
Commit d340024

author
Mark Phelps
authored
Rootless (#659)
* WIP: rootless run container * Use hadolint for Dockerfile linting * Add support for signing via cosign * Add pub key
1 parent 707199f commit d340024


6 files changed

+32
-9
lines changed


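--- a/.gitignore
+++ b/.gitignore
@@ -34,3 +34,4 @@ tmp
 __debug_bin
 
 Brewfile.lock.json
+*.key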

.goreleaser.yml

+5
@@ -57,3 +57,8 @@ dockers:
5757
extra_files:
5858
- config/migrations/
5959
- config/default.yml
60+
61+
docker_signs:
62+
- artifacts: all
63+
stdin: "{{ .Env.COSIGN_PWD }}"
64+
output: true
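Review bot: The new `docker_signs` entry at new lines 61-65 does not state which command or key signs the images; it relies on goreleaser's default `cmd` and `args`, so the key that `COSIGN_PWD` unlocks is implicit and a goreleaser upgrade that changes the default would silently change what gets signed. Make it explicit, e.g. `args: ["sign", "--key=cosign.key", "${artifact}"]` (confirm this matches the default for the goreleaser version in use before relying on it). Since `cosign.pub` is committed in this same commit and `*.key` is git-ignored, a short comment on the entry naming the expected private-key location and pointing verifiers at `cosign.pub` would make the release trust chain visible to operators.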

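--- a/Brewfile
+++ b/Brewfile
@@ -1,12 +1,14 @@
-tap 'filosottile/musl-cross'
 tap 'bufbuild/buf'
+tap 'filosottile/musl-cross'
 tap 'goreleaser/tap'
 
-brew 'go'
+brew 'buf'
 brew 'cmake'
+brew 'cosign'
+brew 'go'
+brew 'goreleaser'
+brew 'hadolint'
+brew 'musl-cross'
 brew 'pkg-config'
-brew 'sqlite'
 brew 'protobuf'
-brew 'musl-cross'
-brew 'goreleaser'
-brew 'buf'
+brew 'sqlite'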

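--- a/Dockerfile
+++ b/Dockerfile
@@ -8,16 +8,21 @@ RUN apt-get update && \
     gnupg \
     sudo \
     openssh-server \
-    postgresql-client
+    postgresql-client && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
 RUN curl -sS https://dl.yarnpkg.com/debian/pubkey.gpg | apt-key add - && \
     echo "deb https://dl.yarnpkg.com/debian/ stable main" | tee /etc/apt/sources.list.d/yarn.list
 
 RUN curl -sL https://deb.nodesource.com/setup_16.x | bash
 
 RUN apt-get update && \
-    apt-get install -y nodejs yarn && \
-    apt-get clean -y
+    apt-get install -y --no-install-recommends \
+    nodejs \
+    yarn && \
+    apt-get clean && \
+    rm -rf /var/lib/apt/lists/*
 
 WORKDIR /flipt
 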
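Review bot: The rewritten install at new lines 21-23 adds `--no-install-recommends` but leaves `nodejs` and `yarn` unpinned, so the hadolint run this commit introduces will report DL3008 on this RUN and the image is not reproducible across rebuilds; either pin them (`nodejs=<version-placeholder>` / `yarn=<version-placeholder>`) or record the deliberate exception with `# hadolint ignore=DL3008` directly above the instruction. The unchanged lines 15 and 18 pipe `curl` into `apt-key add -` and into `bash` without pipefail, so a failed download is masked by the success of the downstream command and, if hadolint is run on this file, DL4006 will flag them too; `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` placed before those RUNs closes that gap. The first RUN in this hunk starts before line 8, outside the hunk, so the full package list (which still includes `sudo` and `openssh-server` at lines 9-10) is only partly visible here.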

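--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -18,7 +18,13 @@ COPY $BINARY /
 COPY config/migrations/ /etc/flipt/config/migrations/
 COPY config/*.yml /etc/flipt/config/
 
+RUN addgroup flipt && \
+    adduser -S -D -H -g '' -G flipt -s /bin/sh flipt && \
+    chown -R flipt:flipt /etc/flipt /var/opt/flipt
+
 EXPOSE 8080
 EXPOSE 9000
 
+USER flipt
+
 CMD ["./flipt"]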
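Review bot: The `addgroup flipt` / `adduser … flipt` pair at new lines 21-22 lets the base image allocate the UID and GID, so `USER flipt` at line 28 has no stable numeric identity: runtimes that enforce `runAsNonRoot` need a numeric UID to verify, and a rebuild on a different base can shift the id under any mounted data. If the base is Alpine/BusyBox as the flag set suggests, pass explicit ids: `RUN addgroup -g 10001 flipt && \` followed by `adduser -S -D -H -u 10001 -g '' -G flipt -s /bin/sh flipt && \`. The `chown -R flipt:flipt /etc/flipt /var/opt/flipt` at line 23 rewrites the files the two `COPY` lines above just placed into a second layer; `COPY --chown=10001:10001` on those lines (numeric ids are accepted before the account exists) keeps the ownership change inside the copy layer. `/var/opt/flipt` is not created in this hunk, so it is presumably made earlier in the file; confirm, because `chown -R` fails on a missing path. Giving a service account `/bin/sh` is also more than it needs for `CMD ["./flipt"]`; `/sbin/nologin` is the least-privilege choice.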

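--- a/cosign.pub
+++ b/cosign.pub
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEpgwkLrS1BAPoXVjnKoq5Nj2U93I0
+eYi0jMMhh/DbaNk2LBF6rdj9c3bcDGIGjcU3EtcrPoHfSk+YM2+V4P5Vbw==
+-----END PUBLIC KEY-----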
