feat: unprivileged prod container w/ nobody+alpine
All checks were successful
continuous-integration/drone/push Build is passing
All checks were successful
continuous-integration/drone/push Build is passing
* let restore run as root in base container * switch runtime container to alpine (was using debian before) * chown stuff as nobody:nobody and become nobody to run the app * as a consequence, we're no longer allowed to bind to :80 so the port has been changed to :8081. that also needed to be reflected in the compose file for traefik to know where to route traffic * ASPNETCORE_ENVIRONMENT env var properly set to Production
This commit is contained in:
parent
c2e3016f4c
commit
4fd4146b1d
GPG Key ID:
19CE1EC1D9E0486D
13
Dockerfile
13
Dockerfile
|
|
@ -1,8 +1,4 @@
|
|||
FROM mcr.microsoft.com/dotnet/core/sdk:3.1-alpine AS base
|
||||
ENV UID 1000
|
||||
ENV GID 1000
|
||||
ENV UNAME unpriv
|
||||
RUN adduser -D -u ${UID} -g ${GID} -H ${UNAME} -h /src
|
||||
WORKDIR /src
|
||||
|
||||
COPY *.csproj ./
|
||||
|
|
@ -11,10 +7,11 @@ RUN dotnet restore
|
|||
COPY . ./
|
||||
RUN dotnet publish -c Release -o bin/out
|
||||
|
||||
FROM mcr.microsoft.com/dotnet/aspnet:3.1
|
||||
FROM mcr.microsoft.com/dotnet/aspnet:3.1-alpine
|
||||
WORKDIR /App
|
||||
COPY --from=base /src/bin/out/ .
|
||||
RUN chown -R "${UID}":"${GID}" ./
|
||||
USER ${UNAME}
|
||||
ENV ASPNETCORE_ENVIRONMENT=Release
|
||||
RUN chown -R nobody:nobody ./
|
||||
USER nobody
|
||||
ENV ASPNETCORE_ENVIRONMENT Production
|
||||
ENV ASPNETCORE_URLS http://*:8081
|
||||
ENTRYPOINT ["dotnet", "pwt-0x01-ng.dll"]
|
||||
|
|
|
|||
|
|
@ -10,7 +10,7 @@ services:
|
|||
- internal-nw
|
||||
labels:
|
||||
traefik.enable: true
|
||||
traefik.http.services.netcoreultimateapp-prod.loadbalancer.server.port: 80
|
||||
traefik.http.services.netcoreultimateapp-prod.loadbalancer.server.port: 8081
|
||||
traefik.http.services.netcoreultimateapp-prod.loadbalancer.sticky.cookie: true
|
||||
traefik.http.services.netcoreultimateapp-prod.loadbalancer.sticky.cookie.name: lb-session_pwt
|
||||
traefik.http.services.netcoreultimateapp-prod.loadbalancer.sticky.cookie.secure: true
|
||||
|
|
@ -19,7 +19,7 @@ services:
|
|||
traefik.http.services.netcoreultimateapp-prod.loadbalancer.healthCheck.path: /health
|
||||
traefik.http.services.netcoreultimateapp-prod.loadbalancer.healthCheck.interval: 30s
|
||||
traefik.http.services.netcoreultimateapp-prod.loadbalancer.healthCheck.timeout: 3s
|
||||
traefik.http.services.netcoreultimateapp-prod.loadbalancer.healthCheck.port: 80
|
||||
traefik.http.services.netcoreultimateapp-prod.loadbalancer.healthCheck.port: 8081
|
||||
traefik.http.routers.netcoreultimateapp-prod.rule: Host(`localhost`) || Host(`127.0.0.1`) || Host(`netcoreultimateapp-prod`) || Host(`pwt`)
|
||||
logging:
|
||||
driver: json-file
|
||||
|
|
|
|||
Reference in New Issue