rm -rf /var/cache/apk/*
+RUN apk add yarn g++ make python --no-cache
 WORKDIR /wiki
@@ -28,22 +26,23 @@ RUN yarn --production --frozen-lockfile --non-interactive
 FROM node:10.15-alpine
 LABEL maintainer="requarks.io"
-RUN apk update && \
- apk add bash curl git openssh gnupg sqlite --no-cache && \
- rm -rf /var/cache/apk/* && \
+RUN apk add bash curl git openssh gnupg sqlite --no-cache && \
 mkdir -p /wiki && \
- mkdir -p /logs
+ mkdir -p /logs && \
+ chown -R node:node /wiki /logs
 WORKDIR /wiki
-COPY --from=assets /wiki/assets ./assets
-COPY --from=assets /wiki/node_modules ./node_modules
-COPY ./server ./server
-COPY --from=assets /wiki/server/views ./server/views
-COPY ./dev/build/config.yml ./config.yml
-COPY ./dev/docker-common/wait.sh ./wait.sh
-COPY ./package.json ./package.json
-COPY ./LICENSE ./LICENSE
+COPY --chown=node:node --from=assets /wiki/assets ./assets
+COPY --chown=node:node --from=assets /wiki/node_modules ./node_modules
+COPY --chown=node:node ./server ./server
+COPY --chown=node:node --from=assets /wiki/server/views ./server/views
+COPY --chown=node:node ./dev/build/config.yml ./config.yml
+COPY --chown=node:node ./dev/docker-common/wait.sh ./wait.sh
+COPY --chown=node:node ./package.json ./package.json
+COPY --chown=node:node ./LICENSE ./LICENSE
+
+USER node
 EXPOSE 3000
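Review bot: The `COPY --chown=node:node` lines together with `chown -R node:node /wiki /logs` in the release stage make the runtime user the owner of the application code, `node_modules` and `config.yml`, so a compromised server process could still rewrite the code it runs. If the server only needs to write to `/logs` and a data directory (not visible in this hunk), consider leaving the copied files root-owned by dropping `--chown` from the `COPY` lines and narrowing the `RUN` step to the writable paths, e.g. `chown node:node /logs`. A numeric form such as `USER 1000` (the uid the official node image is expected to assign to `node`; confirm for this tag) lets orchestrators that enforce a non-root policy verify the user without resolving the name. Volumes created by the previous root-running image may need their ownership adjusted on upgrade, which deserves a short comment above `USER node`.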