archives/snowflake
2
0
Fork 0
mirror of https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git synced 2025-10-13 20:11:19 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions

chore: Dockerfile: run proxy as non-root user

Browse source 
I believe this might have a potential to affect existing setups,
e.g. if they use a privileged port for `--metrics-port`
or `--ephemeral-ports-range`.

But it should work fine with our currently recommended
`docker-compose.yml`:
https://gitlab.torproject.org/tpo/anti-censorship/docker-snowflake-proxy/-/blob/main/docker-compose.yml

Related: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40328
This commit is contained in:
WofWca 2024-12-07 16:21:02 +04:00
parent 94b6647d33
commit ee628c5df0
1 changed files with 7 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

7
Dockerfile
View file

@ -15,8 +15,15 @@ WORKDIR /app/proxy
RUN go get RUN go get
RUN CGO_ENABLED=0 go build -o proxy -ldflags '-extldflags "-static" -w -s' . RUN CGO_ENABLED=0 go build -o proxy -ldflags '-extldflags "-static" -w -s' .
RUN groupadd nonroot
RUN useradd --gid nonroot nonroot
FROM scratch FROM scratch
COPY --from=build /etc/passwd /etc/passwd
COPY --from=build /etc/group /etc/group
USER nonroot:nonroot
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
COPY --from=build /usr/share/zoneinfo /usr/share/zoneinfo COPY --from=build /usr/share/zoneinfo /usr/share/zoneinfo
COPY --from=build /app/proxy/proxy /bin/proxy COPY --from=build /app/proxy/proxy /bin/proxy