no root image

Georg Martin Weber · Georg Martin Weber · commit 8a206f00a006 · 2024-11-21T12:48:35.000+01:00
diff --git a/azure-pipelines.yml b/azure-pipelines.yml
@@ -57,7 +57,25 @@ jobs:
       dockerRegistryConnection: '${{ parameters.DockerRegistryEndpoint }}'
       action: 'Push an image'
       imageName: 'hull/hull-integration:$(HULL_VSADDON_VERSION)'
-  
+
+  - task: Docker@0
+    displayName: 'Docker Build noroot'
+    inputs:
+      containerregistrytype: 'Container Registry'
+      dockerRegistryConnection: '${{ parameters.DockerRegistryEndpoint }}'
+      dockerFile: './images/hull-integration/Dockerfile-noroot'
+      defaultContext: false
+      context: './images/hull-integration'
+      imageName: 'hull/hull-integration:$(HULL_VSADDON_VERSION)-noroot'
+ 
+  - task: Docker@0
+    displayName: 'Docker Push'
+    inputs:
+      containerregistrytype: 'Container Registry'
+      dockerRegistryConnection: '${{ parameters.DockerRegistryEndpoint }}'
+      action: 'Push an image'
+      imageName: 'hull/hull-integration:$(HULL_VSADDON_VERSION)-noroot'
+
   - script: |
         CHART_RELEASER_VERSION=1.5.0
         set -euo pipefail
diff --git a/hull-vidispine-addon/templates/_library.tpl b/hull-vidispine-addon/templates/_library.tpl
@@ -500,12 +500,15 @@ rabbitmq-connectionString:
 {{ $endpointApplication := include "hull.vidispine.addon.library.get.endpoint.application" (dict "PARENT_CONTEXT" $parent "ENDPOINT" $databaseKey) }}
 serviceAccountName: {{ $serviceAccountName }}
 restartPolicy: {{ default "Never" (index . "RESTART_POLICY") }}
+securityContext:
+  runAsNonRoot: true
+  runAsUser: 1001
 initContainers:
 {{ if $createScriptConfigMap }}
   copy-custom-scripts:
     image:
       repository: {{ dig "images" "dbTools" "repository" "vpms/dbtools" $parent.Values.hull.config.specific }}
-      tag: {{ (dig "images" "dbTools" "tag" (dig "tags" "dbTools" "1.9-1" $parent.Values.hull.config.specific) $parent.Values.hull.config.specific) | toString | quote }}
+      tag: {{ (dig "images" "dbTools" "tag" (dig "tags" "dbTools" "2.0-noroot" $parent.Values.hull.config.specific) $parent.Values.hull.config.specific) | toString | quote }}
     args:
     - "/bin/sh"
     - "-c"
@@ -520,7 +523,7 @@ initContainers:
   set-custom-script-permissions:
     image:
       repository: {{ dig "images" "dbTools" "repository" "vpms/dbtools" $parent.Values.hull.config.specific }}
-      tag: {{ (dig "images" "dbTools" "tag" (dig "tags" "dbTools" "1.9-1" $parent.Values.hull.config.specific) $parent.Values.hull.config.specific) | toString | quote }}
+      tag: {{ (dig "images" "dbTools" "tag" (dig "tags" "dbTools" "2.0-noroot" $parent.Values.hull.config.specific) $parent.Values.hull.config.specific) | toString | quote }}
     args:
     - "/bin/sh"
     - "-c"
@@ -533,7 +536,7 @@ initContainers:
   check-database-ready:
     image:
       repository: {{ dig "images" "dbTools" "repository" "vpms/dbtools" $parent.Values.hull.config.specific }}
-      tag: {{ (dig "images" "dbTools" "tag" (dig "tags" "dbTools" "1.9-1" $parent.Values.hull.config.specific) $parent.Values.hull.config.specific) | toString | quote }}
+      tag: {{ (dig "images" "dbTools" "tag" (dig "tags" "dbTools" "2.0-noroot" $parent.Values.hull.config.specific) $parent.Values.hull.config.specific) | toString | quote }}
     env:
       DBHOST:
         value: {{ $databaseHost }}
@@ -603,7 +606,7 @@ containers:
 {{ end }}
     image:
       repository: {{ dig "images" "dbTools" "repository" "vpms/dbtools" $parent.Values.hull.config.specific }}
-      tag: {{ (dig "images" "dbTools" "tag" (dig "tags" "dbTools" "1.9-1" $parent.Values.hull.config.specific) $parent.Values.hull.config.specific) | toString | quote }}
+      tag: {{ (dig "images" "dbTools" "tag" (dig "tags" "dbTools" "2.0-noroot" $parent.Values.hull.config.specific) $parent.Values.hull.config.specific) | toString | quote }}
     env:
       DBHOST:
         value: {{ $databaseHost }}
diff --git a/images/hull-integration/Dockerfile-noroot b/images/hull-integration/Dockerfile-noroot
@@ -0,0 +1,20 @@
+FROM mcr.microsoft.com/powershell:7.3-ubuntu-22.04
+RUN pwsh -NonInteractive -Command Install-Module -Force -Scope AllUsers powershell-yaml
+RUN apt-get update
+RUN apt-get -y install curl
+ENV VERSION="1.1.0"
+RUN curl -LO "https://github.com/oras-project/oras/releases/download/v${VERSION}/oras_${VERSION}_linux_amd64.tar.gz" 
+RUN ls
+RUN mkdir -p oras-install/
+RUN tar -zxf oras_${VERSION}_*.tar.gz -C oras-install/
+RUN mv oras-install/oras /usr/local/bin/
+RUN rm -rf oras_${VERSION}_*.tar.gz oras-install/
+# Create a user group 'noroot'
+RUN groupadd noroot
+# Add a user noroot to group 'noroot'
+RUN useradd --create-home --shell /bin/bash -u 1001 -g noroot noroot
+COPY ./Installer.ps1 /script/Installer.ps1
+RUN chown -R noroot /script
+COPY ./get-custom-scripts /get-custom-scripts
+RUN chown -R noroot /get-custom-scripts
+RUN oras --help
