From bbe3ba426837fdcac89d7ff0758cee5de84686a4 Mon Sep 17 00:00:00 2001
From: jcrichlake
Date: Mon, 26 Aug 2024 12:29:38 -0400
Subject: [PATCH 1/6] Fixing user permissions for Docker file

Co-authored-by: halprin
---
 Dockerfile | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 84348a2ff..f4e863255 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,18 @@
 # Use Linux-Alpine image
 FROM amazoncorretto:17.0.12-alpine
 
-RUN apk -U upgrade
+RUN apk update && apk -U upgrade && rm -rf /var/cache/apk/*
+
+RUN adduser -S myLowPrivilegeUser
+USER myLowPrivilegeUser
 
 ARG JAR_LIB_FILE=./app/build/libs/app-all.jar
 
 # Create directory and switch to it
-WORKDIR /app
+WORKDIR /home/myLowPrivilegeUser/app/
 
 # Add application JAR to created folder
-COPY ${JAR_LIB_FILE} app.jar
+COPY --chown=myLowPrivilegeUser ${JAR_LIB_FILE} app.jar
 
 # Run the api
 CMD ["java", "-jar", "app.jar"]

From db9f177de9885b0c81ebe8d4aa5401b17c03f2ec Mon Sep 17 00:00:00 2001
From: jcrichlake
Date: Mon, 26 Aug 2024 15:59:47 -0400
Subject: [PATCH 2/6] Attempted fix for internal

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index f4e863255..2922bda5c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,7 @@ USER myLowPrivilegeUser
 ARG JAR_LIB_FILE=./app/build/libs/app-all.jar
 
 # Create directory and switch to it
-WORKDIR /home/myLowPrivilegeUser/app/
+WORKDIR /home/myLowPrivilegeUser/app
 
 # Add application JAR to created folder
 COPY --chown=myLowPrivilegeUser ${JAR_LIB_FILE} app.jar

From 3798dcb0c8cbeaccd6c647934c437d5061ad7cdc Mon Sep 17 00:00:00 2001
From: halprin
Date: Tue, 27 Aug 2024 08:55:15 -0600
Subject: [PATCH 3/6] Put the jar in the coconut

---
 Dockerfile | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 2922bda5c..4405713e8 100644
--- a/Dockerfile
+++ b/Dockerfile
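Review bot: `USER myLowPrivilegeUser` is switched before `WORKDIR /home/myLowPrivilegeUser/app/` exists, and `adduser -S` with no `-u` takes whatever system UID is free, so the identity is not stable across builds and an orchestrator that enforces a non-root check cannot verify a name-only `USER`. `COPY --chown=myLowPrivilegeUser` with no group part sets the file's GID to the same number as the UID, which need not be an existing group in the image. A fixed id makes both explicit: `RUN adduser -S -u 10001 myLowPrivilegeUser` followed by `USER 10001`, with an explicit `user:group` on the `--chown`; whether the builder creates the WORKDIR owned by that user or by root varies by builder version, so the directory's writability at runtime is worth checking rather than assumed. Separately, `apk -U upgrade` already refreshes the index, so the leading `apk update` is redundant, and upgrading packages at build time ties the image contents to the build date rather than to the pinned base tag.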
@@ -9,7 +9,8 @@ USER myLowPrivilegeUser
 ARG JAR_LIB_FILE=./app/build/libs/app-all.jar
 
 # Create directory and switch to it
-WORKDIR /home/myLowPrivilegeUser/app
+#WORKDIR /home/myLowPrivilegeUser/app
+WORKDIR /usr/local/bin/
 
 # Add application JAR to created folder
 COPY --chown=myLowPrivilegeUser ${JAR_LIB_FILE} app.jar

From 69f2114e1652ea310f86215dfcfa6a2979011fc7 Mon Sep 17 00:00:00 2001
From: halprin
Date: Tue, 27 Aug 2024 09:47:39 -0600
Subject: [PATCH 4/6] Set the workdir to a place where we can write files

---
 Dockerfile | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4405713e8..33dd45b9a 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,14 +9,13 @@ USER myLowPrivilegeUser
 ARG JAR_LIB_FILE=./app/build/libs/app-all.jar
 
 # Create directory and switch to it
-#WORKDIR /home/myLowPrivilegeUser/app
-WORKDIR /usr/local/bin/
+WORKDIR /home/myLowPrivilegeUser/app/
 
 # Add application JAR to created folder
-COPY --chown=myLowPrivilegeUser ${JAR_LIB_FILE} app.jar
+COPY --chown=myLowPrivilegeUser ${JAR_LIB_FILE} /usr/local/bin/app.jar
 
 # Run the api
-CMD ["java", "-jar", "app.jar"]
+CMD ["java", "-jar", "/usr/local/bin/app.jar"]
 
 # Use port 8080
 EXPOSE 8080

From d1cfe1f5f1c48faefe4b52da3282f5143fdee93e Mon Sep 17 00:00:00 2001
From: halprin
Date: Tue, 27 Aug 2024 10:58:15 -0600
Subject: [PATCH 5/6] add comments describing why we are doing certain things

---
 Dockerfile | 13 +++++--------
 1 file changed, 5 insertions(+), 8 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 33dd45b9a..3fcb0cac4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,3 @@
-# Use Linux-Alpine image
 FROM amazoncorretto:17.0.12-alpine
 
 RUN apk update && apk -U upgrade && rm -rf /var/cache/apk/*
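Review bot: The commented-out `#WORKDIR /home/myLowPrivilegeUser/app` should be deleted rather than kept next to the new `WORKDIR /usr/local/bin/`; git history already records the old value, and a dead instruction in a Dockerfile invites someone to re-enable it without knowing why it was disabled. Moving the working directory to `/usr/local/bin/` also means the service runs from, and the jar is copied into, a root-owned system binary directory that `myLowPrivilegeUser` cannot write to, so any relative-path file writes the application makes will fail at runtime. The later patch 69f2114 moves the working directory back, which addresses that part.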
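Review bot: `COPY --chown=myLowPrivilegeUser ${JAR_LIB_FILE} /usr/local/bin/app.jar` makes the service's own executable writable by the account that runs it, which gives back part of what dropping root gained: a compromised process can modify `app.jar` in place and the change persists for the container's lifetime. Since the jar now lives in `/usr/local/bin`, a root-owned, world-readable directory, `--chown` is not needed for Java to read it, and `COPY` is performed by the builder rather than by the preceding `USER`, so `COPY ${JAR_LIB_FILE} /usr/local/bin/app.jar` leaves the file root-owned and read-only for the runtime user. If `--chown` was added as part of working around the platform failure that later commits mention, it is worth re-testing without it, because read access is all the `CMD` requires.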
@@ -6,16 +5,14 @@ RUN apk update && apk -U upgrade && rm -rf /var/cache/apk/*
 RUN adduser -S myLowPrivilegeUser
 USER myLowPrivilegeUser
 
-ARG JAR_LIB_FILE=./app/build/libs/app-all.jar
-
-# Create directory and switch to it
+# Set the workdir to a location that the running application can write to
+# which is in the myLowPrivilegeUser home folder because we are running as that user instead of root.
 WORKDIR /home/myLowPrivilegeUser/app/
 
-# Add application JAR to created folder
-COPY --chown=myLowPrivilegeUser ${JAR_LIB_FILE} /usr/local/bin/app.jar
+# Copy the jar file into /usr/local/bin/ because it seemingly needs to go to a location that any user can access.
+# If we put the jar file into the myLowPrivilegeUser's home directly, the container fails to run in Azure.
+COPY --chown=myLowPrivilegeUser ./app/build/libs/app-all.jar /usr/local/bin/app.jar
 
-# Run the api
 CMD ["java", "-jar", "/usr/local/bin/app.jar"]
 
-# Use port 8080
 EXPOSE 8080

From f46bff33dc3320ddebeb35252e75b889899e69e5 Mon Sep 17 00:00:00 2001
From: halprin
Date: Tue, 27 Aug 2024 11:31:34 -0600
Subject: [PATCH 6/6] Added more precise comments back

---
 Dockerfile | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 3fcb0cac4..c00006314 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,7 +1,9 @@
 FROM amazoncorretto:17.0.12-alpine
 
+# Uppdate dependencies and clear the dependency cache.
 RUN apk update && apk -U upgrade && rm -rf /var/cache/apk/*
 
+# Create and use a lower permission (non-root) user.
 RUN adduser -S myLowPrivilegeUser
 USER myLowPrivilegeUser
 
@@ -13,6 +15,8 @@ WORKDIR /home/myLowPrivilegeUser/app/
 # If we put the jar file into the myLowPrivilegeUser's home directly, the container fails to run in Azure.
 COPY --chown=myLowPrivilegeUser ./app/build/libs/app-all.jar /usr/local/bin/app.jar
 
+# Run the service.
 CMD ["java", "-jar", "/usr/local/bin/app.jar"]
 
+# Inform Docker that this container listens on the specified port.
 EXPOSE 8080
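Review bot: Replacing `ARG JAR_LIB_FILE=./app/build/libs/app-all.jar` with a hard-coded path in the `COPY` is a functional change (the jar location can no longer be overridden with `--build-arg`) inside a commit described as adding comments; if the override is unused that is fine, but the commit message should say so. The new comment records a symptom rather than a cause: "seemingly needs to go to a location that any user can access" does not follow from `--chown=myLowPrivilegeUser`, which assigns ownership to one user, and "fails to run in Azure" leaves the next maintainer unable to tell whether the constraint still holds or how to verify it. If the deployment platform mounts persistent storage over `/home` at runtime, anything the image placed under that path would be shadowed, which would explain the failure; whatever the verified reason turns out to be, the comment should name it, e.g. `# The jar must live outside /home: <verified reason here>.`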
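Review bot: The added comment `# Uppdate dependencies and clear the dependency cache.` has a typo and describes the step inaccurately: `apk -U upgrade` upgrades the base image's installed OS packages, not application dependencies, and `/var/cache/apk/*` is the apk package cache. A more precise line is `# Upgrade the base image's OS packages to pick up fixes, then clear the apk package cache.`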