Merge pull request #65 from nats-io/sattwood/nonroot

Rootless Improvements
nats-io · Dec 18, 2023 · b33b8c7 · b33b8c7
2 parents 0fa9b62 + 521c231
commit b33b8c7
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 7 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 #syntax=docker/dockerfile-upstream:1.6
-FROM golang:1.21.3-alpine AS builder
+FROM golang:1.21.5-alpine AS builder
 
 LABEL maintainer "Derek Collison <derek@nats.io>"
 LABEL maintainer "Waldemar Quevedo <wally@nats.io>"
@@ -9,11 +9,10 @@ ARG TARGETARCH
 ARG VERSION_NATS
 ARG VERSION_NATS_TOP
 ARG VERSION_NSC
-ARG VERSION_STAN
 
 ENV GOPATH /go/${TARGETARCH}
 
-RUN <<EOT 
+RUN <<EOT
     set -e
     mkdir -p ${GOPATH}
 
@@ -22,7 +21,7 @@ RUN <<EOT
     go install github.com/nats-io/natscli/nats@v${VERSION_NATS}
 EOT
 
-FROM alpine:3.18.4
+FROM alpine:3.19.0
 
 ARG TARGETARCH
 
@@ -33,8 +32,13 @@ RUN <<EOT
     apk -U upgrade
     apk add --no-cache ca-certificates curl figlet jq
     rm -rf /var/cache/apk && mkdir /var/cache/apk
+
     addgroup -g 1000 nats
     adduser -D -u 1000 -G nats nats
+
+    mkdir -p /nsc
+    chown nats:root /nsc
+    chmod 0775 /nsc
 EOT
 
 ENV NKEYS_PATH /nsc/nkeys

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -24,6 +24,11 @@ function "get_tags" {
   result = [for tag in split(",", TAGS) : join("/", compact([REGISTRY, "${image}:${tag}"]))]
 }
 
+function "get_tags_suffix" {
+  params = [image, suffix]
+  result = [for tag in split(",", TAGS) : join("/", compact([REGISTRY, replace("${image}:${tag}-${suffix}", "latest-", "")]))]
+}
+
 function "get_platforms_multiarch" {
   params = []
   result = CI ? ["linux/amd64", "linux/arm/v6", "linux/arm/v7", "linux/arm64"] : []
@@ -40,7 +45,8 @@ function "get_output" {
 
 group "default" {
   targets = [
-    "nats-box"
+    "nats-box",
+    "nats-box-nonroot"
   ]
 }
 
@@ -53,10 +59,26 @@ target "nats-box" {
   args = {
     VERSION_NATS        = "0.1.1"
     VERSION_NATS_TOP    = "0.6.1"
-    VERSION_NSC         = "2.8.1"
-    VERSION_STAN        = "0.10.4"
+    VERSION_NSC         = "2.8.5"
   }
   platforms  = get_platforms_multiarch()
   tags       = get_tags("nats-box")
   output     = get_output()
 }
+
+target "nats-box-nonroot" {
+  contexts = {
+    nats-box = "target:nats-box"
+  }
+  inherits = ["nats-box"]
+  args = {
+    USER = "nats"
+  }
+  dockerfile-inline = <<EOT
+FROM nats-box
+ARG USER
+USER $USER:$USER
+EOT
+
+  tags = get_tags_suffix("nats-box", "nonroot")
+}