2121
2222# ## START: Container build time args for Elemental Server
2323# #
24+ # Names of the Linux user account and group to run the Elemental Server service under
25+ ARG ELEMENTAL_SERVER_SERVICE_ACCOUNT="edb01"
26+ ARG ELEMENTAL_SERVER_SERVICE_GROUP="edb01"
27+
2428# Elemental data cache size
2529ARG ELEMENTAL_SERVER_CACHE_MEM="256"
2630# Elemental maximum number of database brokers
@@ -44,6 +48,10 @@ ARG ADDITIONAL_JAVA_TOOL_OPTIONS
4448# Install latest JRE 8 in Chainguard Wolfi temporary builder image
4549FROM cgr.dev/chainguard/wolfi-base AS builder
4650
51+ # Inherit global args to this build stage
52+ ARG ELEMENTAL_SERVER_SERVICE_ACCOUNT
53+ ARG ELEMENTAL_SERVER_SERVICE_GROUP
54+
4755RUN apk update && apk upgrade
4856# Install dependencies needed for JRE
4957RUN apk add tzdata zlib libjpeg-turbo libpng lcms2 freetype ttf-dejavu fontconfig-config libfontconfig1 expat libuuid libbrotlicommon1 libbrotlidec1 libbrotlienc1 libcrypt1
@@ -52,11 +60,17 @@ RUN apk add ca-certificates java-cacerts
5260# Install latest JRE
5361RUN apk add openjdk-8-jre
5462
63+ # Add Elemental Server service group and account
64+ RUN addgroup -S ${ELEMENTAL_SERVER_SERVICE_GROUP} \
65+ && adduser -S -G ${ELEMENTAL_SERVER_SERVICE_GROUP} -H -h /nonexistent -s /sbin/nologin -g "Elemental Database Server - Instance 01" ${ELEMENTAL_SERVER_SERVICE_ACCOUNT}
66+
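Review bot: The new `addgroup -S` / `adduser -S` on lines 64-65 let busybox choose whichever system UID and GID happen to be free in the Wolfi builder, so the numeric IDs written into the `/etc/passwd` and `/etc/group` that a later hunk copies into the final stage can change from build to build, and a final-stage `USER` given by name leaves runtimes that enforce runAsNonRoot with no numeric UID to check. Pinning the IDs keeps ownership of `/elemental` stable across rebuilds and allows a numeric `USER` later: `addgroup -S -g <GID> ${ELEMENTAL_SERVER_SERVICE_GROUP}` and `adduser -S -u <UID> -G ${ELEMENTAL_SERVER_SERVICE_GROUP} …`, where `<GID>`/`<UID>` stand for a fixed value chosen for this project (a high value such as 10001 is the usual convention). A short comment on line 63 naming the chosen IDs and why they are fixed would also help whoever maintains the matching `USER` line.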
5567
5668# Use Chainguard distroless glibc base for dynamically linked libraries
5769FROM cgr.dev/chainguard/glibc-dynamic:latest
5870
5971# Inherit global args to this build stage
72+ ARG ELEMENTAL_SERVER_SERVICE_ACCOUNT
73+ ARG ELEMENTAL_SERVER_SERVICE_GROUP
6074ARG ELEMENTAL_SERVER_CACHE_MEM
6175ARG ELEMENTAL_SERVER_MAX_BROKER
6276ARG JVM_MAX_RAM_PERCENTAGE
@@ -94,17 +108,22 @@ COPY --from=builder /usr/share/ca-certificates /usr/share/ca-certificates
94108# Copy over updated JRE from Wolfi
95109COPY --from=builder /usr/lib/jvm/java-1.8-openjdk /usr/lib/jvm/java-1.8-openjdk
96110
97- # Switch to nonroot user
98- USER nonroot
111+ # Copy Elemental Server service group and account
112+ COPY --from=builder --chown=root:root --chmod=0644 /etc/passwd /etc/passwd
113+ COPY --from=builder --chown=root:root --chmod=0644 /etc/group /etc/group
114+ COPY --from=builder --chown=root:root --chmod=0600 /etc/shadow /etc/shadow
115+
116+ # Switch to Elemental Server service account
117+ USER ${ELEMENTAL_SERVER_SERVICE_ACCOUNT}
99118
100119# Copy Elemental
101- COPY --chmod=0555 logs /elemental
102- COPY --chmod=0444 LICENSE /elemental/LICENSE
103- COPY --chmod=0570 autodeploy /elemental/autodeploy
104- COPY --chmod=0570 etc /elemental/etc
105- COPY --chmod=0550 lib /elemental/lib
106- COPY --chown=nonroot --chmod=0750 logs /elemental/logs
107- COPY --chown=nonroot --chmod=0750 logs /elemental/data
120+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} -- chmod=0555 logs /elemental
121+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} -- chmod=0444 LICENSE /elemental/LICENSE
122+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} -- chmod=0570 autodeploy /elemental/autodeploy
123+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} -- chmod=0570 etc /elemental/etc
124+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} -- chmod=0550 lib /elemental/lib
125+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} --chmod=0750 logs /elemental/logs
126+ COPY --chown=${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:${ELEMENTAL_SERVER_SERVICE_GROUP} --chmod=0750 logs /elemental/data
108127
109128# Build-time metadata as defined at http://label-schema.org
110129# and used by autobuilder @hooks/build
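Review bot: New lines 120-124 write the permission flag as `-- chmod=0555` with a space after the dashes, so BuildKit does not see a `--chmod` flag at all; the stray `--` and `chmod=0555` are most likely parsed as additional source paths, which fails the build or, at best, leaves those files with default modes. Lines 125-126 use the correct `--chmod=0750` form, so the fix is to remove the space on each of the five affected lines. Separately, copying the builder's whole `/etc/passwd`, `/etc/group` and `/etc/shadow` (new lines 112-114) replaces the distroless base's own account database with every account from the Wolfi builder and ships a shadow file nothing visible in the runtime stage reads; consider writing only the service account's and group's entries to staged files in the builder (e.g. `grep "^${ELEMENTAL_SERVER_SERVICE_ACCOUNT}:" /etc/passwd > /tmp/passwd`) and copying those, and dropping the shadow copy unless something in the image needs it. The `USER ${ELEMENTAL_SERVER_SERVICE_ACCOUNT}` on line 117 resolves by name, so it correctly comes after the passwd copy, but note the new `--chown` on lines 122-123 combined with group-writable `0570` means the service account can modify its own `autodeploy` and `etc` trees at runtime; if that is intended, a comment saying so would save the next reviewer the question.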