F3516535
D4178.id13287.diff
diff --git a/keyserver/Dockerfile b/keyserver/Dockerfile
--- a/keyserver/Dockerfile
+++ b/keyserver/Dockerfile
@@ -1,7 +1,5 @@
FROM node:16.13-bullseye
-WORKDIR /app
-
#-------------------------------------------------------------------------------
# STEP 0: INSTALL PREREQS
# Install prereqs first so we don't have to reinstall them if anything changes
@@ -12,53 +10,66 @@
rsync \
&& rm -rf /var/lib/apt/lists/*
+#-------------------------------------------------------------------------------
+# STEP 1: DEVOLVE PRIVILEGES
+# Create another user to run the rest of the commands
+#-------------------------------------------------------------------------------
+
+RUN useradd -m comm
+USER comm
+WORKDIR /home/comm/app
+
+#-------------------------------------------------------------------------------
+# STEP 2: INSTALL NVM
# We use nvm to make sure we're running the right Node version
-ENV NVM_DIR /root/.nvm
+#-------------------------------------------------------------------------------
+
+ENV NVM_DIR /home/comm/.nvm
RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh \
| bash
#-------------------------------------------------------------------------------
-# STEP 1: YARN CLEANINSTALL
+# STEP 3: YARN CLEANINSTALL
# We run yarn cleaninstall before copying most of the files in for build caching
#-------------------------------------------------------------------------------
# Copy in package.json and yarn.lock files
-COPY package.json yarn.lock .
-COPY keyserver/package.json keyserver/.flowconfig keyserver/
-COPY lib/package.json lib/.flowconfig lib/
-COPY web/package.json web/.flowconfig web/
-COPY native/package.json native/.flowconfig native/
-COPY landing/package.json landing/.flowconfig landing/
+COPY --chown=comm package.json yarn.lock .
+COPY --chown=comm keyserver/package.json keyserver/.flowconfig keyserver/
+COPY --chown=comm lib/package.json lib/.flowconfig lib/
+COPY --chown=comm web/package.json web/.flowconfig web/
+COPY --chown=comm native/package.json native/.flowconfig native/
+COPY --chown=comm landing/package.json landing/.flowconfig landing/
# Copy in files needed for patch-package and pod-patch
-COPY patches patches/
-COPY native/ios/pod-patch native/ios/pod-patch/
-COPY native/ios/Podfile native/ios/
+COPY --chown=comm patches patches/
+COPY --chown=comm native/ios/pod-patch native/ios/pod-patch/
+COPY --chown=comm native/ios/Podfile native/ios/
# Actually run yarn
RUN yarn cleaninstall
#-------------------------------------------------------------------------------
-# STEP 2: WEBPACK BUILD
+# STEP 4: WEBPACK BUILD
# We do this first so Docker doesn't rebuild when only keyserver files change
#-------------------------------------------------------------------------------
-COPY lib lib/
-COPY landing landing/
+COPY --chown=comm lib lib/
+COPY --chown=comm landing landing/
RUN yarn workspace landing prod
-COPY web web/
+COPY --chown=comm web web/
RUN yarn workspace web prod
#-------------------------------------------------------------------------------
-# STEP 3: COPY IN SOURCE FILES
+# STEP 5: COPY IN SOURCE FILES
# We run this later so the above layers are cached if only source files change
#-------------------------------------------------------------------------------
-COPY . .
+COPY --chown=comm . .
#-------------------------------------------------------------------------------
-# STEP 4: RUN BUILD SCRIPTS
+# STEP 6: RUN BUILD SCRIPTS
# We need to populate keyserver/dist, among other things
#-------------------------------------------------------------------------------
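Review bot: `WORKDIR /home/comm/app` is issued after `USER comm`, and depending on the builder version the directory that WORKDIR auto-creates may be owned by root rather than by the current USER; if so, `RUN yarn cleaninstall` runs as comm inside a root-owned directory and cannot create node_modules even though every copied file is `--chown=comm`. Suggest creating the tree explicitly with the right owner, either `RUN mkdir -p /home/comm/app` right after `USER comm` (still before the WORKDIR line) or `RUN useradd -m comm && mkdir -p /home/comm/app && chown comm:comm /home/comm/app` before switching user, and verifying in a built image that `ls -ld /home/comm/app` shows comm as owner. Minor: `--chown=comm` with no group maps the GID to the same number as the UID, which only works because `useradd -m comm` creates a group with a matching id; `--chown=comm:comm` states the intent explicitly, and pinning `useradd -u` gives a stable UID for anyone bind-mounting the app tree from the host.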
@@ -66,10 +77,10 @@
RUN yarn workspace keyserver prod-build
#-------------------------------------------------------------------------------
-# STEP 5: RUN THE SERVER
+# STEP 7: RUN THE SERVER
# Actually run the Node.js keyserver using nvm
#-------------------------------------------------------------------------------
EXPOSE 3000
-WORKDIR /app/keyserver
+WORKDIR /home/comm/app/keyserver
CMD bash/run-prod.sh
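Review bot: the runtime working directory moves from /app/keyserver to /home/comm/app/keyserver, but `CMD bash/run-prod.sh` and whatever it invokes are outside this diff, so any absolute /app path hard-coded in that script, in keyserver configuration, or in compose/volume mounts will now point at a directory that no longer exists; grep the repository for `/app` before landing. Since the server now runs as comm, also confirm that everything it writes at runtime (logs, upload or temp directories) lives under the chowned /home/comm/app tree or another comm-writable path. EXPOSE 3000 is above 1024, so the unprivileged user needs no extra capability to bind the listen socket.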
Attached To
D4178: [keyserver] Run Docker as non-root user