azure - 在多阶段 Dockerfile 中创建非 root 用户
问题描述
我一直在尝试创建一个非 root 用户,因为这是一种很好的做法,它可以解决 Twistlock 合规性漏洞。
这是我必须在其中创建非 root 用户的 Dockerfile:
# Build
FROM node:12-alpine AS build
USER root
# Upgrade the system
RUN apk update && apk upgrade && apk add git && apk add openssh-client && apk add bash && apk add openjdk8 && apk add chromium && mkdir /root/.ssh
RUN apk update && apk upgrade
# Set the credentials to download the libraries
COPY credentials/known_hosts /root/.ssh/known_hosts
COPY credentials/id_rsa.pub /root/.ssh/id_rsa.pub
COPY credentials/id_rsa /root/.ssh/id_rsa
RUN chmod 600 /root/.ssh/id_rsa
# Add chromium for the unit tests
RUN \
echo "http://dl-cdn.alpinelinux.org/alpine/edge/community" >> /etc/apk/repositories \
&& echo "http://dl-cdn.alpinelinux.org/alpine/edge/main" >> /etc/apk/repositories \
&& echo "http://dl-cdn.alpinelinux.org/alpine/edge/testing" >> /etc/apk/repositories \
&& apk --no-cache update \
&& apk --no-cache upgrade \
&& apk add --no-cache --virtual .build-deps \
gifsicle pngquant optipng libjpeg-turbo-utils \
udev ttf-opensans chromium \
&& rm -rf /var/cache/apk/* /tmp/*
ENV CHROME_BIN /usr/bin/chromium-browser
ENV LIGHTHOUSE_CHROMIUM_PATH /usr/bin/chromium-browser
# set the working directory
WORKDIR /usr/src/app/
# copy the code into the image and download all the required libraries
COPY . .
RUN npm ci --unsafe-perm
# run unit tests
RUN npm run test:ci
# package the solution
RUN npm run build:prod
# Webserver
FROM nginx:1.17.10-alpine
USER root
# Upgrade the system
RUN apk update && apk upgrade && apk add bash
# copy the configuration for nginx
COPY /src/nginx/nginx.conf /etc/nginx/
COPY /src/nginx/default.conf /etc/nginx/conf.d/
# delete the previous content
RUN rm -rf /usr/share/nginx/html/*
COPY --from=build /usr/src/app/dist/myapp /usr/share/nginx/html
COPY --chown=root:root --from=build /usr/src/app/dist/myapp/config.json /usr/share/nginx/html/config.json
RUN chmod u=root:root /usr/share/nginx/html/config.json
COPY --chown=root:root entrypoint.sh /entrypoint.sh
ENTRYPOINT ["sh", "/entrypoint.sh"]
COPY --from=build /usr/src/app/.scannerwork /usr/.scannerwork
EXPOSE 8080
CMD ["nginx", "-g", "daemon off;"]
我尝试了命令:
RUN adduser -S appuser
RUN chmod +x /entrypoint.sh
USER appuser
这是我得到的错误:
我需要一些帮助。
对不起我的英语不好,非常感谢你提前。
解决方案
推荐阅读
- spring - 从 url 中获取 #token 值
- blazor - Blazor 打开双模态弹出窗口
- linq.js - 使用 linqjs 的 Enumerable 的新函数中的令牌无效或意外令牌
- c++ - 获取数组中的所有组合,其中所有条目的总和等于给定整数
- c# - 单击鼠标 2 次后打开 DataGridComboBoxColumn
- php - AWS S3 Select 的缺少标题/无效的列索引错误
- r - R数值方法类似于Matlab中的Vpasolve
- django - 将自定义字段添加到 Django 管理员身份验证表单
- android-studio - 重新创建活动后在 super.onCreate(savedInstanceState) 上崩溃
- kotlin - 如何打开自动生成的文件级类