DevFW-CICD/ingress-nginx-helm
16
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nginx-slim: dropping privileges from root

Browse source
This commit is contained in:
Jonathan Pulsifer 2017-06-17 22:32:41 -04:00
parent 34dee39990
commit 34d084025e
No known key found for this signature in database
GPG key ID: 0472D3B3F5012430
3 changed files with 20 additions and 10 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
images/nginx-slim/Dockerfile
View file

@ -26,6 +26,7 @@ RUN /tmp/build.sh
RUN ln -sf /dev/stdout /var/log/nginx/access.log RUN ln -sf /dev/stdout /var/log/nginx/access.log
RUN ln -sf /dev/stderr /var/log/nginx/error.log RUN ln -sf /dev/stderr /var/log/nginx/error.log
EXPOSE 80 443 EXPOSE 8080 8443
USER nginx
CMD ["nginx", "-g", "daemon off;"] CMD ["nginx", "-g", "daemon off;"]

2
images/nginx-slim/Makefile
View file

@ -13,7 +13,7 @@
# limitations under the License. # limitations under the License.
# 0.0.0 shouldn't clobber any released builds # 0.0.0 shouldn't clobber any released builds
TAG = 0.18 TAG = 0.19
REGISTRY = gcr.io/google_containers REGISTRY = gcr.io/google_containers
ARCH ?= $(shell go env GOARCH) ARCH ?= $(shell go env GOARCH)
ALL_ARCH = amd64 arm ppc64le ALL_ARCH = amd64 arm ppc64le

25
images/nginx-slim/build.sh
View file

@ -55,6 +55,9 @@ if [[ ${ARCH} == "ppc64le" ]]; then
apt-get update && apt-get install --no-install-recommends -y lua5.1 lua5.1-dev apt-get update && apt-get install --no-install-recommends -y lua5.1 lua5.1-dev
fi fi
# add user and group
adduser --system --group nginx
# install required packages to build # install required packages to build
apt-get update && apt-get install --no-install-recommends -y \ apt-get update && apt-get install --no-install-recommends -y \
bash \ bash \
@ -161,7 +164,7 @@ fi
--http-log-path=/var/log/nginx/access.log \ --http-log-path=/var/log/nginx/access.log \
--error-log-path=/var/log/nginx/error.log \ --error-log-path=/var/log/nginx/error.log \
--lock-path=/var/lock/nginx.lock \ --lock-path=/var/lock/nginx.lock \
--pid-path=/run/nginx.pid \ --pid-path=/run/nginx/nginx.pid \
--http-client-body-temp-path=/var/lib/nginx/body \ --http-client-body-temp-path=/var/lib/nginx/body \
--http-fastcgi-temp-path=/var/lib/nginx/fastcgi \ --http-fastcgi-temp-path=/var/lib/nginx/fastcgi \
--http-proxy-temp-path=/var/lib/nginx/proxy \ --http-proxy-temp-path=/var/lib/nginx/proxy \
@ -240,7 +243,19 @@ apt-get remove -y --purge \
apt-get autoremove -y apt-get autoremove -y
mkdir -p /var/lib/nginx/body /usr/share/nginx/html # Download of GeoIP databases
curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
&& curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
&& gunzip /etc/nginx/GeoIP.dat.gz \
&& gunzip /etc/nginx/GeoLiteCity.dat.gz
# create runtime directories
mkdir -p /var/lib/nginx/body /usr/share/nginx/html /run/nginx
chown -R nginx:nginx /etc/nginx /var/lib/nginx /run/nginx
# use non privileged port by default
sed -i 's/listen 80;/listen 8080;/' /etc/nginx/nginx.conf
mv /usr/share/nginx/sbin/nginx /usr/sbin mv /usr/share/nginx/sbin/nginx /usr/sbin
@ -249,9 +264,3 @@ rm -Rf /usr/share/man /usr/share/doc
rm -rf /tmp/* /var/tmp/* rm -rf /tmp/* /var/tmp/*
rm -rf /var/lib/apt/lists/* rm -rf /var/lib/apt/lists/*
rm -rf /var/cache/apt/archives/* rm -rf /var/cache/apt/archives/*
# Download of GeoIP databases
curl -sSL -o /etc/nginx/GeoIP.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCountry/GeoIP.dat.gz \
&& curl -sSL -o /etc/nginx/GeoLiteCity.dat.gz http://geolite.maxmind.com/download/geoip/database/GeoLiteCity.dat.gz \
&& gunzip /etc/nginx/GeoIP.dat.gz \
&& gunzip /etc/nginx/GeoLiteCity.dat.gz