From e0f6238d92ed4f3c9a159957e49b1db4f465c5d4 Mon Sep 17 00:00:00 2001 From: Timo Notheisen <65653426+tnotheis@users.noreply.github.com> Date: Mon, 11 Dec 2023 11:05:49 +0100 Subject: [PATCH] Use non-root users in Dockerfiles (#440) * feat: use 'app' user in production images * chore: run debug containers on port 8080 * ci: use new port in docker-compose.test.yml * fix: expose correct port * ci: fix health check in docker-compose.test.yml * feat: change port inthe helm chart's values.yaml --- .ci/docker-compose.test.yml | 6 +++--- AdminUi/src/AdminUi/Dockerfile | 9 ++++++--- AdminUi/src/AdminUi/Dockerfile.debug | 4 ++-- ConsumerApi/Dockerfile | 8 +++++--- ConsumerApi/Dockerfile.debug | 4 ++-- docker-compose/docker-compose.yml | 4 ++-- helm/values.yaml | 4 ++-- 7 files changed, 22 insertions(+), 17 deletions(-) diff --git a/.ci/docker-compose.test.yml b/.ci/docker-compose.test.yml index a6a6d02781..b9c7ccde2d 100644 --- a/.ci/docker-compose.test.yml +++ b/.ci/docker-compose.test.yml @@ -9,7 +9,7 @@ services: environment: - ASPNETCORE_ENVIRONMENT=Development ports: - - "5000:80" + - "5000:8080" depends_on: database: condition: service_started @@ -20,7 +20,7 @@ services: azure-storage-emulator: condition: service_started healthcheck: - test: ["CMD", "wget", "http://localhost/health"] + test: ["CMD", "wget", "http://localhost:8080/health", "-O", "/dev/null"] interval: 5s timeout: 2s retries: 40 @@ -37,7 +37,7 @@ services: environment: - ASPNETCORE_ENVIRONMENT=Development ports: - - "5173:80" + - "5173:8080" depends_on: database: condition: service_started diff --git a/AdminUi/src/AdminUi/Dockerfile b/AdminUi/src/AdminUi/Dockerfile index ffc8b61736..dcad672e3c 100644 --- a/AdminUi/src/AdminUi/Dockerfile +++ b/AdminUi/src/AdminUi/Dockerfile @@ -1,6 +1,6 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base WORKDIR /app -EXPOSE 80 +EXPOSE 8080 FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build 
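Review bot: In the healthcheck hunk of .ci/docker-compose.test.yml (`@@ -20,7 +20,7 @@`), the new `"-O", "/dev/null"` arguments carry no explanation, so a later cleanup could easily drop them. Presumably they are needed because the container now runs as the non-root user and wget can no longer write the downloaded `health` file into the working directory, which would make the check fail even though the service is up. I would add a comment above `test:` such as `# -O /dev/null: the non-root app user cannot write wget's output file to the working dir`. The other two hunks in this file only change the port mapping and need nothing further.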
@@ -50,8 +50,11 @@ RUN dotnet publish /property:WarningLevel=0 /p:UseAppHost=false --no-restore --c FROM base AS final -ENV ASPNETCORE_URLS=http://0.0.0.0:80 - WORKDIR /app COPY --from=publish /app/publish . + +ENV ASPNETCORE_URLS=http://0.0.0.0:8080 + +USER $APP_UID + ENTRYPOINT ["dotnet", "Backbone.AdminUi.dll"] diff --git a/AdminUi/src/AdminUi/Dockerfile.debug b/AdminUi/src/AdminUi/Dockerfile.debug index 91a93acc9d..61e81b2e83 100644 --- a/AdminUi/src/AdminUi/Dockerfile.debug +++ b/AdminUi/src/AdminUi/Dockerfile.debug @@ -1,8 +1,8 @@ FROM mcr.microsoft.com/dotnet/sdk:8.0 -EXPOSE 80 +EXPOSE 8080 WORKDIR /app -ENV ASPNETCORE_URLS=http://0.0.0.0:80 +ENV ASPNETCORE_URLS=http://0.0.0.0:8080 ENTRYPOINT ["dotnet", "watch", "--non-interactive", "--project", "AdminUi/src/AdminUi/AdminUi.csproj"] diff --git a/ConsumerApi/Dockerfile b/ConsumerApi/Dockerfile index 53bfd4bf81..2a399c8a93 100644 --- a/ConsumerApi/Dockerfile +++ b/ConsumerApi/Dockerfile @@ -9,11 +9,9 @@ RUN dotnet publish /property:WarningLevel=0 --configuration Release --output /ap # Run FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.18 -EXPOSE 80 +EXPOSE 8080 WORKDIR /app -ENV ASPNETCORE_URLS=http://0.0.0.0:80 - ENV Logging__Console__FormatterName= ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=0 RUN apk add icu-libs @@ -21,4 +19,8 @@ COPY --from=build-env /app . LABEL org.opencontainers.image.source = "https://github.com/nmshd/backbone" +ENV ASPNETCORE_URLS=http://0.0.0.0:8080 + +USER $APP_UID + ENTRYPOINT ["dotnet", "Backbone.ConsumerApi.dll"] diff --git a/ConsumerApi/Dockerfile.debug b/ConsumerApi/Dockerfile.debug index f4cf38dd04..1fc2b17cb4 100644 --- a/ConsumerApi/Dockerfile.debug +++ b/ConsumerApi/Dockerfile.debug @@ -1,9 +1,9 @@ FROM mcr.microsoft.com/dotnet/sdk:8.0 -EXPOSE 80 +EXPOSE 8080 WORKDIR /app -ENV ASPNETCORE_URLS=http://0.0.0.0:80 +ENV ASPNETCORE_URLS=http://0.0.0.0:8080 ENTRYPOINT ["dotnet", "watch", "--non-interactive", "--project", "ConsumerApi/ConsumerApi.csproj"] 
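Review bot: `USER $APP_UID` in the final stage of AdminUi/src/AdminUi/Dockerfile depends on a variable that this Dockerfile never declares; it comes from the `mcr.microsoft.com/dotnet/aspnet:8.0` base image, and nothing here says so. A short comment above the instruction, for example `# APP_UID is defined by the .NET 8 base image (non-root 'app' user)`, would make the dependency visible to anyone who later swaps the base image. Because `COPY --from=publish` runs before the `USER` switch, the published files stay root-owned and the process cannot modify its own binaries; that is the desirable layout, but it is worth confirming that the application writes nothing under /app at runtime. The same applies to the `USER $APP_UID` added in ConsumerApi/Dockerfile (`@@ -21,4 +19,8 @@`). The stage begins outside this hunk.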
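Review bot: AdminUi/src/AdminUi/Dockerfile.debug moves to port 8080 but gets no `USER` instruction, so the debug image still runs as root even though the commit title reads as if every Dockerfile was switched; ConsumerApi/Dockerfile.debug is in the same state. If that is intentional (presumably `dotnet watch` has to write build output into the source tree), I would state it in the file with a comment such as `# Debug image only: stays root so dotnet watch can write build output; do not deploy`. Otherwise, adding a `USER` line here as well would keep the debug and production images consistent.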
diff --git a/docker-compose/docker-compose.yml b/docker-compose/docker-compose.yml index f8f21e109d..3c7dd822b4 100644 --- a/docker-compose/docker-compose.yml +++ b/docker-compose/docker-compose.yml @@ -13,7 +13,7 @@ services: - Modules__Synchronization__Infrastructure__BlobStorage__ConnectionInfo=${ENMESHED_BLOB_STORAGE_CONNECTION_STRING} # set this environment variable on your local system to an appropriate value (DefaultEndpointsProtocol=https;AccountName=;AccountKey=;EndpointSuffix=core.windows.net) ports: - - "8080:80" + - "8080:8080" depends_on: # - ms-sql-server - rabbitmq @@ -102,7 +102,7 @@ services: environment: - ASPNETCORE_ENVIRONMENT=Local ports: - - "5173:80" + - "5173:8080" depends_on: # - ms-sql-server - rabbitmq diff --git a/helm/values.yaml b/helm/values.yaml index a719f39d5c..5f155ea2db 100644 --- a/helm/values.yaml +++ b/helm/values.yaml @@ -44,7 +44,7 @@ consumerapi: service: type: "ClusterIP" - port: 80 + port: 8080 loadBalancer: # ip - the static ip address the LoadBalancer should use ip: "" @@ -119,7 +119,7 @@ adminui: service: type: "ClusterIP" - port: 80 + port: 8080 image: repository: "ghcr.io/nmshd/backbone-admin-ui"
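Review bot: The new mappings `"8080:8080"` and `"5173:8080"` in docker-compose/docker-compose.yml publish the Consumer API and the Admin UI on every host interface, over plain HTTP. If this compose file is meant for local development only, as `ASPNETCORE_ENVIRONMENT=Local` in the second hunk suggests, binding to loopback would keep both services unreachable from the rest of the network: `- "127.0.0.1:8080:8080"` and `- "127.0.0.1:5173:8080"`. The host side of the mapping is unchanged by this commit, but since both lines are being touched anyway this is a cheap place to tighten it.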
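Review bot: Changing `service.port` from 80 to 8080 in helm/values.yaml (both `consumerapi` and `adminui`) alters the port the Kubernetes Service exposes, not just the port the container listens on. The templates are not part of this diff, so I cannot tell whether the same value is also used as the target or container port. If it is, any deployment that overrides `service.port: 80` in its own values would end up forwarding to a port where nothing listens after the upgrade. Consider keeping the Service port independent of the container port (a separate value for the latter, fixed at 8080), and mention the change in the upgrade notes. Now that the images run as a non-root user, the chart could also enforce this with `runAsNonRoot: true` in the pod `securityContext`, if it does not already.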