docker: switch base image from distroless/base to distroless/static:nonroot (#224)

This cuts image size in half and improves security posture by
default, at the cost of a bit more complexity for what should
be slightly unusual deployments (privileged ports AND host
network).

---------

Signed-off-by: Kohei YOSHIDA <[email protected]>
Co-authored-by: Will McCutchen <[email protected]>

Author: yosida95

Dockerfile

@@ -8,7 +8,7 @@ COPY . .
 RUN --mount=type=cache,id=gobuild,target=/root/.cache/go-build \
     make build buildtests
 
-FROM gcr.io/distroless/base
+FROM gcr.io/distroless/static:nonroot
 
 COPY --from=build /go/src/github.com/mccutchen/go-httpbin/dist/go-httpbin* /bin/
 

README.md

@@ -19,13 +19,14 @@ automatically published to these public registries for every tagged release:
 - [mccutchen/go-httpbin][docker-hub]
 
 ```bash
-# Run http server
 $ docker run -P ghcr.io/mccutchen/go-httpbin
-
-# Run https server
-$ docker run -e HTTPS_CERT_FILE='/tmp/server.crt' -e HTTPS_KEY_FILE='/tmp/server.key' -p 8080:8080 -v /tmp:/tmp ghcr.io/mccutchen/go-httpbin
 ```
 
+> [!NOTE]
+> Prebuilt image versions >= 2.19.0 run as a non-root user by default. See
+> [Configuring non-root docker images](#configuring-non-root-docker-images)
+> below for details.
+
 ### Kubernetes
 
 ```
@@ -109,10 +110,9 @@ variables (or a combination of the two):
 | `-srv-read-timeout` | `SRV_READ_TIMEOUT` | Value to use for the http.Server's ReadTimeout option | 5s |
 | `-use-real-hostname` | `USE_REAL_HOSTNAME` | Expose real hostname as reported by os.Hostname() in the /hostname endpoint | false |
 
-#### ⚠️ **HERE BE DRAGONS** ⚠️
-
-These configuration options are dangerous and/or deprecated and should be
-avoided unless backwards compatibility is absolutely required.
+> [!WARNING]
+> These configuration options are dangerous and/or deprecated and should be
+> avoided unless backwards compatibility is absolutely required.
 
 | Argument| Env var | Documentation | Default |
 | - | - | - | - |
@@ -123,6 +123,35 @@ avoided unless backwards compatibility is absolutely required.
 - See [Production considerations] for recommendations around safe configuration
   of public instances of go-httpbin
 
+#### Configuring non-root docker images
+
+Prebuilt image versions >= 2.19.0 run as a non-root user by default to improve
+container security at the cost of additional complexity for some non-standard
+deployments:
+
+- To run the go-httpbin image a) on a privileged port (i.e. below 1024) _and_
+  b) using the Docker host network, you may need to run the container as root
+  in order to enable the `CAP_NET_BIND_SERVICE` capability:
+
+  ```bash
+  $ docker run \
+    --network host \
+    --user root \
+    --cap-drop ALL \
+    --cap-add CAP_NET_BIND_SERVICE \
+    ghcr.io/mccutchen/go-httpbin \
+    /bin/go-httpbin -port=80
+  ```
+
+- If you enable HTTPS directly in the image, make sure that the certificate
+  and private key files are readable by the user running the process:
+
+  ```bash
+  $ chmod 644 /tmp/server.crt
+  $ chmod 640 /tmp/server.key
+  # GID 65532: primary group of the nonroot user in distroless/static:nonroot.
+  $ chown root:65532 /tmp/server.crt /tmp/server.key
+  ```
 
 ## Installation
 

kustomize/resources.yaml

@@ -21,6 +21,8 @@ spec:
               path: /status/200
               port: http
           resources: {}
+          securityContext:
+            runAsNonRoot: true
 ---
 apiVersion: v1
 kind: Service