
Commit 64ad46f

RinZ27Aias00847850277
authored
[Security] Harden Docker images to run as non-root user (#6273)
Co-authored-by: aias00 <liuhongyu@apache.org> Co-authored-by: zhengpeng <847850277@qq.com>
1 parent cb3c582 commit 64ad46f


2 files changed

+19
-7
lines changed


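--- a/shenyu-dist/shenyu-admin-dist/docker/Dockerfile
+++ b/shenyu-dist/shenyu-admin-dist/docker/Dockerfile
@@ -25,18 +25,24 @@ RUN mv /opt/${APP_NAME} ${LOCAL_PATH}
 
 FROM amazoncorretto:17.0.11-alpine3.19
 
-RUN apk --no-cache add wget curl
+RUN apk --no-cache add wget curl && \
+addgroup -S shenyu && \
+adduser -S shenyu -G shenyu && \
+mkdir -p /home/shenyu && \
+chown -R shenyu:shenyu /home/shenyu
 
 ENV LOCAL_PATH /opt/shenyu-admin
 ENV ADMIN_JVM ""
 
-COPY --from=prepare ${LOCAL_PATH} ${LOCAL_PATH}
-COPY docker/logback.xml ${LOCAL_PATH}/conf/logback.xml
-COPY docker/entrypoint.sh ${LOCAL_PATH}/entrypoint.sh
+COPY --chown=shenyu:shenyu --from=prepare ${LOCAL_PATH} ${LOCAL_PATH}
+COPY --chown=shenyu:shenyu docker/logback.xml ${LOCAL_PATH}/conf/logback.xml
+COPY --chown=shenyu:shenyu docker/entrypoint.sh ${LOCAL_PATH}/entrypoint.sh
 RUN chmod +x ${LOCAL_PATH}/entrypoint.sh
 
 WORKDIR /opt/shenyu-admin
 
+USER shenyu
+
 EXPOSE 9095
 
 ENTRYPOINT ["/bin/sh", "entrypoint.sh"]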
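Review bot: `USER shenyu` names the account rather than a numeric UID, and `adduser -S shenyu -G shenyu` lets Alpine pick whatever UID is free, so the image's non-root identity is neither fixed nor verifiable from image metadata. A Kubernetes pod with `runAsNonRoot: true` is rejected when the image user is non-numeric, because the kubelet cannot prove the name does not map to UID 0. Pinning an ID closes this: `addgroup -S -g 10001 shenyu`, `adduser -S -u 10001 -G shenyu shenyu` and `USER 10001:10001` (10001 is an example value, not taken from the project). The same applies to `groupadd -r` / `useradd -r` and `USER shenyu` in shenyu-dist/shenyu-bootstrap-dist/docker/Dockerfile.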

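--- a/shenyu-dist/shenyu-bootstrap-dist/docker/Dockerfile
+++ b/shenyu-dist/shenyu-bootstrap-dist/docker/Dockerfile
@@ -26,18 +26,24 @@ RUN mv /opt/${APP_NAME} ${LOCAL_PATH}
 # FROM amazoncorretto:17.0.11-alpine3.19
 FROM eclipse-temurin:17-centos7
 
+RUN groupadd -r shenyu && \
+useradd -r -g shenyu -m -d /home/shenyu shenyu && \
+chown -R shenyu:shenyu /home/shenyu
+
 # RUN apk --no-cache add wget curl
 
 ENV LOCAL_PATH /opt/shenyu-bootstrap
 ENV BOOT_JVM ""
 
-COPY --from=prepare ${LOCAL_PATH} ${LOCAL_PATH}
-COPY docker/logback.xml ${LOCAL_PATH}/conf/logback.xml
-COPY docker/entrypoint.sh ${LOCAL_PATH}/entrypoint.sh
+COPY --chown=shenyu:shenyu --from=prepare ${LOCAL_PATH} ${LOCAL_PATH}
+COPY --chown=shenyu:shenyu docker/logback.xml ${LOCAL_PATH}/conf/logback.xml
+COPY --chown=shenyu:shenyu docker/entrypoint.sh ${LOCAL_PATH}/entrypoint.sh
 RUN chmod +x ${LOCAL_PATH}/entrypoint.sh
 
 WORKDIR ${LOCAL_PATH}
 
+USER shenyu
+
 EXPOSE 9195
 
 ENTRYPOINT ["/bin/sh", "entrypoint.sh"]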
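Review bot: The three `COPY --chown=shenyu:shenyu` lines hand the whole `${LOCAL_PATH}` tree, including `entrypoint.sh` and whatever the prepare stage ships, to the account the service runs as, so a compromised process can rewrite its own start script and program files. Taking away write access to program files is a large part of what a non-root user buys; leaving the copies root-owned and giving `shenyu` only the directories the service must write to (log output, presumably; not visible in this hunk) keeps the rest read-only to it. The `chown -R shenyu:shenyu /home/shenyu` after `useradd -m` also looks redundant, since `-m` already creates the home directory for that user. The COPY lines in shenyu-dist/shenyu-admin-dist/docker/Dockerfile follow the same ownership pattern.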
