From 788519f2cb9f1f8b0218b73a7f4d19143d887a1b Mon Sep 17 00:00:00 2001
From: John Skinner
Date: Wed, 31 Jan 2024 11:10:23 -0600
Subject: [PATCH 1/2] snyk remmediations for helm and rename containerfile back to dockerfile as snyk won't pick up on it otherwise, to hell with oci I suppose
---
 container/proton/{Containerfile => Dockerfile} | 0
 container/wine/{Containerfile => Dockerfile} | 6 +++++-
 helm/templates/deployment.yaml | 7 +++++++
 3 files changed, 12 insertions(+), 1 deletion(-)
 rename container/proton/{Containerfile => Dockerfile} (100%)
 rename container/wine/{Containerfile => Dockerfile} (92%)
diff --git a/container/proton/Containerfile b/container/proton/Dockerfile
similarity index 100%
rename from container/proton/Containerfile
rename to container/proton/Dockerfile
diff --git a/container/wine/Containerfile b/container/wine/Dockerfile
similarity index 92%
rename from container/wine/Containerfile
rename to container/wine/Dockerfile
index 017f47d..837737c 100644
--- a/container/wine/Containerfile
+++ b/container/wine/Dockerfile
@@ -28,7 +28,11 @@
 RUN groupadd -g $CONTAINER_GID steam \
 && apt-get update \
 && apt-get install -y --install-recommends winehq-stable \
 && wget -O /usr/local/bin/winetricks https://raw.githubusercontent.com/Winetricks/winetricks/master/src/winetricks \
- && chmod +x /usr/local/bin/winetricks
+ && chmod +x /usr/local/bin/winetricks \
+ && rm -rf /var/lib/apt/lists/* \
+ && apt-get clean \
+ && apt-get autoremove -y
+
 USER steam
diff --git a/helm/templates/deployment.yaml b/helm/templates/deployment.yaml
index 3d13a9f..0d1884e 100644
--- a/helm/templates/deployment.yaml
+++ b/helm/templates/deployment.yaml
@@ -15,6 +15,8 @@ spec:
 matchLabels:
 app: "{{ .Chart.Name }}"
 release: "{{ .Release.Name }}"
+ securityContext:
+ runAsNonRoot: true
 template:
 metadata:
 labels:
@@ -22,6 +24,8 @@ spec:
 release: "{{ .Release.Name }}"
 spec:
 securityContext:
+ runAsUser: 10000
+ runAsGroup: 10000
 fsGroup: 10000
 containers:
 - name: "{{ .Chart.Name }}"
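Review bot: The cleanup lines appended to this RUN still sit behind an unpinned, unverified download: the `wget -O /usr/local/bin/winetricks https://raw.githubusercontent.com/Winetricks/winetricks/master/src/winetricks` context line fetches whatever is at the branch head at build time, and the re-added `chmod +x` makes it executable with no integrity check, so two builds of the same Dockerfile can ship different code. Pin the URL to a tagged release and verify it before the chmod, e.g. `&& echo "<expected-sha256>  /usr/local/bin/winetricks" | sha256sum -c - \` (placeholder digest to be filled in from the pinned release). The `rm -rf /var/lib/apt/lists/*` / `apt-get clean` / `apt-get autoremove -y` additions themselves are fine in this order, since autoremove does not need the package lists. The RUN begins at the hunk's first line; the ARG that presumably defines `CONTAINER_GID` is outside the hunk.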
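Review bot: The added `securityContext:` / `runAsNonRoot: true` block is placed between `selector.matchLabels` and `template`, and no object at any of the possible nesting levels there accepts it — DeploymentSpec, LabelSelector and the `matchLabels` map all lack a `securityContext` field — so depending on client/server field validation the block is either rejected as unknown or silently dropped, and non-root enforcement never takes effect. The flattened rendering here loses indentation, so I cannot say which level it landed on, but all three are invalid. The pod-level securityContext already exists in the next hunk at `spec.template.spec.securityContext` (where `fsGroup: 10000` and the new `runAsUser`/`runAsGroup` live); move the line there as `runAsNonRoot: true` beside `fsGroup: 10000`. The enclosing Deployment `spec` starts and ends outside this hunk.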
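Review bot: `runAsUser: 10000` and `runAsGroup: 10000` are hard-coded in the template with no values override, and they have to match the uid/gid the image assigns to `steam` (the Dockerfile in this same patch builds the group from `$CONTAINER_GID`; the uid argument is not visible here). If the two drift apart the server process runs as a uid with no passwd entry and no write access to `/home/steam`, which the Wine prefix and the mounted savegame under it presumably need. Consider sourcing them from chart values, e.g. `runAsUser: {{ .Values.securityContext.runAsUser | default 10000 }}` (proposed values key), with a comment such as `# must match the uid/gid of the steam user baked into the image` above the block. The pod spec continues outside the hunk.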
@@ -50,6 +54,9 @@ spec:
 volumeMounts:
 - name: data
 mountPath: /home/steam/enshrouded/savegame
+ securityContext:
+ allowPrivilegeEscalation: false
+
 volumes:
 - name: data
 persistentVolumeClaim:
From ea41081d4a175943a27ffea66c3c95f6dba1454f Mon Sep 17 00:00:00 2001
From: John Skinner
Date: Wed, 31 Jan 2024 11:17:32 -0600
Subject: [PATCH 2/2] update makefile and github actions
---
 .github/workflows/publish_image.yaml | 2 +-
 .github/workflows/publish_proton_image.yaml | 4 ++--
 makefile | 5 ++++-
 3 files changed, 7 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/publish_image.yaml b/.github/workflows/publish_image.yaml
index 61b0d8a..e705e53 100644
--- a/.github/workflows/publish_image.yaml
+++ b/.github/workflows/publish_image.yaml
@@ -14,7 +14,7 @@ jobs:
 with:
 image: enshrouded-dedicated-server
 context: ./container/wine
- containerfiles: ./container/wine/Containerfile
+ containerfiles: ./container/wine/Dockerfile
 tags: latest ${{ github.event.release.tag_name }} # Use latest and the release tag
 - name: Push image to Docker Hub
 uses: redhat-actions/push-to-registry@v2
diff --git a/.github/workflows/publish_proton_image.yaml b/.github/workflows/publish_proton_image.yaml
index b4e4873..72b9b16 100644
--- a/.github/workflows/publish_proton_image.yaml
+++ b/.github/workflows/publish_proton_image.yaml
@@ -12,8 +12,8 @@ jobs:
 with:
 image: enshrouded-dedicated-server
 context: ./container/proton
- containerfiles: ./container/proton/Containerfile
- tags: proton-latest
+ containerfiles: ./container/proton/Dockerfile
+ tags: proton-latest
 - name: Push image to Docker Hub
 uses: redhat-actions/push-to-registry@v2
 with:
diff --git a/makefile b/makefile
index 14fda71..386bcbe 100644
--- a/makefile
+++ b/makefile
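Review bot: The new container-level `securityContext:` stops at `allowPrivilegeEscalation: false`; a dedicated game server has no need for Linux capabilities, so the same block should also carry `capabilities: {drop: [ALL]}` and `seccompProfile: {type: RuntimeDefault}`, which is what most baseline/restricted pod policies check for alongside the privilege-escalation flag. I would not add `readOnlyRootFilesystem` here without testing, since Wine presumably writes to its prefix under `/home/steam` outside the mounted savegame path. The container entry (`- name: "{{ .Chart.Name }}"`) begins outside this hunk.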
@@ -1,4 +1,7 @@
-# Image values
+# I would prefer Podman but for some reason the Proton container just doesn't run right in Podman.
+# Not sure if this is a me problem or a Podman problem. So Proton builds and runs with Docker instead.
+#
+# Image Values
 REGISTRY := localhost
 IMAGE := enshrouded-test
 PROTON_IMAGE := enshrouded-proton-test