Rootless docker images by default (#358)

* Rootless docker images by default * Migrate to rootless base image Co-authored-by: Aliaksandr Valialkin <valyala@gmail.com>
2025-01-20 07:19:17 +01:00 · 2020-03-27 22:18:32 +03:00 · 2020-03-27 22:18:32 +03:00 · b84071fc25
commit b84071fc25
parent b803bcca6b
11 changed files with 58 additions and 43 deletions
--- a/app/vmagent/deployment/Dockerfile
+++ b/app/vmagent/deployment/Dockerfile
@ -1,8 +1,8 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ARG base_image
+FROM $base_image
+
+EXPOSE 8429
+
+ENTRYPOINT ["/vmagent-prod"]
 ARG src_binary
 COPY $src_binary ./vmagent-prod
-EXPOSE 8429
-ENTRYPOINT ["/vmagent-prod"]
--- a/app/vmbackup/deployment/Dockerfile
+++ b/app/vmbackup/deployment/Dockerfile
@ -1,7 +1,6 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ARG base_image
+FROM $base_image
+
+ENTRYPOINT ["/vmbackup-prod"]
 ARG src_binary
 COPY $src_binary ./vmbackup-prod
-ENTRYPOINT ["/vmbackup-prod"]
--- a/app/vminsert/deployment/Dockerfile
+++ b/app/vminsert/deployment/Dockerfile
@ -1,8 +1,8 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ARG base_image
+FROM $base_image
+
+EXPOSE 8480
+
+ENTRYPOINT ["/vminsert-prod"]
 ARG src_binary
 COPY $src_binary ./vminsert-prod
-EXPOSE 8480
-ENTRYPOINT ["/vminsert-prod"]
--- a/app/vmrestore/deployment/Dockerfile
+++ b/app/vmrestore/deployment/Dockerfile
@ -1,7 +1,6 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ARG base_image
+FROM $base_image
+
+ENTRYPOINT ["/vmrestore-prod"]
 ARG src_binary
 COPY $src_binary ./vmrestore-prod
-ENTRYPOINT ["/vmrestore-prod"]
--- a/app/vmselect/deployment/Dockerfile
+++ b/app/vmselect/deployment/Dockerfile
@ -1,8 +1,8 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ARG base_image
+FROM $base_image
+
+EXPOSE 8481
+
+ENTRYPOINT ["/vmselect-prod"]
 ARG src_binary
 COPY $src_binary ./vmselect-prod
-EXPOSE 8481
-ENTRYPOINT ["/vmselect-prod"]
--- a/app/vmstorage/deployment/Dockerfile
+++ b/app/vmstorage/deployment/Dockerfile
@ -1,10 +1,10 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-ARG src_binary
-COPY $src_binary ./vmstorage-prod
+ARG base_image
+FROM $base_image
+
 EXPOSE 8482
 EXPOSE 8400
 EXPOSE 8401
+
 ENTRYPOINT ["/vmstorage-prod"]
+ARG src_binary
+COPY $src_binary ./vmstorage-prod
--- a/deployment/docker/Makefile
+++ b/deployment/docker/Makefile
@ -2,17 +2,17 @@

 DOCKER_NAMESPACE := docker.io/victoriametrics
 BUILDER_IMAGE := local/builder:go1.14.1
-CERTS_IMAGE := local/certs:1.0.3
+BASE_IMAGE := local/base:1.0.0

-package-certs:
-	(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep -q '$(CERTS_IMAGE)$$') \
-		|| docker build -t $(CERTS_IMAGE) deployment/docker/certs
+package-base:
+	(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep -q '$(BASE_IMAGE)$$') \
+		|| docker build -t $(BASE_IMAGE) deployment/docker/base

 package-builder:
 	(docker image ls --format '{{.Repository}}:{{.Tag}}' | grep -q '$(BUILDER_IMAGE)$$') \
 		|| docker build -t $(BUILDER_IMAGE) deployment/docker/builder

-app-via-docker: package-certs package-builder
+app-via-docker: package-base package-builder
 	mkdir -p gocache-for-docker
 	docker run --rm \
 		--user $(shell id -u):$(shell id -g) \
@ -31,7 +31,7 @@ package-via-docker:
 		$(MAKE) app-via-docker && \
 		docker build \
 			--build-arg src_binary=$(APP_NAME)$(APP_SUFFIX)-prod \
-			--build-arg certs_image=$(CERTS_IMAGE) \
+			--build-arg base_image=$(BASE_IMAGE) \
 			-t $(DOCKER_NAMESPACE)/$(APP_NAME):$(PKG_TAG)$(APP_SUFFIX)$(RACE) \
 			-f app/$(APP_NAME)/deployment/Dockerfile bin)

--- a/deployment/docker/base/Dockerfile
+++ b/deployment/docker/base/Dockerfile
@ -0,0 +1,16 @@
+# See https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b
+FROM alpine:3.10 as base
+
+RUN apk --update --no-cache add ca-certificates
+
+RUN mkdir /future-tmp
+
+FROM scratch
+
+COPY --chown=0:0 ./passwd ./group /etc/
+USER 1000
+
+COPY --from=base --chown=1000:1000 /future-tmp /tmp
+COPY --from=base --chown=1000:1000 /future-tmp /vmstorage-data
+
+COPY --from=base --chown=1000:1000 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
--- a/deployment/docker/base/group
+++ b/deployment/docker/base/group
@ -0,0 +1,2 @@
+root:x:0:root
+victoriametrics:x:1000:victoriametrics
--- a/deployment/docker/base/passwd
+++ b/deployment/docker/base/passwd
@ -0,0 +1,2 @@
+root:x:0:0:root:/root:/bin/ash
+victoriametrics:x:1000:1000::/:
--- a/deployment/docker/certs/Dockerfile
+++ b/deployment/docker/certs/Dockerfile
@ -1,3 +0,0 @@
-# See https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b
-FROM alpine:3.10 as certs
-RUN apk --update add ca-certificates