mirror of
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git
synced 2025-10-13 20:11:19 -04:00
chore: Dockerfile: run proxy as non-root user
I believe this might have a potential to affect existing setups, e.g. if they use a privileged port for `--metrics-port` or `--ephemeral-ports-range`. But it should work fine with our currently recommended `docker-compose.yml`: https://gitlab.torproject.org/tpo/anti-censorship/docker-snowflake-proxy/-/blob/main/docker-compose.yml Related: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/issues/40328
This commit is contained in:
WofWca
parent
94b6647d33
commit
ee628c5df0
1 changed files with 7 additions and 0 deletions
|
|
@ -15,8 +15,15 @@ WORKDIR /app/proxy
|
|||
RUN go get
|
||||
RUN CGO_ENABLED=0 go build -o proxy -ldflags '-extldflags "-static" -w -s' .
|
||||
|
||||
RUN groupadd nonroot
|
||||
RUN useradd --gid nonroot nonroot
|
||||
|
||||
FROM scratch
|
||||
|
||||
COPY --from=build /etc/passwd /etc/passwd
|
||||
COPY --from=build /etc/group /etc/group
|
||||
USER nonroot:nonroot
|
||||
|
||||
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
|
||||
COPY --from=build /usr/share/zoneinfo /usr/share/zoneinfo
|
||||
COPY --from=build /app/proxy/proxy /bin/proxy
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue