forked from ironpeakservices/iron-alpine
-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathDockerfile
105 lines (81 loc) · 3.4 KB
/
Dockerfile
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
FROM alpine:3.20.3
LABEL org.opencontainers.image.source="https://github.com/ironpeakservices/iron-alpine"
# make a pipe fail on the first failure
SHELL ["/bin/sh", "-o", "pipefail", "-c"]
# ensure we only use apk repositories over HTTPS (altough APK contain an embedded signature)
RUN echo "https://alpine.global.ssl.fastly.net/alpine/v$(cut -d . -f 1,2 < /etc/alpine-release)/main" > /etc/apk/repositories \
&& echo "https://alpine.global.ssl.fastly.net/alpine/v$(cut -d . -f 1,2 < /etc/alpine-release)/community" >> /etc/apk/repositories
# The user the app should run as
ENV APP_USER=app
# The home directory
ENV APP_DIR="/$APP_USER"
# Where persistent data (volume) should be stored
ENV DATA_DIR "$APP_DIR/data"
# Where configuration should be stored
ENV CONF_DIR "$APP_DIR/conf"
# Update base system
# hadolint ignore=DL3018
RUN apk add --no-cache ca-certificates
# Add custom user and setup home directory
RUN adduser -s /bin/true -u 1000 -D -h $APP_DIR $APP_USER \
&& mkdir "$DATA_DIR" "$CONF_DIR" \
&& chown -R "$APP_USER" "$APP_DIR" "$CONF_DIR" \
&& chmod 700 "$APP_DIR" "$DATA_DIR" "$CONF_DIR"
# Remove existing crontabs, if any.
RUN rm -fr /var/spool/cron \
&& rm -fr /etc/crontabs \
&& rm -fr /etc/periodic
# Remove all but a handful of admin commands.
RUN find /sbin /usr/sbin \
! -type d -a ! -name apk -a ! -name ln \
-delete
# Remove world-writeable permissions except for /tmp/
RUN find / -xdev -type d -perm +0002 -exec chmod o-w {} + \
&& find / -xdev -type f -perm +0002 -exec chmod o-w {} + \
&& chmod 777 /tmp/ \
&& chown $APP_USER:root /tmp/
# Remove unnecessary accounts, excluding current app user and root
RUN sed -i -r "/^($APP_USER|root|nobody)/!d" /etc/group \
&& sed -i -r "/^($APP_USER|root|nobody)/!d" /etc/passwd
# Remove interactive login shell for everybody
RUN sed -i -r 's#^(.*):[^:]*$#\1:/sbin/nologin#' /etc/passwd
# Disable password login for everybody
RUN while IFS=: read -r username _; do passwd -l "$username"; done < /etc/passwd || true
# Remove apk configs. -> Commented out because we need apk to install other stuff
#RUN find /bin /etc /lib /sbin /usr \
# -xdev -type f -regex '.*apk.*' \
# ! -name apk \
# -exec rm -fr {} +
# Remove temp shadow,passwd,group
RUN find /bin /etc /lib /sbin /usr -xdev -type f -regex '.*-$' -exec rm -f {} +
# Ensure system dirs are owned by root and not writable by anybody else.
RUN find /bin /etc /lib /sbin /usr -xdev -type d \
-exec chown root:root {} \; \
-exec chmod 0755 {} \;
# Remove suid & sgid files
RUN find /bin /etc /lib /sbin /usr -xdev -type f -a \( -perm +4000 -o -perm +2000 \) -delete
# Remove dangerous commands
RUN find /bin /etc /lib /sbin /usr -xdev \( \
-iname hexdump -o \
-iname chgrp -o \
-iname ln -o \
-iname od -o \
-iname strings -o \
-iname su -o \
-iname sudo \
\) -delete
# Remove init scripts since we do not use them.
RUN rm -fr /etc/init.d /lib/rc /etc/conf.d /etc/inittab /etc/runlevels /etc/rc.conf /etc/logrotate.d
# Remove kernel tunables
RUN rm -fr /etc/sysctl* /etc/modprobe.d /etc/modules /etc/mdev.conf /etc/acpi
# Remove root home dir
RUN rm -fr /root
# Remove fstab
RUN rm -f /etc/fstab
# Remove any symlinks that we broke during previous steps
RUN find /bin /etc /lib /sbin /usr -xdev -type l -exec test ! -e {} \; -delete
# add-in post installation file for permissions
COPY post-install.sh $APP_DIR/
RUN chmod 500 $APP_DIR/post-install.sh
# default directory is /app
WORKDIR $APP_DIR