feat: switch to rootless runs + refactor

* build as root but run the container as UID/GID 1000 * db expose only on localhost * docker-compose mount $PWD for easy local debugging
2020-12-15 22:47:08 +01:00 · 2020-12-15 22:47:08 +01:00 · 82d075dd01
parent 1489069c5c
commit 82d075dd01
3 changed files with 15 additions and 1 deletions
--- a/6
+++ b/6
@ -1,4 +1,8 @@
 FROM mcr.microsoft.com/dotnet/core/sdk:3.1-alpine
+ENV UID 1000
+ENV GID 1000
+ENV UNAME unpriv
+RUN adduser -D -u ${UID} -g ${GID} -H ${UNAME} -h /src
 WORKDIR /src

 COPY global.json ./
@ -14,5 +18,7 @@ RUN dotnet publish -c Release -o bin/out
 FROM mcr.microsoft.com/dotnet/aspnet:3.1
 WORKDIR /App
 COPY --from=0 /src/bin/out/ .
+RUN chown -R ${UID}:${GID} ./
+USER ${UNAME}
 ENV ASPNETCORE_ENVIRONMENT=Release
 ENTRYPOINT ["dotnet", "pwt-0x01-ng.dll"]
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@ -1,4 +1,8 @@
 FROM mcr.microsoft.com/dotnet/core/sdk:3.1-alpine
+ENV UID 1000
+ENV GID 1000
+ENV UNAME unpriv
+RUN adduser -D -u ${UID} -g ${GID} -H ${UNAME} -h /src
 WORKDIR /src

 COPY global.json ./
@ -10,6 +14,8 @@ RUN dotnet restore
 COPY . ./
 RUN sed -i 's/3.1.110/3.1.404/' global.json
 RUN dotnet build -c Debug -o bin/out
+RUN chown -R ${UID}:${GID} ./ /root/
+USER ${UNAME}

 ENV ASPNETCORE_ENVIRONMENT=Development

--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -7,6 +7,8 @@ services:
      dockerfile: Dockerfile.dev
    ports:
    - 127.0.0.1:8001:5000
+    volumes:
+    - $PWD:/src
    environment:
      ASPNETCORE_ENVIRONMENT: Development
      DB_CONNECTION_STRING: "User ID=postgres;Password=679968312e029a806c1905c40ec331aa199a1eb86bd0b9eb04057933e449bdc9ef8ef292a39b68cafa5689c901a17266;Server=db;Port=5432;Database=pwt;Integrated Security=true;Pooling=true;"
@ -21,7 +23,7 @@ services:
    container_name: 'db'
    image: postgres:13.1-alpine
    ports:
-    - 5432:5432
+    - 127.0.0.1:5432:5432
    volumes:
    - dbdata:/var/lib/postgresql/data
    environment: