Skip to content

Add a non root user (muslrust) #74

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
63 changes: 42 additions & 21 deletions Dockerfile
Original file line number Diff line number Diff line change
@@ -1,6 +1,9 @@
FROM ubuntu:xenial
LABEL maintainer="Eirik Albrigtsen <[email protected]>"

ARG USER_ID
ARG GROUP_ID

# Required packages:
# - musl-dev, musl-tools - the musl toolchain
# - curl, g++, make, pkgconf, cmake - for fetching and building third party libs
@@ -33,17 +36,6 @@ RUN apt-get update && apt-get install -y \
--no-install-recommends && \
rm -rf /var/lib/apt/lists/*

# Install rust using rustup
ARG CHANNEL="nightly"
ENV RUSTUP_VER="1.22.1" \
RUST_ARCH="x86_64-unknown-linux-gnu"
RUN curl "https://static.rust-lang.org/rustup/archive/${RUSTUP_VER}/${RUST_ARCH}/rustup-init" -o rustup-init && \
chmod +x rustup-init && \
./rustup-init -y --default-toolchain ${CHANNEL} --profile minimal && \
rm rustup-init && \
~/.cargo/bin/rustup target add x86_64-unknown-linux-musl && \
echo "[build]\ntarget = \"x86_64-unknown-linux-musl\"" > ~/.cargo/config

# Convenience list of versions and variables for compilation later on
# This helps continuing manually if anything breaks.
ENV SSL_VER="1.0.2u" \
@@ -53,19 +45,10 @@ ENV SSL_VER="1.0.2u" \
SQLITE_VER="3320300" \
CC=musl-gcc \
PREFIX=/musl \
PATH=/usr/local/bin:/root/.cargo/bin:$PATH \
PATH=/usr/local/bin:/home/muslrust/.cargo/bin:$PATH \
PKG_CONFIG_PATH=/usr/local/lib/pkgconfig \
LD_LIBRARY_PATH=$PREFIX

# Set up a prefix for musl build libraries, make the linker's job of finding them easier
# Primarily for the benefit of postgres.
# Lastly, link some linux-headers for openssl 1.1 (not used herein)
RUN mkdir $PREFIX && \
echo "$PREFIX/lib" >> /etc/ld-musl-x86_64.path && \
ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/x86_64-linux-musl/asm && \
ln -s /usr/include/asm-generic /usr/include/x86_64-linux-musl/asm-generic && \
ln -s /usr/include/linux /usr/include/x86_64-linux-musl/linux

# Build zlib (used in openssl and pq)
RUN curl -sSL https://zlib.net/zlib-$ZLIB_VER.tar.gz | tar xz && \
cd zlib-$ZLIB_VER && \
@@ -113,6 +96,44 @@ RUN curl -sSL https://www.sqlite.org/2020/sqlite-autoconf-$SQLITE_VER.tar.gz | t
make && make install && \
cd .. && rm -rf sqlite-autoconf-$SQLITE_VER

# Set up a prefix for musl build libraries, make the linker's job of finding them easier
# Primarily for the benefit of postgres.
# Lastly, link some linux-headers for openssl 1.1 (not used herein)
RUN mkdir -p $PREFIX && \
echo "$PREFIX/lib" >> /etc/ld-musl-x86_64.path && \
ln -s /usr/include/x86_64-linux-gnu/asm /usr/include/x86_64-linux-musl/asm && \
ln -s /usr/include/asm-generic /usr/include/x86_64-linux-musl/asm-generic && \
ln -s /usr/include/linux /usr/include/x86_64-linux-musl/linux

# Setup a non root user (muslrust) that the end-user will be using when calling cargo commands
# inside the image. This is to try to circumvent the permission issue where the docker image
# creates files as root.
# If there is need for a different id than the default one to be used the end-user has to build
# their own version of the docker image and supply the builds args to update it.
RUN if [ ${USER_ID:-0} -ne 0 ] && [ ${GROUP_ID:-0} -ne 0 ]; then \
groupadd -g ${GROUP_ID} muslrust &&\
useradd -m -l -u ${USER_ID} -g muslrust \
;else \
groupadd muslrust &&\
useradd -m -l -g muslrust muslrust \
;fi

USER muslrust
WORKDIR /home/muslrust

# Install rust using rustup
ARG CHANNEL="nightly"
ENV RUSTUP_VER="1.22.1" \
RUST_ARCH="x86_64-unknown-linux-gnu"
RUN curl "https://static.rust-lang.org/rustup/archive/${RUSTUP_VER}/${RUST_ARCH}/rustup-init" -o rustup-init && \
chmod +x rustup-init && \
./rustup-init -y --default-toolchain ${CHANNEL} --profile minimal && \
rm rustup-init && \
~/.cargo/bin/rustup target add x86_64-unknown-linux-musl && \
echo "[build]\ntarget = \"x86_64-unknown-linux-musl\"" > ~/.cargo/config

ENV PATH=/usr/local/bin:/home/muslrust/.cargo/bin:$PATH

# SSL cert directories get overridden by --prefix and --openssldir
# and they do not match the typical host configurations.
# The SSL_CERT_* vars fix this, but only when inside this container