Introduce an isolated user inside dev container
Previously all commands were executed as root inside the docker
container. Supervisord has started all services as root, too.

Even though the docker container provides a level of isolation, code
should still be executed with the least required privileges.
fgrsnau committed Nov 16, 2019
1 parent c04150a commit f21186b
Showing 2 changed files with 11 additions and 5 deletions.
13 changes: 8 additions & 5 deletions Dockerfile
@@ -19,17 +19,20 @@ ENV PATH="/tmp/go/bin:${PATH}"
# needed for hook service
ENV WEBHOOK_SECRET=geheim

WORKDIR /tmp/go/src/github.com/nnev/website/
COPY . .

ADD build_entrypoint.sh /build_entrypoint.sh
ADD entrypoint.sh /entrypoint.sh
ADD build_website.sh /build_website.sh
ADD nnev-website-nginx.conf /etc/nginx/sites-available/default
ADD nnev-website-supervisor.conf /etc/supervisor/conf.d/supervisord.conf

RUN go get -v ./...
RUN go install -v ./...
RUN useradd -ms /bin/bash nnev
WORKDIR /tmp/go/src/github.com/nnev/website/
COPY . .

# Dockerfiles's ADD/COPY has a --chown arguments but no --chmod argument.
RUN chown -R nnev:nnev "${GOPATH}" && chmod -R a+rX "${GOPATH}"
RUN runuser -u nnev -- go get -v ./...
RUN runuser -u nnev -- go install -v ./...

EXPOSE 80
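
Review bot: after `RUN chown -R nnev:nnev "${GOPATH}"`, the binaries installed into `/tmp/go/bin` (assuming `GOPATH` is `/tmp/go`, as the `/tmp/go/src/...` WORKDIR and the `ENV PATH="/tmp/go/bin:${PATH}"` context suggest) are owned and writable by the same `nnev` account the services run under, so a compromised service process could overwrite the executables supervisord launches for the other services. Consider building as `nnev` and then handing the installed binaries back to root with `a+rX` (or using a separate build user), so the runtime account can execute but not modify its own code. Minor: the comment reads `Dockerfiles's`, and `chmod -R a+rX` makes the whole tree world-readable, which is fine for public source but worth remembering if anything sensitive lands under `${GOPATH}` later.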

3 changes: 3 additions & 0 deletions nnev-website-supervisor.conf
@@ -6,18 +6,21 @@ stdout_logfile_maxbytes=0

[program:c14h]
command=/tmp/go/bin/c14h -template=/tmp/go/src/github.com/nnev/website/www/_site/edit_c14.html -listen=localhost:6725 -connect="dbname=nnev host=%(ENV_PGHOST)s sslmode=disable" -hook=/build_website.sh
user=nnev
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0

[program:yarpnarp]
command=/tmp/go/bin/yarpnarp -template=/tmp/go/src/github.com/nnev/website/www/_site/yarpnarp.html -listen=localhost:5417 -connect="dbname=nnev host=%(ENV_PGHOST)s sslmode=disable" -hook=/build_website.sh
user=nnev
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0

[program:hook]
command=/tmp/go/bin/hook -listen=localhost:5221 -hook=/build_website.sh
user=nnev
redirect_stderr=true
stdout_logfile=/dev/stdout
stdout_logfile_maxbytes=0
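
Review bot: `user=nnev` makes supervisord setuid to `nnev` only; per the supervisord docs it does not start a login shell and does not change `HOME`, `USER` or `LOGNAME`, so all three programs and the `/build_website.sh` hook they spawn still see root's environment. If the hook or any Go tooling it runs writes under `$HOME`, add `environment=HOME="/home/nnev",USER="nnev"` to each `[program:...]` section (the `useradd -m` in the Dockerfile creates that home directory).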
