From 59bd37f9f8a41deb71ee856e79d3e7e2b7bce826 Mon Sep 17 00:00:00 2001
From: Ari Yonaty <18715356+ariyonaty@users.noreply.github.com>
Date: Fri, 11 Oct 2024 14:01:33 +0000
Subject: [PATCH] Convert docker image from Debian to Alpine (#679)
---
 docker/Dockerfile | 27 +++++++++++++++------------
 1 file changed, 15 insertions(+), 12 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index da5c7383c..ea19a62a9 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,7 +1,7 @@
 # BUILD STAGE ---------------------------------------
 # split this stage to save time and reduce image size
 # ---------------------------------------------------
-FROM python:3.10-bookworm AS build-stage
+FROM python:3.10-alpine AS build-stage
 # from now on, work in the /app directory
 WORKDIR /app/
 # Layer dependency install (for caching)
@@ -10,7 +10,9 @@ COPY ./packages/opal-common/requires.txt ./common_requires.txt
 COPY ./packages/opal-client/requires.txt ./client_requires.txt
 COPY ./packages/opal-server/requires.txt ./server_requires.txt
 # install python deps
-RUN pip install --no-cache-dir --upgrade pip && pip install --no-cache-dir -r ./base_requires.txt -r ./common_requires.txt -r ./client_requires.txt -r ./server_requires.txt
+RUN apk add gcc python3-dev musl-dev zlib-dev linux-headers && \
+ pip install --no-cache-dir --upgrade pip && \
+ pip install --no-cache-dir -r ./base_requires.txt -r ./common_requires.txt -r ./client_requires.txt -r ./server_requires.txt
 # CEDAR AGENT BUILD STAGE ---------------------------
 # split this stage to save time and reduce image size
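Review bot: The build-stage `RUN apk add gcc python3-dev musl-dev zlib-dev linux-headers` installs without `--no-cache` and without version pins, unlike the common stage's `apk add --no-cache jq bash` later in this patch; the same omission is on the server stage's `apk add openssh-client git`. Without `--no-cache` the fetched APKINDEX stays in `/var/cache/apk` inside that layer, and unpinned packages make rebuilds non-reproducible, which matters most for the server stage because that layer ships in the final image. Suggest `RUN apk add --no-cache gcc python3-dev musl-dev zlib-dev linux-headers && \` here and the same flag on the server-stage line. The build stage continues past the end of this hunk.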
@@ -22,24 +24,25 @@ RUN CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse cargo build --release
 # COMMON IMAGE --------------------------------------
 # ---------------------------------------------------
-FROM python:3.10-slim-bookworm AS common
+FROM python:3.10-alpine AS common
 # copy libraries from build stage (This won't copy redundant libraries we used in build-stage)
 # also remove the default python site-packages that has older versions of packages that won't be overridden
 RUN rm -r /usr/local/lib/python3.10/site-packages
 COPY --from=build-stage /usr/local /usr/local
-# Add non-root user (with home dir at /opal)
-RUN useradd -m -b / -s /bin/bash opal
+# Add non-root user (with home dir)
 WORKDIR /opal
+RUN addgroup -g 1000 -S opal && \
+ adduser -u 1000 -S -s /bin/bash -G opal opal && \
+ chown -R 1000:1000 /opal
 # copy wait-for script (create link at old path to maintain backward compatibility)
 COPY scripts/wait-for.sh .
 RUN chmod +x ./wait-for.sh
 RUN ln -s /opal/wait-for.sh /usr/wait-for.sh
-# netcat (nc) is used by the wait-for.sh script
-RUN apt-get update && apt-get install -y netcat-traditional jq && apt-get clean
+RUN apk add --no-cache jq bash
 # copy startup script (create link at old path to maintain backward compatibility)
 COPY ./scripts/start.sh .
@@ -80,9 +83,10 @@ ENV OPAL_INLINE_OPA_ENABLED=false
 # expose opal client port
 EXPOSE 7000
-USER opal
-RUN mkdir -p /opal/backup
+RUN mkdir -p /opal/backup && \
+ chown -R 1000:1000 /opal
+USER opal
 VOLUME /opal/backup
@@ -144,8 +148,7 @@ USER opal
 # ---------------------------------------------------
 FROM common AS server
-RUN apt-get update && apt-get install -y openssh-client git && apt-get clean
-RUN git config --global core.symlinks false # Mitigate CVE-2024-32002
+RUN apk add openssh-client git
 USER opal
@@ -198,4 +201,4 @@ ENV OPAL_POLICY_REPO_REUSE_CLONE_PATH=true
 # expose opal server port
 EXPOSE 7002
-USER opal
+USER opal
\ No newline at end of file
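Review bot: The removed comment `# netcat (nc) is used by the wait-for.sh script` explained why netcat was installed, but the replacement `RUN apk add --no-cache jq bash` installs no netcat and leaves no note on where `nc` now comes from; presumably the base image's busybox `nc` applet, whose option set differs from Debian's netcat-traditional, so confirm the flags wait-for.sh passes still work. Suggest restoring a comment such as `# nc used by wait-for.sh comes from busybox on alpine; jq and bash are needed by the scripts`. Separately, `adduser -u 1000 -S -s /bin/bash -G opal opal` names a shell that only exists once the later `apk add --no-cache jq bash` line runs; this works because both are in the same stage, but a one-line comment would save the next reader the question. The common stage continues past this hunk.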
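Review bot: `chown -R 1000:1000 /opal` after `mkdir -p /opal/backup` re-walks everything already copied into /opal (wait-for.sh, start.sh and whatever is added between the hunks), and because an ownership change is stored as a full file copy in the new layer, those files are duplicated in the image; the same pattern in the user-creation RUN of the common stage is harmless since /opal is still empty there. Prefer `COPY --chown=1000:1000` at the copy sites and narrow this line to `RUN mkdir -p /opal/backup && chown 1000:1000 /opal/backup`. Moving `USER opal` below the chown is right, since the chown needs root, and the numeric ids match the `adduser -u 1000` above.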
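Review bot: The line `RUN git config --global core.symlinks false # Mitigate CVE-2024-32002` is dropped from the server stage with nothing replacing it, and the patch does not state that the apk-provided git carries the upstream fix; since `python:3.10-alpine` is a floating tag, which Alpine release and git version the stage gets is not fixed by this Dockerfile. Either pin git to a version known to be fixed (`git=<version-from-apk-index>`) or keep the setting; if kept, note that `--global` run as root before `USER opal` presumably writes /root/.gitconfig, which git processes running as `opal` would not read, so `git config --system core.symlinks false` (writing /etc/gitconfig) is the form that actually applies. The new line also omits `--no-cache`, which the common stage uses; `RUN apk add --no-cache openssh-client git && \` followed by `    git config --system core.symlinks false # Mitigate CVE-2024-32002` covers both points.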