Added optimized alpine image for better security and smaller image. (#5780)

SamTV12345 2023-06-27 22:17:55 +02:00 committed by GitHub
parent 7dfeda77bf
commit db42f23fcc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23


@ -4,15 +4,18 @@
# #
# Author: muxator # Author: muxator
FROM node:lts-slim FROM node:lts-alpine
LABEL maintainer="Etherpad team, https://github.com/ether/etherpad-lite" LABEL maintainer="Etherpad team, https://github.com/ether/etherpad-lite"
ARG TIMEZONE= ARG TIMEZONE=
RUN \ RUN \
[ -z "${TIMEZONE}" ] || { \ [ -z "${TIMEZONE}" ] || { \
ln -sf /usr/share/zoneinfo/"${TIMEZONE#/usr/share/zoneinfo/}" /etc/localtime; \ apk add --no-cache tzdata && \
dpkg-reconfigure -f noninteractive tzdata; \ cp /usr/share/zoneinfo/${TIMEZONE} /etc/localtime && \
echo "${TIMEZONE}" > /etc/timezone; \
} }
ENV TIMEZONE=${TIMEZONE}
# plugins to install while building the container. By default no plugins are # plugins to install while building the container. By default no plugins are
# installed. # installed.
@ -43,6 +46,8 @@ ARG INSTALL_SOFFICE=
# other things, assets are minified & compressed). # other things, assets are minified & compressed).
ENV NODE_ENV=production ENV NODE_ENV=production
# Install dependencies required for modifying access.
RUN apk add shadow
# Follow the principle of least privilege: run as unprivileged user. # Follow the principle of least privilege: run as unprivileged user.
# #
# Running as non-root enables running this image in platforms like OpenShift # Running as non-root enables running this image in platforms like OpenShift
@ -54,6 +59,8 @@ ARG EP_HOME=
ARG EP_UID=5001 ARG EP_UID=5001
ARG EP_GID=0 ARG EP_GID=0
ARG EP_SHELL= ARG EP_SHELL=
RUN groupadd --system ${EP_GID:+--gid "${EP_GID}" --non-unique} etherpad && \ RUN groupadd --system ${EP_GID:+--gid "${EP_GID}" --non-unique} etherpad && \
useradd --system ${EP_UID:+--uid "${EP_UID}" --non-unique} --gid etherpad \ useradd --system ${EP_UID:+--uid "${EP_UID}" --non-unique} --gid etherpad \
${EP_HOME:+--home-dir "${EP_HOME}"} --create-home \ ${EP_HOME:+--home-dir "${EP_HOME}"} --create-home \
@ -64,18 +71,14 @@ RUN mkdir -p "${EP_DIR}" && chown etherpad:etherpad "${EP_DIR}"
# the mkdir is needed for configuration of openjdk-11-jre-headless, see # the mkdir is needed for configuration of openjdk-11-jre-headless, see
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863199 # https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=863199
RUN export DEBIAN_FRONTEND=noninteractive; \ RUN \
mkdir -p /usr/share/man/man1 && \ mkdir -p /usr/share/man/man1 && \
apt-get -qq update && \ apk update && apk upgrade && \
apt-get -qq dist-upgrade && \ apk add \
apt-get -qq --no-install-recommends install \
ca-certificates \ ca-certificates \
git \ git \
${INSTALL_ABIWORD:+abiword} \ ${INSTALL_ABIWORD:+abiword} \
${INSTALL_SOFFICE:+libreoffice default-jre libreoffice-java-common} \ ${INSTALL_SOFFICE:+libreoffice openjdk8-jre libreoffice-common}
&& \
apt-get -qq clean && \
rm -rf /var/lib/apt/lists/*
USER etherpad USER etherpad
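Review bot: `RUN apk add shadow` in the second hunk runs without `--no-cache` and leaves the shadow tools in the final image, although the visible lines use them only for the `groupadd`/`useradd` step that follows. If nothing needs them at runtime, install them as a virtual package inside that same `RUN` and drop them afterwards, e.g. `apk add --no-cache --virtual .user-setup shadow && groupadd … && useradd … && apk del .user-setup`, so the runtime image carries fewer account-management binaries. The last hunk has the same gap: `apk update && apk upgrade && apk add` keeps the package index in the layer where the old code removed the apt lists, and `apk add --no-cache` would avoid that. The `useradd` command continues outside the hunk, so the exact placement of `apk del` needs checking against the full instruction.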