Skip to content

Commit

Permalink
Use non-root user in Docker image
Browse files Browse the repository at this point in the history
Signed-off-by: Nicko Guyer <[email protected]>
  • Loading branch information
nguyer committed Jan 9, 2024
1 parent 85da316 commit 2bc8a3a
Show file tree
Hide file tree
Showing 2 changed files with 32 additions and 11 deletions.
41 changes: 31 additions & 10 deletions Dockerfile
Original file line number Diff line number Diff line change
Expand Up @@ -11,15 +11,27 @@ ARG BUILD_VERSION
ARG GIT_REF
RUN apk add make gcc build-base curl git
WORKDIR /firefly
ADD go.mod go.sum ./
RUN chgrp -R 0 /firefly \
&& chmod -R g+rwX /firefly \
&& mkdir /.cache \
&& chgrp -R 0 /.cache \
&& chmod -R g+rwX /.cache
USER 1001
ADD --chown=1001:0 go.mod go.sum ./
RUN go mod download
ADD . .
ADD --chown=1001:0 . .
RUN make build

FROM --platform=$FABRIC_BUILDER_PLATFORM $FABRIC_BUILDER_TAG AS fabric-builder
RUN apk add libc6-compat
WORKDIR /firefly/smart_contracts/fabric/firefly-go
ADD smart_contracts/fabric/firefly-go .
RUN chgrp -R 0 /firefly \
&& chmod -R g+rwX /firefly \
&& mkdir /.cache \
&& chgrp -R 0 /.cache \
&& chmod -R g+rwX /.cache
USER 1001
ADD --chown=1001:0 smart_contracts/fabric/firefly-go .
RUN GO111MODULE=on go mod vendor
WORKDIR /tmp/fabric
RUN wget https://github.com/hyperledger/fabric/releases/download/v2.3.2/hyperledger-fabric-linux-amd64-2.3.2.tar.gz
Expand All @@ -29,9 +41,12 @@ RUN ./bin/peer lifecycle chaincode package /firefly/smart_contracts/fabric/firef

FROM $SOLIDITY_BUILDER_TAG AS solidity-builder
WORKDIR /firefly/solidity_firefly
ADD smart_contracts/ethereum/solidity_firefly/ .
RUN apk add jq \
&& mkdir -p build/contracts \
RUN apk add jq
RUN chgrp -R 0 /firefly \
&& chmod -R g+rwX /firefly
ADD --chown=1001:0 smart_contracts/ethereum/solidity_firefly/ .
USER 1001
RUN mkdir -p build/contracts \
&& cd contracts \
&& solc --combined-json abi,bin,devdoc -o ../build/contracts Firefly.sol \
&& cd ../build/contracts \
Expand All @@ -42,15 +57,21 @@ ARG UI_TAG
ARG UI_RELEASE
RUN apk add --update --no-cache sqlite postgresql-client curl jq
WORKDIR /firefly
RUN chgrp -R 0 /firefly \
&& chmod -R g+rwX /firefly \
&& mkdir /etc/firefly \
&& chgrp -R 0 /etc/firefly \
&& chmod -R g+rwX /firefly
RUN curl -sL "https://github.com/golang-migrate/migrate/releases/download/$(curl -sL https://api.github.com/repos/golang-migrate/migrate/releases/latest | jq -r '.name')/migrate.linux-amd64.tar.gz" | tar xz \
&& chmod +x ./migrate \
&& mv ./migrate /usr/bin/migrate
COPY --from=firefly-builder /firefly/firefly ./firefly
COPY --from=firefly-builder /firefly/db ./db
COPY --from=solidity-builder /firefly/solidity_firefly/build/contracts ./contracts
COPY --from=fabric-builder /firefly/smart_contracts/fabric/firefly-go/firefly_fabric.tar.gz ./contracts/firefly_fabric.tar.gz
COPY --from=firefly-builder --chown=1001:0 /firefly/firefly ./firefly
COPY --from=firefly-builder --chown=1001:0 /firefly/db ./db
COPY --from=solidity-builder --chown=1001:0 /firefly/solidity_firefly/build/contracts ./contracts
COPY --from=fabric-builder --chown=1001:0 /firefly/smart_contracts/fabric/firefly-go/firefly_fabric.tar.gz ./contracts/firefly_fabric.tar.gz
ENV UI_RELEASE https://github.com/hyperledger/firefly-ui/releases/download/$UI_TAG/$UI_RELEASE.tgz
RUN mkdir /firefly/frontend \
&& curl -sLo - $UI_RELEASE | tar -C /firefly/frontend -zxvf -
RUN ln -s /firefly/firefly /usr/bin/firefly
USER 1001
ENTRYPOINT [ "firefly" ]
2 changes: 1 addition & 1 deletion manifest.json
Original file line number Diff line number Diff line change
Expand Up @@ -59,6 +59,6 @@
"release": "v1.2.0"
},
"cli": {
"tag": "v1.2.1"
"tag": "14387a519ef794e41b85c039e40ddc419fd5967a"
}
}

0 comments on commit 2bc8a3a

Please sign in to comment.