hexops / dockerfile Goto Github PK

This docker cmd
RUN addgroup -g 10001 -S nonroot && adduser -u 10000 -S -G nonroot -h /home/nonroot nonroot
does not work for Ubuntu based images.
Got error like:

 > [stage-1 5/9] RUN addgroup -g 10001 -S nonroot && adduser -u 10000 -S -G nonroot -h /home/nonroot nonroot:                             
#9 0.427 Option g is ambiguous (gecos, gid, group)
#9 0.427 Option s is ambiguous (shell, system)

addgroup on Ubuntu desktop doesn't have same arguments like the ones provided in the docker file

Replaced it with:

RUN groupadd --gid 10001 nonroot && \
         useradd  --home-dir /home/nonroot \
                        --shell /bin/bash \
                        --create-home
                        --gid nonroot \
                        --groups nonroot \
                        --uid 10000 nonroot

Please let me know if I got the mapping right. I don't know what -S argument represents in your cmd

A topic on multi-stage builds?

The problem is in this line:

- [Is `tini` still required in 2020? I thought Docker added it natively?](is-tini-still-required-in-2020-i-thought-docker-added-it-natively)

There is a missing #

- [Is `tini` still required in 2020? I thought Docker added it natively?](#is-tini-still-required-in-2020-i-thought-docker-added-it-natively)

It might not be a big thing but I suggest to fix the spellings in the bellow sentences.
priviledge --> privilege

host priviledge escalation could occur
because if someone does manage to escalate priviledges outside the Docker container

Hi, first of all I would like to say thank you so much for creating this awesome repo.

But sorry, I misunderstood two steps which are

• In Tiny section, you said, "Replace 'myapp' above with your binary". What kind of binary do you mean? Would you mind giving us an example for that?
• And the last one you said, "Default arguments for your app (remove if you have none)". What kind of app arguments do you mean? Also would you mind giving us an example for that? Let's say I'm gonna deploy a Node JS app.

Thanks for understanding.

I presume this was intended to be “ergonomically”. Although my brain initially skimmed it as “erroneously”.

The repository currently doesn't seem to contain any license. Could you add one, please? See Choose a License for more information 🙂

Try building static binaries for you app and use minimalist base image, like Distroless:
https://github.com/GoogleContainerTools/distroless

I’m interested in your thoughts on building images for platforms like Red Hat OpenShift, which override the UID/GID of the image when a container is run (using an unpredictable, high UID). This adds security, but causes problems with file permissions unless the image author builds in permission fixes.
I haven’t found a simple to implement, general best practice that works with these platforms... it’s usually some hacky chmod script acting on application specific folders/files.