

Merge pull request #274 from abjugard/feature/enable-running-as-non-root
Enable running as non root
hairyhenderson authored Feb 8, 2023
2 parents 6fa9eaf + a5a1dac commit 066a879
Showing 7 changed files with 42 additions and 28 deletions.
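--- a/2.6/alpine/Dockerfile
+++ b/2.6/alpine/Dockerfile
@@ -1,6 +1,9 @@
 FROM alpine:3.16
 
-RUN apk add --no-cache ca-certificates mailcap
+RUN apk add --no-cache \
+ca-certificates \
+libcap \
+mailcap
 
 RUN set -eux; \
 mkdir -p \
@@ -30,6 +33,7 @@ RUN set -eux; \
 echo "$checksum /tmp/caddy.tar.gz" | sha512sum -c; \
 tar x -z -f /tmp/caddy.tar.gz -C /usr/bin caddy; \
 rm -f /tmp/caddy.tar.gz; \
+setcap cap_net_bind_service=+ep /usr/bin/caddy; \
 chmod +x /usr/bin/caddy; \
 caddy version
 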
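Review bot: The image still starts as root after this change — no user is created and no `USER` instruction is added — so `setcap cap_net_bind_service=+ep /usr/bin/caddy` only makes an operator-supplied `--user` work; it does not make non-root the default, and nothing in the Dockerfile says so. The file capability is also only honoured when the runtime keeps CAP_NET_BIND_SERVICE in the container's bounding set and does not set no-new-privileges, so a deployment using `--cap-drop ALL` or a Kubernetes `securityContext` with `allowPrivilegeEscalation: false` will still fail to bind :80/:443 as non-root unless it re-adds the capability. A comment above the setcap line, `# file capability so caddy can bind :80/:443 when started with --user; not honoured under no-new-privileges or cap-drop ALL`, would spare the next maintainer that debugging. The `RUN set -eux` command this line belongs to begins before the hunk.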
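--- a/2.6/builder/Dockerfile
+++ b/2.6/builder/Dockerfile
@@ -1,27 +1,30 @@
 FROM golang:1.19-alpine
 
 RUN apk add --no-cache \
-git \
-ca-certificates
+ca-certificates \
+git \
+libcap
 
-ENV XCADDY_VERSION v0.3.1
+ENV XCADDY_VERSION v0.3.2
 # Configures xcaddy to build with this version of Caddy
 ENV CADDY_VERSION v2.6.2
 # Configures xcaddy to not clean up post-build (unnecessary in a container)
 ENV XCADDY_SKIP_CLEANUP 1
+# Sets capabilities for output caddy binary to be able to bind to privileged ports
+ENV XCADDY_SETCAP 1
 
 RUN set -eux; \
 apkArch="$(apk --print-arch)"; \
 case "$apkArch" in \
-x86_64) binArch='amd64'; checksum='bffe075ac254111ead0238c330a33c7f39f9cc5f7d2b4b3fce48256d79c3f5fb94aec23d816c9ea0e21cd51bda058c05336cfa2849a0d25d821c9280962f9a53' ;; \
-armhf) binArch='armv6'; checksum='6e988c78881bf6463d92e2194a815a243b0b1bb185ff37f321bd74694d55c6ae6490403e99b165fa3548d37340230ef486cba7ff3801d53607d8df4c036baf4c' ;; \
-armv7) binArch='armv7'; checksum='ace94e101d1d1fa368b644043dce5e46a634dd85ecf2a8fcec367281420af48c7609cf451f2930d07fce6238e68dd9848e48aef203dd5c6b4f64c2a67e3010d3' ;; \
-aarch64) binArch='arm64'; checksum='97f3d83124846a22080dd1136d066141c0972a31abc4d54aefd9e7c7a4ad0b3deeede5df4e24b190291235c337c06c340bcdc29e302c253a667494c6825d2a0c' ;; \
-ppc64el|ppc64le) binArch='ppc64le'; checksum='ae8d994dbd1870efb54fcfa7d10b541a01afee482102a5fa0b5852848d88775a54056ecacd96192116cb205bead6a6e3165192a0d1b91f4fc5ef73c9368bc5d0' ;; \
-s390x) binArch='s390x'; checksum='a7ed957d3b9cda7345ae4444302d53c12cf648ec7c354de93c92fbd7a10d104d90cc2b3b41ff357969baaeadb6dab5c074f735bcc41520b7ba35dada87a4ac8f' ;; \
+x86_64) binArch='amd64'; checksum='2538d080f065cf1c5a41c9c14dd6acd55783e004c7ea3fdd6e1bc07c4d846a85b78d5de1111391fda71d48cad9d542a0741593e5b25ea9826faaee74577d8a98' ;; \
+armhf) binArch='armv6'; checksum='5bd99dfc28d867253275c2a6753425a1e8445385449cd5414c8bb14fdf7b513f468c69e0ae8ba431cf4b5e2b5f77666dda2a6811fbe8a1718cae377387319b36' ;; \
+armv7) binArch='armv7'; checksum='e8ea697bcbe029c81ce183b5ec44d095d8919f62a7170a0697dd7531d5a87c980b9aac1442638bf4dee1e60abe0ad698dfa56bed222fe9329ff274f5973f12fe' ;; \
+aarch64) binArch='arm64'; checksum='afbf26528c4238a7d6eaa375c1367d213f7d3359e97193b996a896b89fb852531d33581b8cef6432bd866d1488f5f98ed43a198732c45d5b9d008eb9316d36ab' ;; \
+ppc64el|ppc64le) binArch='ppc64le'; checksum='519e8d7575507e49ddd7d58d168c6223802b94a8954284956db4b72133bf3027de03f9bfc0dc578373ebcb49d668a140fcd54d90888c17cdbbef6ab182a8b511' ;; \
+s390x) binArch='s390x'; checksum='b95078a4231acd54bd56c70d110709c9e290089200855c9448259621c983fa5ecfa925a1e6ab59459750bc6abb936422433543b6079fa547dea4dc08d5daabf9' ;; \
 *) echo >&2 "error: unsupported architecture ($apkArch)"; exit 1 ;;\
 esac; \
-wget -O /tmp/xcaddy.tar.gz "https://github.com/caddyserver/xcaddy/releases/download/v0.3.1/xcaddy_0.3.1_linux_${binArch}.tar.gz"; \
+wget -O /tmp/xcaddy.tar.gz "https://github.com/caddyserver/xcaddy/releases/download/v0.3.2/xcaddy_0.3.2_linux_${binArch}.tar.gz"; \
 echo "$checksum /tmp/xcaddy.tar.gz" | sha512sum -c; \
 tar x -z -f /tmp/xcaddy.tar.gz -C /usr/bin xcaddy; \
 rm -f /tmp/xcaddy.tar.gz; \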
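Review bot: `ENV XCADDY_SETCAP 1` makes every `xcaddy build` run in this image attempt `setcap` on its output, which works here only because `libcap` is now installed alongside it; the comment on that line should state the dependency so the two are not separated later, e.g. `# Sets capabilities ... (requires libcap above)`. The capability is stored as a `security.capability` xattr on the built binary, and whether it survives the `COPY --from=builder` that consumers typically use into a runtime stage depends on the builder in use (I believe BuildKit preserves it, the legacy builder historically did not), so that path deserves a CI check before users rely on it. The xcaddy v0.3.2 bump is covered by the updated sha512 checksums, and the `sha512sum -c` under `set -eux` still aborts the build on a mismatch. The `RUN set -eux` command continues past the end of the hunk.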
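--- a/2.6/windows-builder/1809/Dockerfile
+++ b/2.6/windows-builder/1809/Dockerfile
@@ -2,7 +2,7 @@ FROM golang:1.19-windowsservercore-1809
 
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
-ENV XCADDY_VERSION v0.3.1
+ENV XCADDY_VERSION v0.3.2
 # Configures xcaddy to build with this version of Caddy
 ENV CADDY_VERSION v2.6.2
 # Configures xcaddy to not clean up post-build (unnecessary in a container)
@@ -11,9 +11,9 @@ ENV XCADDY_SKIP_CLEANUP 1
 # Apparently Windows Server 2016 disables TLS 1.2 by default - this enables it so we can talk to GitHub
 RUN [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \
 Invoke-WebRequest \
--Uri "https://github.com/caddyserver/xcaddy/releases/download/v0.3.1/xcaddy_0.3.1_windows_amd64.zip" \
+-Uri "https://github.com/caddyserver/xcaddy/releases/download/v0.3.2/xcaddy_0.3.2_windows_amd64.zip" \
 -OutFile "/xcaddy.zip"; \
-if (!(Get-FileHash -Path /xcaddy.zip -Algorithm SHA512).Hash.ToLower().Equals('f20e6ae1f20b65098ed7d1638a7ba96bd8da8dc8e7b6f771d32f33216abfd20606b821c6780d49ed866629764613deaff9adf3c7a26c35ec9413979b5e1087a6')) { exit 1; }; \
+if (!(Get-FileHash -Path /xcaddy.zip -Algorithm SHA512).Hash.ToLower().Equals('8de1cb65e555e8d7f1124d384904cd53a37d1914106af6ec1cef92f1975bd66b5a1f0e066c2c6b68c85d67de54d52f170f539dff117ce97f4166d8e984a728ba')) { exit 1; }; \
 Expand-Archive -Path "/xcaddy.zip" -DestinationPath "/" -Force; \
 Remove-Item "/xcaddy.zip" -Force
 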
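--- a/2.6/windows-builder/ltsc2022/Dockerfile
+++ b/2.6/windows-builder/ltsc2022/Dockerfile
@@ -2,7 +2,7 @@ FROM golang:1.19-windowsservercore-ltsc2022
 
 SHELL ["powershell", "-Command", "$ErrorActionPreference = 'Stop'; $ProgressPreference = 'SilentlyContinue';"]
 
-ENV XCADDY_VERSION v0.3.1
+ENV XCADDY_VERSION v0.3.2
 # Configures xcaddy to build with this version of Caddy
 ENV CADDY_VERSION v2.6.2
 # Configures xcaddy to not clean up post-build (unnecessary in a container)
@@ -11,9 +11,9 @@ ENV XCADDY_SKIP_CLEANUP 1
 # Apparently Windows Server 2016 disables TLS 1.2 by default - this enables it so we can talk to GitHub
 RUN [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; \
 Invoke-WebRequest \
--Uri "https://github.com/caddyserver/xcaddy/releases/download/v0.3.1/xcaddy_0.3.1_windows_amd64.zip" \
+-Uri "https://github.com/caddyserver/xcaddy/releases/download/v0.3.2/xcaddy_0.3.2_windows_amd64.zip" \
 -OutFile "/xcaddy.zip"; \
-if (!(Get-FileHash -Path /xcaddy.zip -Algorithm SHA512).Hash.ToLower().Equals('f20e6ae1f20b65098ed7d1638a7ba96bd8da8dc8e7b6f771d32f33216abfd20606b821c6780d49ed866629764613deaff9adf3c7a26c35ec9413979b5e1087a6')) { exit 1; }; \
+if (!(Get-FileHash -Path /xcaddy.zip -Algorithm SHA512).Hash.ToLower().Equals('8de1cb65e555e8d7f1124d384904cd53a37d1914106af6ec1cef92f1975bd66b5a1f0e066c2c6b68c85d67de54d52f170f539dff117ce97f4166d8e984a728ba')) { exit 1; }; \
 Expand-Archive -Path "/xcaddy.zip" -DestinationPath "/" -Force; \
 Remove-Item "/xcaddy.zip" -Force
 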
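--- a/Dockerfile.builder.tmpl
+++ b/Dockerfile.builder.tmpl
@@ -1,14 +1,17 @@
 {{ .base | strings.TrimSpace }}
 
 RUN apk add --no-cache \
-git \
-ca-certificates
+ca-certificates \
+git \
+libcap
 
 ENV XCADDY_VERSION v{{ .xcaddy_config.version }}
 # Configures xcaddy to build with this version of Caddy
 ENV CADDY_VERSION v{{ .config.caddy_version }}
 # Configures xcaddy to not clean up post-build (unnecessary in a container)
 ENV XCADDY_SKIP_CLEANUP 1
+# Sets capabilities for output caddy binary to be able to bind to privileged ports
+ENV XCADDY_SETCAP 1
 
 RUN set -eux; \
 apkArch="$(apk --print-arch)"; \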
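--- a/Dockerfile.tmpl
+++ b/Dockerfile.tmpl
@@ -1,6 +1,9 @@
 {{ .base | strings.TrimSpace }}
 
-RUN apk add --no-cache ca-certificates mailcap
+RUN apk add --no-cache \
+ca-certificates \
+libcap \
+mailcap
 
 RUN set -eux; \
 mkdir -p \
@@ -30,6 +33,7 @@ RUN set -eux; \
 echo "$checksum /tmp/caddy.tar.gz" | sha512sum -c; \
 tar x -z -f /tmp/caddy.tar.gz -C /usr/bin caddy; \
 rm -f /tmp/caddy.tar.gz; \
+setcap cap_net_bind_service=+ep /usr/bin/caddy; \
 chmod +x /usr/bin/caddy; \
 caddy version
 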
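Review bot: The new `setcap cap_net_bind_service=+ep /usr/bin/caddy` line carries no comment explaining why it is there, and since this template generates every published Dockerfile it is the only place such a comment can live. Suggest placing above it: `# Grant only CAP_NET_BIND_SERVICE as a file capability so caddy can bind :80/:443 when the container is started with a non-root --user; the image itself still defaults to root.` File capabilities are an xattr on the binary and the kernel clears them when the file is subsequently written, so the step must stay after the `tar` extract as it is now and after any future step that rewrites the binary (strip, compression, re-copy). The `RUN set -eux` command that contains this line begins before the hunk.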
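--- a/stackbrew-config.yaml
+++ b/stackbrew-config.yaml
@@ -12,15 +12,15 @@ versions:
 s390x: 2c8f9b6b28194dcc14db98c0657f6a47f35dbfa6c0a45fc485b488ada7c5b77abb4f880d3763dac1699d1007ba8e0f622a075fc7f394a0f3898fb90883c00407
 windows_amd64: 1454eb2de857fa091a00e62199bb5ea7840210a90a9b04f626f0cf3688cdf69ea736b497e3b8ac0f1b40bb9aba416bfa9e4eb9c33be166665ee0ce02a26cfd98
 xcaddy_config:
-version: '0.3.1'
+version: '0.3.2'
 checksums:
-amd64: bffe075ac254111ead0238c330a33c7f39f9cc5f7d2b4b3fce48256d79c3f5fb94aec23d816c9ea0e21cd51bda058c05336cfa2849a0d25d821c9280962f9a53
-arm32v6: 6e988c78881bf6463d92e2194a815a243b0b1bb185ff37f321bd74694d55c6ae6490403e99b165fa3548d37340230ef486cba7ff3801d53607d8df4c036baf4c
-arm32v7: ace94e101d1d1fa368b644043dce5e46a634dd85ecf2a8fcec367281420af48c7609cf451f2930d07fce6238e68dd9848e48aef203dd5c6b4f64c2a67e3010d3
-arm64v8: 97f3d83124846a22080dd1136d066141c0972a31abc4d54aefd9e7c7a4ad0b3deeede5df4e24b190291235c337c06c340bcdc29e302c253a667494c6825d2a0c
-ppc64le: ae8d994dbd1870efb54fcfa7d10b541a01afee482102a5fa0b5852848d88775a54056ecacd96192116cb205bead6a6e3165192a0d1b91f4fc5ef73c9368bc5d0
-s390x: a7ed957d3b9cda7345ae4444302d53c12cf648ec7c354de93c92fbd7a10d104d90cc2b3b41ff357969baaeadb6dab5c074f735bcc41520b7ba35dada87a4ac8f
-windows_amd64: f20e6ae1f20b65098ed7d1638a7ba96bd8da8dc8e7b6f771d32f33216abfd20606b821c6780d49ed866629764613deaff9adf3c7a26c35ec9413979b5e1087a6
+amd64: 2538d080f065cf1c5a41c9c14dd6acd55783e004c7ea3fdd6e1bc07c4d846a85b78d5de1111391fda71d48cad9d542a0741593e5b25ea9826faaee74577d8a98
+arm32v6: 5bd99dfc28d867253275c2a6753425a1e8445385449cd5414c8bb14fdf7b513f468c69e0ae8ba431cf4b5e2b5f77666dda2a6811fbe8a1718cae377387319b36
+arm32v7: e8ea697bcbe029c81ce183b5ec44d095d8919f62a7170a0697dd7531d5a87c980b9aac1442638bf4dee1e60abe0ad698dfa56bed222fe9329ff274f5973f12fe
+arm64v8: afbf26528c4238a7d6eaa375c1367d213f7d3359e97193b996a896b89fb852531d33581b8cef6432bd866d1488f5f98ed43a198732c45d5b9d008eb9316d36ab
+ppc64le: 519e8d7575507e49ddd7d58d168c6223802b94a8954284956db4b72133bf3027de03f9bfc0dc578373ebcb49d668a140fcd54d90888c17cdbbef6ab182a8b511
+s390x: b95078a4231acd54bd56c70d110709c9e290089200855c9448259621c983fa5ecfa925a1e6ab59459750bc6abb936422433543b6079fa547dea4dc08d5daabf9
+windows_amd64: 8de1cb65e555e8d7f1124d384904cd53a37d1914106af6ec1cef92f1975bd66b5a1f0e066c2c6b68c85d67de54d52f170f539dff117ce97f4166d8e984a728ba
 # configuration for the stackbrew.tmpl template
 variants:
 - dir: alpine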
