security: run container as non-root user
- Add appgroup and appuser (uid 1000) - Set ownership of /app directory to appuser - Switch to non-root user before running server
This commit is contained in:
10
Dockerfile
10
Dockerfile
@@ -26,13 +26,16 @@ WORKDIR /app
|
|||||||
# 安装运行时依赖
|
# 安装运行时依赖
|
||||||
RUN apk add --no-cache ca-certificates tzdata
|
RUN apk add --no-cache ca-certificates tzdata
|
||||||
|
|
||||||
|
# 创建非 root 用户
|
||||||
|
RUN addgroup -g 1000 appgroup && adduser -u 1000 -G appgroup -s /bin/sh -D appuser
|
||||||
|
|
||||||
# 从构建阶段复制二进制文件
|
# 从构建阶段复制二进制文件
|
||||||
COPY --from=builder /build/server .
|
COPY --from=builder /build/server .
|
||||||
COPY --from=builder /build/configs ./configs
|
COPY --from=builder /build/configs ./configs
|
||||||
COPY --from=builder /build/data ./data
|
COPY --from=builder /build/data ./data
|
||||||
|
|
||||||
# 创建日志目录
|
# 创建日志目录并设置权限
|
||||||
RUN mkdir -p /app/logs
|
RUN mkdir -p /app/logs && chown -R appuser:appgroup /app
|
||||||
|
|
||||||
# 设置时区
|
# 设置时区
|
||||||
ENV TZ=Asia/Shanghai
|
ENV TZ=Asia/Shanghai
|
||||||
@@ -45,5 +48,8 @@ EXPOSE 8080
|
|||||||
HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=5s \
|
HEALTHCHECK --interval=30s --timeout=10s --retries=3 --start-period=5s \
|
||||||
CMD wget -q --spider http://localhost:8080/api/v1/health || exit 1
|
CMD wget -q --spider http://localhost:8080/api/v1/health || exit 1
|
||||||
|
|
||||||
|
# 切换到非 root 用户
|
||||||
|
USER appuser
|
||||||
|
|
||||||
# 启动命令
|
# 启动命令
|
||||||
CMD ["./server"]
|
CMD ["./server"]
|
||||||
|
|||||||
Reference in New Issue
Block a user