From 58868b75af79d71cb7996a0b421fdc0d114f6cfe Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ce=CC=81drik=20LIME?=
Date: Wed, 17 Apr 2019 18:24:24 +0200
Subject: [PATCH 1/2] Run as non-root user

---
 Dockerfile        | 13 ++++++++++---
 Dockerfile.travis | 11 +++++++++--
 2 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 83080de2..1d6ee6a9 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -11,14 +11,21 @@ FROM alpine:latest
 LABEL maintainer="AdGuard Team "
 
 # Update CA certs
-RUN apk --no-cache --update add ca-certificates && \
-    rm -rf /var/cache/apk/* && mkdir -p /opt/adguardhome
+RUN apk --no-cache --update add ca-certificates libcap && \
+    rm -rf /var/cache/apk/* && mkdir -p /opt/adguardhome/conf /opt/adguardhome/work
 
 COPY --from=build /src/AdGuardHome/AdGuardHome /opt/adguardhome/AdGuardHome
 
+RUN chown -R nobody: /opt/adguardhome \
+    && setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome
+
 EXPOSE 53/tcp 53/udp 67/tcp 67/udp 68/tcp 68/udp 80/tcp 443/tcp 853/tcp 853/udp 3000/tcp
 
 VOLUME ["/opt/adguardhome/conf", "/opt/adguardhome/work"]
 
+WORKDIR /opt/adguardhome/work
+
+USER nobody
+
 ENTRYPOINT ["/opt/adguardhome/AdGuardHome"]
-CMD ["-c", "/opt/adguardhome/conf/AdGuardHome.yaml", "-w", "/opt/adguardhome/work"]
\ No newline at end of file
+CMD ["-c", "/opt/adguardhome/conf/AdGuardHome.yaml", "-w", "/opt/adguardhome/work"]
diff --git a/Dockerfile.travis b/Dockerfile.travis
index 327ccb8d..3a4ba640 100644
--- a/Dockerfile.travis
+++ b/Dockerfile.travis
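Review bot: The added `chown -R nobody: /opt/adguardhome` only fixes ownership inside the image, but `/opt/adguardhome/conf` and `/opt/adguardhome/work` are declared as `VOLUME`s, so a bind mount at run time replaces them with host-owned directories and the process started by `USER nobody` (uid 65534 on Alpine) will presumably be unable to write its config or work data unless the operator chowns the host paths to that uid. That failure mode is invisible from the Dockerfile; add a comment above `USER nobody`, e.g. `# Runs as nobody (uid 65534): bind-mounted conf/work dirs must be writable by that uid`, and consider a dedicated account with a fixed numeric uid (`RUN adduser -S -u 10001 adguard` and `USER 10001`) rather than the shared `nobody` account, so the expected uid is explicit for operators and for runtimes that verify a non-root uid. Note also that `setcap 'cap_net_bind_service=+eip'` is a file capability: it is honoured only while CAP_NET_BIND_SERVICE stays in the container's bounding set and the container is not started with `no-new-privileges`, under which file capabilities do not add to the permitted set and the non-root process will fail to bind 53/80/443.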
@@ -2,15 +2,22 @@ FROM alpine:latest
 LABEL maintainer="AdGuard Team "
 
 # Update CA certs
-RUN apk --no-cache --update add ca-certificates && \
-    rm -rf /var/cache/apk/* && mkdir -p /opt/adguardhome
+RUN apk --no-cache --update add ca-certificates libcap && \
+    rm -rf /var/cache/apk/* && mkdir -p /opt/adguardhome/conf /opt/adguardhome/work
 
 COPY ./AdGuardHome /opt/adguardhome/AdGuardHome
 
+RUN chown -R nobody: /opt/adguardhome \
+    && setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome
+
 EXPOSE 53/tcp 53/udp 67/tcp 67/udp 68/tcp 68/udp 80/tcp 443/tcp 853/tcp 853/udp 3000/tcp
 
 VOLUME ["/opt/adguardhome/conf", "/opt/adguardhome/work"]
 
+WORKDIR /opt/adguardhome/work
+
+USER nobody
+
 ENTRYPOINT ["/opt/adguardhome/AdGuardHome"]
 CMD ["-h", "0.0.0.0", "-c", "/opt/adguardhome/conf/AdGuardHome.yaml", "-w", "/opt/adguardhome/work"]
 

From 17aa46c4d214051f0efa904b531c8eab2cfcbea7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ce=CC=81drik=20LIME?=
Date: Wed, 8 May 2019 21:17:14 +0200
Subject: [PATCH 2/2] Optimize Docker image layers; comment out runtime user; add sample docker-compose.yml

---
 Dockerfile         | 11 ++++++-----
 Dockerfile.travis  | 12 ++++++------
 docker-compose.yml | 31 +++++++++++++++++++++++++++++++
 3 files changed, 43 insertions(+), 11 deletions(-)
 create mode 100644 docker-compose.yml

diff --git a/Dockerfile b/Dockerfile
index 1d6ee6a9..8b89e11b 100644
--- a/Dockerfile
+++ b/Dockerfile
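Review bot: `setcap 'cap_net_bind_service=+eip'` covers binding the privileged ports, but the same image exposes 67/68 for a DHCP server, and a DHCP server ordinarily needs raw sockets (CAP_NET_RAW) to answer clients that have no address yet; with `USER nobody` and only cap_net_bind_service the DHCP feature will presumably fail — confirm against the DHCP implementation before relying on this image for it. If DHCP is meant to work from the container, either widen the grant to `setcap 'cap_net_bind_service,cap_net_raw=+eip' /opt/adguardhome/AdGuardHome` or state the limitation in a comment next to `USER nobody`. This hunk duplicates the Dockerfile change line for line; a comment such as `# Keep in sync with Dockerfile` on both files would reduce the chance of the two drifting apart.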
@@ -12,12 +12,13 @@ LABEL maintainer="AdGuard Team "
 
 # Update CA certs
 RUN apk --no-cache --update add ca-certificates libcap && \
-    rm -rf /var/cache/apk/* && mkdir -p /opt/adguardhome/conf /opt/adguardhome/work
+    rm -rf /var/cache/apk/* && \
+    mkdir -p /opt/adguardhome/conf /opt/adguardhome/work && \
+    chown -R nobody: /opt/adguardhome
 
-COPY --from=build /src/AdGuardHome/AdGuardHome /opt/adguardhome/AdGuardHome
+COPY --from=build --chown=nobody: /src/AdGuardHome/AdGuardHome /opt/adguardhome/AdGuardHome
 
-RUN chown -R nobody: /opt/adguardhome \
-    && setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome
+RUN setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome
 
 EXPOSE 53/tcp 53/udp 67/tcp 67/udp 68/tcp 68/udp 80/tcp 443/tcp 853/tcp 853/udp 3000/tcp
 
@@ -25,7 +26,7 @@ VOLUME ["/opt/adguardhome/conf", "/opt/adguardhome/work"]
 
 WORKDIR /opt/adguardhome/work
 
-USER nobody
+#USER nobody
 
 ENTRYPOINT ["/opt/adguardhome/AdGuardHome"]
 CMD ["-c", "/opt/adguardhome/conf/AdGuardHome.yaml", "-w", "/opt/adguardhome/work"]
diff --git a/Dockerfile.travis b/Dockerfile.travis
index 3a4ba640..bdfbb00a 100644
--- a/Dockerfile.travis
+++ b/Dockerfile.travis
@@ -3,13 +3,13 @@ LABEL maintainer="AdGuard Team "
 
 # Update CA certs
 RUN apk --no-cache --update add ca-certificates libcap && \
-    rm -rf /var/cache/apk/* && mkdir -p /opt/adguardhome/conf /opt/adguardhome/work
+    rm -rf /var/cache/apk/* && \
+    mkdir -p /opt/adguardhome/conf /opt/adguardhome/work && \
+    chown -R nobody: /opt/adguardhome
+COPY --chown=nobody: ./AdGuardHome /opt/adguardhome/AdGuardHome
 
-COPY ./AdGuardHome /opt/adguardhome/AdGuardHome
-
-RUN chown -R nobody: /opt/adguardhome \
-    && setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome
+RUN setcap 'cap_net_bind_service=+eip' /opt/adguardhome/AdGuardHome
 
 EXPOSE 53/tcp 53/udp 67/tcp 67/udp 68/tcp 68/udp 80/tcp 443/tcp 853/tcp 853/udp 3000/tcp
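Review bot: `COPY --from=build --chown=nobody:` borrows the shell `chown` convention that an empty group means the user's login group, but Docker documents `--chown` only as `user`, `user:group`, `uid` or `uid:gid`, and how a trailing colon with an empty group is parsed is builder-dependent (classic builder vs BuildKit); spell the group out, `COPY --from=build --chown=nobody:nobody /src/AdGuardHome/AdGuardHome /opt/adguardhome/AdGuardHome`, or use numeric `65534:65534` so the copy does not depend on name lookup at all. The `chown -R nobody:` inside the RUN line is fine, since that one is executed by the real chown binary. The remaining `RUN setcap` step still has to rewrite the binary in a new layer to attach the xattr (COPY cannot set capabilities), so the binary is presumably stored twice regardless of the reshuffle; a one-line comment such as `# file capability must be set in its own layer; COPY cannot add xattrs` would stop a later "optimisation" from folding it into the wrong place.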
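Review bot: Changing `USER nobody` to `#USER nobody` puts the container back to running AdGuardHome as root, which reverses the point of the first patch in this series while leaving the `chown -R nobody:`, `--chown=nobody:` and `setcap` preparation in place but unused; the commit message records that the user was commented out but not why. If the reason is bind-mounted conf/work directories owned by the host user (the likely cause given the VOLUME lines just above this hunk), the safer fix is to keep `USER nobody` and document the required host ownership, rather than shipping a root-by-default image that operators have to remember to lock down with `--user`. At minimum replace the bare `#USER nobody` with a comment that states the trade-off, e.g. `# USER nobody disabled: bind-mounted conf/work must be owned by uid 65534 for it to work; run with --user 65534 when your mounts allow it`.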
@@ -17,7 +17,7 @@ VOLUME ["/opt/adguardhome/conf", "/opt/adguardhome/work"]
 
 WORKDIR /opt/adguardhome/work
 
-USER nobody
+#USER nobody
 
 ENTRYPOINT ["/opt/adguardhome/AdGuardHome"]
 CMD ["-h", "0.0.0.0", "-c", "/opt/adguardhome/conf/AdGuardHome.yaml", "-w", "/opt/adguardhome/work"]
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 00000000..1c3d6646
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,31 @@
+%YAML 1.2
+---
+# https://docs.docker.com/compose/compose-file/
+
+version: '2.4'
+
+services:
+
+  adguard-home:
+    image: adguard/adguardhome:armhf-latest
+    init: true
+    ports:
+      - "53:53/tcp"
+      - "53:53/udp"
+      - "67:67/tcp"
+      - "67:67/udp"
+      - "68:68/tcp"
+      - "68:68/udp"
+      - "80:80/tcp"
+      - "443:443/tcp"
+      - "853:853/tcp"
+      - "853:853/udp"
+      - "3000:3000/tcp"
+    volumes:
+      - /opt/adguard-home:/opt/adguardhome/conf
+      - /srv/adguard-home:/opt/adguardhome/work
+    #user: nobody
+    read_only: true
+    restart: always
+
+...
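Review bot: As in the main Dockerfile, `#USER nobody` makes this CI image run AdGuardHome as root again while the ownership and `setcap` preparation above stays in place unused, and the change is not explained anywhere in the file. Either keep `USER nobody` here (this image is built by CI from a prebuilt binary and is the one most likely to be published), or turn the bare commented-out line into a comment that says why it is off and how to re-enable it, e.g. `# USER nobody disabled: bind-mounted conf/work must be writable by uid 65534; pass --user 65534 at run time`.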
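Review bot: `image: adguard/adguardhome:armhf-latest` is both a floating tag and an architecture-specific one, so this checked-in sample pulls whatever was pushed last and only runs on 32-bit ARM hosts; pin a release tag (ideally with a digest) and use the multi-arch tag if the registry provides one. Because the Dockerfiles in this series end up running as root and the sample mirrors that with `#user: nobody`, the compose file should carry the least-privilege settings the image no longer provides: add `cap_drop: ["ALL"]` and `cap_add: ["NET_BIND_SERVICE"]` (plus `NET_RAW` if the DHCP server on 67/68 is actually used), and consider publishing the admin ports as `"127.0.0.1:3000:3000"` and `"127.0.0.1:80:80"` instead of on every host interface, since `ports:` entries without a host address bind 0.0.0.0. `read_only: true` is the one hardening option already present and should keep working because conf and work are bind mounts; leave it in and mention in a comment that any other writable path needs a `tmpfs:` entry.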