Update Dockerfile and build-docker workflow #2666
Conversation

Force-pushed: 45e0874 to 97cb479

Force-pushed: 97cb479 to 6abef18
- Set UID to 10000 and GID to 10001 statically
- Run with the bitshares user

This is a temporary solution compatible with older images.
Kudos, SonarCloud Quality Gate passed!
# | ||
# Obtain version | ||
mkdir -p /etc/bitshares && \ | ||
git rev-parse --short HEAD > /etc/bitshares/version && \ | ||
cd / && \ | ||
rm -rf /bitshares-core | ||
|
||
# Home directory $HOME | ||
# The final image |
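Review bot: `cd / && rm -rf /bitshares-core` at the end of this build-stage RUN only shrinks the build stage, not the image that ships: once the build and runtime stages are separated (the `# The final image` stage that follows), nothing from the build stage reaches the runtime image except what the final stage copies out explicitly. What does matter is that `/etc/bitshares/version`, written here with `git rev-parse --short HEAD`, is one of the paths copied into the final stage; otherwise the runtime image carries no version file at all. Worth verifying the `COPY --from=` list against this line.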
I like how you separated the build and runtime environments. Should make the final image smaller with fewer attack vectors.
# default execute entry | ||
CMD ["/usr/local/bin/bitsharesentry.sh"] | ||
ENTRYPOINT ["/usr/local/bin/bitsharesentry.sh"] |
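Review bot: CMD and ENTRYPOINT both point at `/usr/local/bin/bitsharesentry.sh`, and with both in exec form Docker appends CMD to ENTRYPOINT, so the entry script is started with its own path as `$1`. Either drop the CMD line, or make CMD carry the default arguments the entry script should receive (an empty `CMD []` is also valid). As written the script must ignore or strip that stray first argument.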
Good idea to use an ENTRYPOINT vs. a CMD.
# Plugins need to be provided in a space-separated list, which | ||
# makes it necessary to write it like this | ||
if [[ ! -z "$BITSHARESD_PLUGINS" ]]; then | ||
exec "$BITSHARESD" --data-dir "${HOME}" ${ARGS} ${BITSHARESD_ARGS} --plugins "${BITSHARESD_PLUGINS}" | ||
exec /usr/bin/setpriv --reuid=bitshares --regid=bitshares --clear-groups \ |
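Review bot: the `exec "$BITSHARESD" ... --plugins "${BITSHARESD_PLUGINS}"` line inside the `if [[ ! -z "$BITSHARESD_PLUGINS" ]]` branch replaces the shell before the `exec /usr/bin/setpriv --reuid=bitshares --regid=bitshares --clear-groups` line is reached, so if both lines are present in the resulting script the daemon keeps root whenever `BITSHARESD_PLUGINS` is set; the privilege drop should wrap every exec path, not only the no-plugins one. Two smaller points on the setpriv line itself: adding `--no-new-privs` and `--inh-caps=-all` (both util-linux setpriv options) closes the remaining setuid and inheritable-capability routes back to root, and since `${ARGS} ${BITSHARESD_ARGS}` are deliberately unquoted for word splitting, the plugin list should stay quoted as one argument as it is here.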
Are you using setpriv here as part of the temp workaround related to commenting out line 111 above?
Yes, setpriv is used here to drop root privileges. For this, it is better than su.
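The reply above says why setpriv is used: it replaces the entrypoint process with the daemon running as the unprivileged user, rather than spawning a child under a root parent the way su does. The script below is an added example written for this discussion, not the project's bitsharesentry.sh. It assumes the variable names `BITSHARESD`, `BITSHARESD_ARGS` and `BITSHARESD_PLUGINS`, the static UID/GID 10000/10001 from the PR, a `DRY_RUN` switch that prints the argv instead of exec'ing, and a `FAKE_UID` override so the root path can be checked without root; the daemon path and data directory defaults are placeholders. It shows the plugins list kept as one argument and every exec path going through setpriv.

```shell
#!/bin/sh
# Added example entrypoint (constructed, not the project's own script).
# Assumed: BITSHARESD, BITSHARESD_ARGS, BITSHARESD_PLUGINS, DRY_RUN,
# FAKE_UID, and the bitshares account as uid 10000 / gid 10001.
set -eu

BITSHARESD="${BITSHARESD:-/usr/local/bin/witness_node}"   # placeholder path
HOME="${HOME:-/var/lib/bitshares}"                        # placeholder data dir

# Print argv one element per line so word boundaries are visible.
show_argv() { printf '%s\n' "$@"; }

# FAKE_UID is a test hook only; in the image this is simply id -u.
current_uid() { echo "${FAKE_UID:-$(id -u)}"; }

# Build the daemon argv in "$@" and hand it to exec_as_user.
# BITSHARESD_ARGS is a list of flags and is split on whitespace on
# purpose; BITSHARESD_PLUGINS is one space-separated string that the
# daemon expects as a single argument after --plugins, so it is quoted.
run_daemon() {
    set -- "$BITSHARESD" --data-dir "$HOME"
    # shellcheck disable=SC2086  # deliberate splitting of a flag list
    set -- "$@" ${BITSHARESD_ARGS:-}
    if [ -n "${BITSHARESD_PLUGINS:-}" ]; then
        set -- "$@" --plugins "$BITSHARESD_PLUGINS"
    fi
    exec_as_user "$@"
}

# Drop to the unprivileged account before exec'ing, but only when we
# really are root; an image already started as uid 10000 just execs.
# --clear-groups drops supplementary groups, --no-new-privs blocks
# setuid/file-capability escalation, --inh-caps=-all empties the
# inheritable capability set (all are util-linux setpriv options).
# Because this is exec, PID 1 becomes the daemon itself, with no root
# parent left behind, which is the point of setpriv over su.
exec_as_user() {
    if [ "$(current_uid)" -eq 0 ]; then
        set -- /usr/bin/setpriv --reuid=10000 --regid=10001 --clear-groups \
               --inh-caps=-all --no-new-privs -- "$@"
    fi
    if [ "${DRY_RUN:-0}" = 1 ]; then
        show_argv "$@"
        return 0
    fi
    exec "$@"
}

# CI-friendly check (no root needed): the plugins string must survive
# as exactly one argv element even though other flags are split.
check_plugins_is_one_arg() {
    out="$(DRY_RUN=1 BITSHARESD_PLUGINS='witness account_history' \
           BITSHARESD_ARGS='--replay-blockchain' run_daemon)"
    printf '%s\n' "$out" | grep -qx -- 'witness account_history'
}

# Only start the daemon when explicitly asked, so the file can also be
# sourced for the checks above (ENTRY_RUN=1 in the real image's CMD).
if [ "${ENTRY_RUN:-0}" = 1 ]; then
    run_daemon
fi
```

Running it with `DRY_RUN=1 FAKE_UID=0 BITSHARESD_PLUGINS='witness account_history' sh -c '. ./entry.sh; run_daemon'` prints the full setpriv-prefixed argv, one element per line, which is a quick way to review what will actually be exec'd before building the image.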
PR for #2011.

Changes:

- `bitshares` user whose UID is statically set to 10000 and GID to 10001, to follow best practices: https://github.com/hexops/dockerfile#use-a-static-uid-and-gid
- `major.minor` version tag to Docker Hub too, to follow best practices: https://github.com/hexops/dockerfile#do-not-use-latest-pin-your-image-tags
- `build-docker` workflow to a variable instead of hardcoding it.