
Commit 4ff8304

committed
fix: Unprivileged container image
1 parent d393ec3 commit 4ff8304


3 files changed

+35
-37
lines changed


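--- a/Dockerfile
+++ b/Dockerfile
@@ -29,6 +29,13 @@ RUN apt-get update \
 && apt-get clean \
 && rm -rf /var/lib/apt/lists/*
 
+# Allow arbitrary UID
+RUN chgrp -R 0 /app && chmod -R g=u /app && \
+chmod 755 /app/starlake.sh && \
+useradd starlake -u 1001 -g 0 -m -s /bin/bash
+
+USER 1001
+
 COPY starlake/bin /app/bin
 COPY starlake/starlake.sh /app/starlake.sh
 COPY starlake/versions.sh /app/versions.sh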
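Review bot: The `chgrp -R 0 /app && chmod -R g=u /app` on new line 33 runs before the three `COPY` instructions on lines 39-41, so `/app/bin`, `/app/starlake.sh` and `/app/versions.sh` land in later layers as root-owned files with their build-context modes and are not covered by the group-0 fix the commit introduces. The `chmod 755 /app/starlake.sh` on line 34 likewise targets a path that, as far as this hunk shows, is only copied in on line 40; unless an earlier layer already provides it, that `RUN` fails the build. Moving the three `COPY` lines above the `RUN`, or writing each as `COPY --chown=1001:0 starlake/starlake.sh /app/starlake.sh`, keeps the arbitrary-UID intent for the files that actually get executed. The comment on line 32 would be more useful as `# Allow arbitrary UID: group 0 gets the owner's permissions on /app, so any UID in group 0 can run the app`.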

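--- a/scripts/docker-build.sh
+++ b/scripts/docker-build.sh
@@ -12,9 +12,10 @@ GREEN='\033[0;32m'
 NC='\033[0m' # No Color
 
 function usage() {
-echo "Usage: $0 (-e [environment]) (-b)"
+echo "Usage: $0 (-e [environment]) (-d [container-engine]) (-b)"
 echo ""
 echo "-e [environment] : build docker image to [environment], *cloud* by default"
+echo "-d [container-engine]: use the selected container engine, *docker* by default"
 echo "-p : publish the application"
 }
 
@@ -40,35 +41,26 @@ MACHINE="$(uname -m)"
 ENVIRONMENT="cloud"
 BUILD="false"
 PUBLISH="false"
+CONTAINER_ENGINE="docker"
 
 echo Running on ${MACHINE}
 
-while getopts "e:m:b:p" opt; do
+while getopts ":e:m:d:bp" opt; do
 case ${opt} in
-e)
-ENVIRONMENT=${OPTARG}
-;;
-m)
-MACHINE=${OPTARG}
-;;
-b)
-BUILD="true"
-;;
-p)
-PUBLISH="true"
-;;
-\?)
-printError "Invalid option: ${OPTARG}"
-echo ""
-usage
-clean 1
-;;
+e) ENVIRONMENT=${OPTARG} ;;
+m) MACHINE=${OPTARG} ;;
+d) CONTAINER_ENGINE=${OPTARG} ;;
+b) BUILD="true" ;;
+p) PUBLISH="true" ;;
 :)
-printError "Invalid option: ${OPTARG} requires an argument"
-echo ""
-usage
-clean 1
-;;
+printError "Option -${OPTARG} requires an argument."
+usage
+clean 1
+;;
+h | *)
+usage
+clean 1
+;;
 esac
 done
 
@@ -81,7 +73,7 @@ fi
 
 echo Preparing docker image for ${ENVIRONMENT}
 if [ "$BUILD" == "true" ]; then
-./scripts/docker-prepare.sh -e $ENVIRONMENT -p
+./scripts/docker-prepare.sh -e $ENVIRONMENT -b # TODO: -b or -p ?
 else
 ./scripts/docker-prepare.sh -e $ENVIRONMENT
 fi
@@ -90,27 +82,27 @@ source "./scripts/versions.sh"
 
 if [ "$ENVIRONMENT" == "local" ] || [ "$ENVIRONMENT" == "dev" ] || [ "$MACHINE" == "arm64" ];
 then
-# docker buildx create --use
-docker builder prune -f
+# ${CONTAINER_ENGINE} buildx create --use
+${CONTAINER_ENGINE} builder prune -f
 if [ "$ENVIRONMENT" == "local" ]; then
 if [ "$BUILD" == "true" ] || [ "$PUBLISH" == "true" ]; then
-docker buildx create --platform ${PLATFORMS} --driver docker-container --use --bootstrap #--name starlake-builder
-docker buildx build --platform ${PLATFORMS} --build-arg BUILD_DATE=$BUILD_DATE --build-arg VCS_REF=$VCS_REF --build-arg SL_VERSION=$SL_VERSION -t ${REGISTRY_IMAGE_LATEST} ./distrib/docker --load
+${CONTAINER_ENGINE} buildx create --platform ${PLATFORMS} --driver docker-container --use --bootstrap #--name starlake-builder
+${CONTAINER_ENGINE} buildx build --platform ${PLATFORMS} --build-arg BUILD_DATE=$BUILD_DATE --build-arg VCS_REF=$VCS_REF --build-arg SL_VERSION=$SL_VERSION -t ${REGISTRY_IMAGE_LATEST} ./distrib/docker --load
 if [ "$PUBLISH" == "true" ]; then
-docker push ${REGISTRY_IMAGE_LATEST}
+${CONTAINER_ENGINE} push ${REGISTRY_IMAGE_LATEST}
 fi
 else
-docker buildx build --build-arg BUILD_DATE=$BUILD_DATE --build-arg VCS_REF=$VCS_REF --build-arg SL_VERSION=$SL_VERSION -t ${REGISTRY_IMAGE_LATEST} --load ./distrib/docker
+${CONTAINER_ENGINE} buildx build --build-arg BUILD_DATE=$BUILD_DATE --build-arg VCS_REF=$VCS_REF --build-arg SL_VERSION=$SL_VERSION -t ${REGISTRY_IMAGE_LATEST} --load ./distrib/docker
 fi
 else
-docker buildx build --build-arg BUILD_DATE=$BUILD_DATE --build-arg VCS_REF=$VCS_REF --build-arg SL_VERSION=$SL_VERSION -t ${REGISTRY_IMAGE_LATEST} --load ./distrib/docker
+${CONTAINER_ENGINE} buildx build --build-arg BUILD_DATE=$BUILD_DATE --build-arg VCS_REF=$VCS_REF --build-arg SL_VERSION=$SL_VERSION -t ${REGISTRY_IMAGE_LATEST} --load ./distrib/docker
 fi
 else
 echo building for linux/$MACHINE
 export cluster=$(gcloud config get-value container/cluster 2> /dev/null)
 export zone=$(gcloud config get-value compute/zone 2> /dev/null)
 export project=$(gcloud config get-value core/project 2> /dev/null)
 
-docker buildx build --platform linux/$MACHINE --build-arg BUILD_DATE=$BUILD_DATE --build-arg VCS_REF=$VCS_REF --build-arg SL_VERSION=$SL_VERSION --output type=docker -t starlake-ai/starlake-$MACHINE:latest ./distrib/docker
-#docker push europe-west1-docker.pkg.dev/$project/starlake-docker-repo/starlake-$MACHINE:latest
+${CONTAINER_ENGINE} buildx build --platform linux/$MACHINE --build-arg BUILD_DATE=$BUILD_DATE --build-arg VCS_REF=$VCS_REF --build-arg SL_VERSION=$SL_VERSION --output type=docker -t starlake-ai/starlake-$MACHINE:latest ./distrib/docker
+#${CONTAINER_ENGINE} push europe-west1-docker.pkg.dev/$project/starlake-docker-repo/starlake-$MACHINE:latest
 fi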
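Review bot: The `h | *)` arm added at new line 60 never matches `h` directly, because `h` is not in the new optstring `":e:m:d:bp"`; an `-h` reaches that arm only as `?`, exactly like every unknown option, and the `Invalid option` diagnostic the commit removes is lost along the way. With the leading colon getopts is in silent mode, so an unknown option sets `opt` to `?` and leaves the offending letter in `OPTARG` — a dedicated `\?` arm can still report it, and adding `h` to the optstring makes the help arm real. `CONTAINER_ENGINE` (line 44, set from `-d` on line 52) is then used as the command name on lines 86-106 with no check that it resolves, so a typo only surfaces as `command not found` after `docker-prepare.sh` has already run; a `command -v` check right after the loop fails early with a clear message. The `# TODO: -b or -p ?` on line 76 should be settled rather than shipped, since scripts/docker-prepare.sh in this same commit accepts both `-p` and `-b` as flags and they are not interchangeable.
```shell
while getopts ":e:m:d:hbp" opt; do
  case ${opt} in
    # … unchanged: e/m/d/b/p arms …
    :)
      printError "Option -${OPTARG} requires an argument."
      usage
      clean 1
      ;;
    \?)
      # silent-mode getopts: OPTARG holds the unknown option letter
      printError "Invalid option: -${OPTARG}"
      usage
      clean 1
      ;;
    h | *)
      usage
      clean 1
      ;;
  esac
done

# fail before docker-prepare.sh runs if the selected engine is not installed
command -v "${CONTAINER_ENGINE}" >/dev/null 2>&1 || { printError "Container engine not found: ${CONTAINER_ENGINE}"; clean 1; }
```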

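--- a/scripts/docker-prepare.sh
+++ b/scripts/docker-prepare.sh
@@ -39,8 +39,7 @@ fi
 ENVIRONMENT="cloud"
 PUBLISH="false"
 BUILD="false"
-
-while getopts "e:p:b" opt; do
+while getopts ":e:pb" opt; do
 case ${opt} in
 e)
 ENVIRONMENT=${OPTARG}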
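Review bot: The optstring on new line 42 switches getopts to silent mode (leading colon), which changes how errors are delivered: a missing argument now sets `opt` to `:`, an unknown option sets it to `?` with the letter in `OPTARG`, and the shell no longer prints its own diagnostic for either. The `case ${opt} in` continues past the end of the hunk, so the arms that must now handle `:` and `\?` are not visible here; confirm both exist, mirroring the `:)` arm the commit keeps in scripts/docker-build.sh. Dropping the argument from `-p` (`"e:p:b"` → `":e:pb"`) also changes the command line callers pass; it matches the bare `-b`/`-p` calls in docker-build.sh, but is worth a line in this script's usage text so the flag semantics are documented in one place.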
