-
Notifications
You must be signed in to change notification settings - Fork 28
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
The goal with this changes is to decrease the attack surface of the published images, by relying on a scratch base image. In order to support such approach, the following changes were made: - Statically compile the application to use the network and os/user implementations from Pure Go. - Embed time zone data into the application via time/tzdata. - Embed x509 roots from Go, which was introduced on Go 1.20. - Create a top layer dir structure that complies with FHS 3.0. - Create files /etc/{passwd,shadow,group,nsswitch.conf}. - Bump Go to 1.21 (given that 1.20 is half way through its life) Signed-off-by: Paulo Gomes <paulo.gomes@suse.com>
- Loading branch information
Showing
6 changed files
with
69 additions
and
12 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,7 +1,44 @@ | ||
FROM registry.suse.com/bci/bci-busybox:15.5 | ||
FROM registry.suse.com/bci/bci-busybox:15.5 as builder | ||
|
||
COPY bin/cis-operator /usr/bin/ | ||
# There is no real need for containers to fully comply with the | ||
# Filesystem Hierarchy Standard (FHS). However, some applications | ||
# could malfunction if some specific basic dirs are not available. | ||
# Therefore, create top level structure. | ||
# | ||
# https://refspecs.linuxfoundation.org/FHS_3.0/fhs/index.html | ||
RUN mkdir -p /final/boot && \ | ||
mkdir -p /final/etc && \ | ||
mkdir -p /final/home && \ | ||
mkdir -p /final/lib && \ | ||
mkdir -p /final/lib64 && \ | ||
mkdir -p /final/media && \ | ||
mkdir -p /final/mnt && \ | ||
mkdir -p /final/opt && \ | ||
mkdir -p /final/run && \ | ||
mkdir -p /final/usr/sbin && \ | ||
mkdir -p /final/var/lib/nobody | ||
|
||
USER 65535:65535 | ||
# Some dirs require very specific permissions. | ||
RUN install -dv -m 0750 /final/root && \ | ||
install -dv -m 1777 /final/tmp /final/var/tmp | ||
|
||
# Keep name search configured in line with BCI. | ||
RUN cp /etc/nsswitch.conf /final/etc | ||
|
||
# Differs from BCI, by removing /bin/sh from root: | ||
RUN echo "root:x:0:0:root:/root:/usr/bin/false\nnobody:x:65534:65534:nobody:/var/lib/nobody:/usr/bin/false" > /final/etc/passwd | ||
|
||
RUN cp /etc/shadow /final/etc | ||
RUN cp /etc/group /final/etc | ||
|
||
COPY bin/cis-operator /final/usr/bin/ | ||
|
||
FROM scratch as final | ||
|
||
COPY --from=builder /final/ / | ||
|
||
# Aligns nobody user ID with BCI. | ||
USER 65534:65534 | ||
ENV PATH=/usr/bin | ||
|
||
CMD ["cis-operator"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters