mirror of
https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake.git
synced 2025-10-13 20:11:19 -04:00
37541868c5
chore: Dockerfile: run proxy as non-root user See merge request tpo/anti-censorship/pluggable-transports/snowflake!455
34 lines
1.2 KiB
Docker
34 lines
1.2 KiB
Docker
FROM docker.io/library/golang:1.23-bookworm AS build
|
|
|
|
RUN apt-get update && apt-get install -y tor-geoipdb
|
|
|
|
ADD . /app
|
|
|
|
WORKDIR /app/proxy
|
|
RUN go get
|
|
RUN CGO_ENABLED=0 go build -o proxy -ldflags '-extldflags "-static" -w -s' .
|
|
|
|
RUN groupadd nonroot
|
|
RUN useradd --gid nonroot nonroot
|
|
|
|
FROM scratch
|
|
|
|
COPY --from=build /etc/passwd /etc/passwd
|
|
COPY --from=build /etc/group /etc/group
|
|
USER nonroot:nonroot
|
|
|
|
COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
|
|
COPY --from=build /usr/share/zoneinfo /usr/share/zoneinfo
|
|
COPY --from=build /usr/share/tor/geoip* /usr/share/tor/
|
|
COPY --from=build /app/proxy/proxy /bin/proxy
|
|
|
|
ENTRYPOINT [ "/bin/proxy" ]
|
|
|
|
# Set some labels
|
|
# io.containers.autoupdate label will instruct podman to reach out to the
|
|
# corresponding registry to check if the image has been updated. If an image
|
|
# must be updated, Podman pulls it down and restarts the systemd unit executing
|
|
# the container. See podman-auto-update(1) for more details, or
|
|
# https://docs.podman.io/en/latest/markdown/podman-auto-update.1.html
|
|
LABEL io.containers.autoupdate=registry
|
|
LABEL org.opencontainers.image.authors="anti-censorship-team@lists.torproject.org"
|