From b0e3dcd358a9c48202d8ac76fc05fcfa97811083 Mon Sep 17 00:00:00 2001 From: "Jay R. Wren" Date: Thu, 6 Jun 2024 11:34:05 -0400 Subject: [PATCH 1/6] use setpriv instead of gosu --- Dockerfile.template | 86 ++--------------------------------- docker-entrypoint.sh | 3 +- generate-stackbrew-library.sh | 4 +- versions.sh | 66 --------------------------- 4 files changed, 8 insertions(+), 151 deletions(-) diff --git a/Dockerfile.template b/Dockerfile.template index 489f6102..e2ee7dbb 100644 --- a/Dockerfile.template +++ b/Dockerfile.template @@ -22,6 +22,8 @@ RUN set -eux; \ apk add --no-cache \ # add tzdata for https://github.com/docker-library/redis/issues/138 tzdata \ +# add setpriv for step down from root. + setpriv \ ; {{ ) else ( -}} RUN set -eux; \ 
@@ -29,92 +31,12 @@ RUN set -eux; \ apt-get install -y --no-install-recommends \ # add tzdata explicitly for https://github.com/docker-library/redis/issues/138 (see also https://bugs.debian.org/837060 and related) tzdata \ +# add util-linux for setpriv for step down from root. + util-linux \ ; \ rm -rf /var/lib/apt/lists/* {{ ) end -}} -# grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION {{ .gosu.version }} -RUN set -eux; \ -{{ if env.variant == "alpine" then ( -}} - apk add --no-cache --virtual .gosu-fetch gnupg; \ - arch="$(apk --print-arch)"; \ -{{ ) else ( -}} - savedAptMark="$(apt-mark showmanual)"; \ - apt-get update; \ - apt-get install -y --no-install-recommends ca-certificates gnupg wget; \ - rm -rf /var/lib/apt/lists/*; \ - arch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ -{{ ) end -}} - case "$arch" in \ -{{ - [ - .gosu.arches - | to_entries[] - | ( - if env.variant == "alpine" then - { - # https://dl-cdn.alpinelinux.org/alpine/edge/main/ - # https://dl-cdn.alpinelinux.org/alpine/latest-stable/main/ - amd64: "x86_64", - arm32v6: "armhf", - arm32v7: "armv7", - arm64v8: "aarch64", - i386: "x86", - ppc64le: "ppc64le", - riscv64: "riscv64", - s390x: "s390x", - } - else - { - # https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/data/cputable - # https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines - # http://deb.debian.org/debian/dists/unstable/main/ - # http://deb.debian.org/debian/dists/stable/main/ - # https://deb.debian.org/debian-ports/dists/unstable/main/ - amd64: "amd64", - arm32v5: "armel", - arm32v7: "armhf", - arm64v8: "arm64", - i386: "i386", - mips64le: "mips64el", - ppc64le: "ppc64el", - riscv64: "riscv64", - s390x: "s390x", - } - end - )[.key] as $arch - | select($arch) - | .value - | ( --}} - {{ $arch | @sh }}) url={{ .url | @sh }}; sha256={{ .sha256 | @sh }} ;; \ -{{ - ) - ] | add --}} - *) echo >&2 "error: unsupported gosu architecture: '$arch'"; exit 1 ;; 
\ - esac; \ - wget -O /usr/local/bin/gosu.asc "$url.asc"; \ - wget -O /usr/local/bin/gosu "$url"; \ - echo "$sha256 */usr/local/bin/gosu" | sha256sum -c -; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ -{{ if env.variant == "alpine" then ( -}} - apk del --no-network .gosu-fetch; \ -{{ ) else ( -}} - apt-mark auto '.*' > /dev/null; \ - [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ -{{ ) end -}} - chmod +x /usr/local/bin/gosu; \ - gosu --version; \ - gosu nobody true - ENV REDIS_VERSION {{ .version }} ENV REDIS_DOWNLOAD_URL {{ .url }} ENV REDIS_DOWNLOAD_SHA {{ .sha256 // error("no sha256 for \(.version) (\(env.version))") }} diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh index 30406a51..7ce10b9b 100755 --- a/docker-entrypoint.sh +++ b/docker-entrypoint.sh @@ -10,7 +10,8 @@ fi # allow the container to be started with `--user` if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then find . \! -user redis -exec chown redis '{}' + - exec gosu redis "$0" "$@" + # setpriv is builtin in busybox so invoke as /usr/bin/setpriv + exec /usr/bin/setpriv --reuid=redis -- "$0" "$@" fi # set an appropriate umask (if one isn't set already) diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh index 90cef229..e3112324 100755 --- a/generate-stackbrew-library.sh +++ b/generate-stackbrew-library.sh @@ -110,7 +110,7 @@ for version; do suiteAliases=( "${suiteAliases[@]//latest-/}" ) variantAliases+=( "${suiteAliases[@]}" ) - # calculate the intersection of parent image arches and gosu arches + # calculate the intersection of parent image arches arches="$(jq -r --arg arches "$arches" ' ( $arches 
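Review bot: The removed block ended with `gosu --version; gosu nobody true`, a build-time proof that the step-down tool works, and the new side (`+ util-linux \`) installs a package with no equivalent check, so a missing or option-incompatible `setpriv` would only surface when a container is started as root. I would add one line to the same RUN step after the package install, e.g. `setpriv --reuid=nobody --regid=65534 --clear-groups -- true`, so a broken step-down fails the image build instead; using gid 65534 sidesteps the `nogroup` (Debian) vs `nobody` (Alpine) naming difference, though please confirm both base images define that gid. The RUN instruction this hunk edits begins before the hunk.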
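Review bot: `exec /usr/bin/setpriv --reuid=redis -- "$0" "$@"` changes only the user id, so the re-executed entrypoint and redis-server keep real/effective gid 0 and root's supplementary groups, a weaker step-down than the `gosu redis` it replaces (gosu, as far as I know, also switched the primary and supplementary groups). The line should be `exec /usr/bin/setpriv --reuid=redis --regid=redis --init-groups -- "$0" "$@"` (or `--clear-groups` if the redis user should hold no extra groups). PATCH 3/6 in this series adds `--regid`/`--clear-groups`, so that fix should at least be squashed into this commit so no intermediate revision ships redis with gid 0. The if-block is fully inside the hunk.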
@@ -118,7 +118,7 @@ for version; do | split("[[:space:]]+"; "") ) as $parentArches | .[env.version] - | $parentArches - ($parentArches - (.gosu.arches | keys)) + | $parentArches | join(", ") ' versions.json)" diff --git a/versions.sh b/versions.sh index bfad7385..fc3597b2 100755 --- a/versions.sh +++ b/versions.sh 
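Review bot: After this change the jq program no longer uses anything from versions.json: the visible `| .[env.version]` context line now feeds `| $parentArches`, which discards its input, so the whole filter reduces to splitting `$arches` on whitespace and joining with `, `. Dropping the `.[env.version]` step, the `as $parentArches` binding and the `versions.json` argument (the `jq -r --arg arches "$arches"` start is visible in the preceding hunk) makes that explicit: `arches="$(jq -rn --arg arches "$arches" '$arches | split("[[:space:]]+"; "") | join(", ")')"`. The enclosing `for version; do` loop starts and ends outside the hunk.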
@@ -16,71 +16,6 @@ debian="$( [ "$(wc -l <<<"$debian")" = 1 ] export debian -gosus="$( - git ls-remote --tags https://github.com/tianon/gosu.git \ - | cut -d/ -f3- \ - | cut -d^ -f1 \ - | grep -E '^[0-9]+' \ - | sort -urV -)" -gosu= -for possible in $gosus; do - urlBase="https://github.com/tianon/gosu/releases/download/$possible" - if shas="$(wget -qO- "$urlBase/SHA256SUMS")" && [ -n "$shas" ]; then - gosu="$(jq <<<"$shas" -csR --arg version "$possible" --arg urlBase "$urlBase" '{ - version: $version, - arches: ( - rtrimstr("\n") - | split("\n") - | map( - # this capture will naturally ignore the ".asc" file checksums - capture( - [ - "^(?[0-9a-f]{64})", - "( | [*])", - "(?", - "gosu-", - "(?[^_. -]+)", - ")$" - ] | join("") - ) - | { - ( - # convert dpkg arch into bashbrew arch - { - # https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/data/cputable - # https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines - # http://deb.debian.org/debian/dists/unstable/main/ - # http://deb.debian.org/debian/dists/stable/main/ - # https://deb.debian.org/debian-ports/dists/unstable/main/ - amd64: "amd64", - armel: "arm32v5", - armhf: "arm32v6", # https://github.com/tianon/gosu/blob/2dada3bb5dfbc1e7162a29907691b6f45995d54e/Dockerfile#L52-L53 - arm64: "arm64v8", - i386: "i386", - mips64el: "mips64le", - ppc64el: "ppc64le", - riscv64: "riscv64", - s390x: "s390x", - }[.dpkgArch] // empty - ): { - url: ($urlBase + "/" + .file), - sha256: .sha256, - }, - } - ) - | add - | if has("arm32v6") and (has("arm32v7") | not) then - .arm32v7 = .arm32v6 - else . end - ), - }')" - break - fi -done -[ -n "$gosu" ] -export gosu - cd "$(dirname "$(readlink -f "$BASH_SOURCE")")" versions=( "$@" ) @@ -147,7 +82,6 @@ for version in "${versions[@]}"; do .[env.version] = ($doc + { debian: { version: env.debian }, alpine: { version: env.alpine }, - gosu: (env.gosu | fromjson), }) ')" done From 1a2f58b0d4d60d024a0286618757e8ff0f7341b0 Mon Sep 17 00:00:00 2001 
From: "Jay R. Wren" Date: Thu, 6 Jun 2024 14:38:46 -0400 Subject: [PATCH 2/6] run apply-templates.sh --- 6.2/alpine/Dockerfile | 32 +------- 6.2/alpine/docker-entrypoint.sh | 3 +- 6.2/debian/Dockerfile | 38 +-------- 6.2/debian/docker-entrypoint.sh | 3 +- 7.0/alpine/Dockerfile | 32 +------- 7.0/alpine/docker-entrypoint.sh | 3 +- 7.0/debian/Dockerfile | 38 +-------- 7.0/debian/docker-entrypoint.sh | 3 +- 7.2/alpine/Dockerfile | 32 +------- 7.2/alpine/docker-entrypoint.sh | 3 +- 7.2/debian/Dockerfile | 38 +-------- 7.2/debian/docker-entrypoint.sh | 3 +- versions.json | 135 -------------------------------- 13 files changed, 24 insertions(+), 339 deletions(-) diff --git a/6.2/alpine/Dockerfile b/6.2/alpine/Dockerfile index 43d02e10..f9047c9c 100644 --- a/6.2/alpine/Dockerfile +++ b/6.2/alpine/Dockerfile 
@@ -17,38 +17,10 @@ RUN set -eux; \ apk add --no-cache \ # add tzdata for https://github.com/docker-library/redis/issues/138 tzdata \ +# add setpriv for step down from root. + setpriv \ ; -# grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 -RUN set -eux; \ - apk add --no-cache --virtual .gosu-fetch gnupg; \ - arch="$(apk --print-arch)"; \ - case "$arch" in \ - 'x86_64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64'; sha256='bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3' ;; \ - 'aarch64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-arm64'; sha256='c3805a85d17f4454c23d7059bcb97e1ec1af272b90126e79ed002342de08389b' ;; \ - 'armhf') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf'; sha256='e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b' ;; \ - 'x86') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-i386'; sha256='087dbb8fe479537e64f9c86fa49ff3b41dee1cbd28739a19aaef83dc8186b1ca' ;; \ - 'ppc64le') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-ppc64el'; sha256='1891acdcfa70046818ab6ed3c52b9d42fa10fbb7b340eb429c8c7849691dbd76' ;; \ - 'riscv64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-riscv64'; sha256='38a6444b57adce135c42d5a3689f616fc7803ddc7a07ff6f946f2ebc67a26ba6' ;; \ - 's390x') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-s390x'; sha256='69873bab588192f760547ca1f75b27cfcf106e9f7403fee6fd0600bc914979d0' ;; \ - 'armv7') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf'; sha256='e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b' ;; \ - *) echo >&2 "error: unsupported gosu architecture: '$arch'"; exit 1 ;; \ - esac; \ - wget -O /usr/local/bin/gosu.asc "$url.asc"; \ - wget -O /usr/local/bin/gosu "$url"; \ - echo "$sha256 */usr/local/bin/gosu" | sha256sum -c -; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg 
--batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - apk del --no-network .gosu-fetch; \ - chmod +x /usr/local/bin/gosu; \ - gosu --version; \ - gosu nobody true - ENV REDIS_VERSION 6.2.14 ENV REDIS_DOWNLOAD_URL http://download.redis.io/releases/redis-6.2.14.tar.gz ENV REDIS_DOWNLOAD_SHA 34e74856cbd66fdb3a684fb349d93961d8c7aa668b06f81fd93ff267d09bc277 diff --git a/6.2/alpine/docker-entrypoint.sh b/6.2/alpine/docker-entrypoint.sh index 30406a51..7ce10b9b 100755 --- a/6.2/alpine/docker-entrypoint.sh +++ b/6.2/alpine/docker-entrypoint.sh @@ -10,7 +10,8 @@ fi # allow the container to be started with `--user` if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then find . \! -user redis -exec chown redis '{}' + - exec gosu redis "$0" "$@" + # setpriv is builtin in busybox so invoke as /usr/bin/setpriv + exec /usr/bin/setpriv --reuid=redis -- "$0" "$@" fi # set an appropriate umask (if one isn't set already) diff --git a/6.2/debian/Dockerfile b/6.2/debian/Dockerfile index 7f3c1c75..3f610b7f 100644 --- a/6.2/debian/Dockerfile +++ b/6.2/debian/Dockerfile 
@@ -17,45 +17,11 @@ RUN set -eux; \ apt-get install -y --no-install-recommends \ # add tzdata explicitly for https://github.com/docker-library/redis/issues/138 (see also https://bugs.debian.org/837060 and related) tzdata \ +# add util-linux for setpriv for step down from root. + util-linux \ ; \ rm -rf /var/lib/apt/lists/* -# grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 -RUN set -eux; \ - savedAptMark="$(apt-mark showmanual)"; \ - apt-get update; \ - apt-get install -y --no-install-recommends ca-certificates gnupg wget; \ - rm -rf /var/lib/apt/lists/*; \ - arch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - case "$arch" in \ - 'amd64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64'; sha256='bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3' ;; \ - 'arm64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-arm64'; sha256='c3805a85d17f4454c23d7059bcb97e1ec1af272b90126e79ed002342de08389b' ;; \ - 'armel') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armel'; sha256='f9969910fa141140438c998cfa02f603bf213b11afd466dcde8fa940e700945d' ;; \ - 'i386') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-i386'; sha256='087dbb8fe479537e64f9c86fa49ff3b41dee1cbd28739a19aaef83dc8186b1ca' ;; \ - 'mips64el') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-mips64el'; sha256='87140029d792595e660be0015341dfa1c02d1181459ae40df9f093e471d75b70' ;; \ - 'ppc64el') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-ppc64el'; sha256='1891acdcfa70046818ab6ed3c52b9d42fa10fbb7b340eb429c8c7849691dbd76' ;; \ - 'riscv64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-riscv64'; sha256='38a6444b57adce135c42d5a3689f616fc7803ddc7a07ff6f946f2ebc67a26ba6' ;; \ - 's390x') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-s390x'; 
sha256='69873bab588192f760547ca1f75b27cfcf106e9f7403fee6fd0600bc914979d0' ;; \ - 'armhf') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf'; sha256='e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b' ;; \ - *) echo >&2 "error: unsupported gosu architecture: '$arch'"; exit 1 ;; \ - esac; \ - wget -O /usr/local/bin/gosu.asc "$url.asc"; \ - wget -O /usr/local/bin/gosu "$url"; \ - echo "$sha256 */usr/local/bin/gosu" | sha256sum -c -; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - apt-mark auto '.*' > /dev/null; \ - [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - chmod +x /usr/local/bin/gosu; \ - gosu --version; \ - gosu nobody true - ENV REDIS_VERSION 6.2.14 ENV REDIS_DOWNLOAD_URL http://download.redis.io/releases/redis-6.2.14.tar.gz ENV REDIS_DOWNLOAD_SHA 34e74856cbd66fdb3a684fb349d93961d8c7aa668b06f81fd93ff267d09bc277 diff --git a/6.2/debian/docker-entrypoint.sh b/6.2/debian/docker-entrypoint.sh index 30406a51..7ce10b9b 100755 --- a/6.2/debian/docker-entrypoint.sh +++ b/6.2/debian/docker-entrypoint.sh @@ -10,7 +10,8 @@ fi # allow the container to be started with `--user` if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then find . \! -user redis -exec chown redis '{}' + - exec gosu redis "$0" "$@" + # setpriv is builtin in busybox so invoke as /usr/bin/setpriv + exec /usr/bin/setpriv --reuid=redis -- "$0" "$@" fi # set an appropriate umask (if one isn't set already) diff --git a/7.0/alpine/Dockerfile b/7.0/alpine/Dockerfile index 80aaa20b..b95992f7 100644 --- a/7.0/alpine/Dockerfile +++ b/7.0/alpine/Dockerfile 
@@ -17,38 +17,10 @@ RUN set -eux; \ apk add --no-cache \ # add tzdata for https://github.com/docker-library/redis/issues/138 tzdata \ +# add setpriv for step down from root. + setpriv \ ; -# grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 -RUN set -eux; \ - apk add --no-cache --virtual .gosu-fetch gnupg; \ - arch="$(apk --print-arch)"; \ - case "$arch" in \ - 'x86_64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64'; sha256='bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3' ;; \ - 'aarch64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-arm64'; sha256='c3805a85d17f4454c23d7059bcb97e1ec1af272b90126e79ed002342de08389b' ;; \ - 'armhf') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf'; sha256='e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b' ;; \ - 'x86') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-i386'; sha256='087dbb8fe479537e64f9c86fa49ff3b41dee1cbd28739a19aaef83dc8186b1ca' ;; \ - 'ppc64le') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-ppc64el'; sha256='1891acdcfa70046818ab6ed3c52b9d42fa10fbb7b340eb429c8c7849691dbd76' ;; \ - 'riscv64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-riscv64'; sha256='38a6444b57adce135c42d5a3689f616fc7803ddc7a07ff6f946f2ebc67a26ba6' ;; \ - 's390x') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-s390x'; sha256='69873bab588192f760547ca1f75b27cfcf106e9f7403fee6fd0600bc914979d0' ;; \ - 'armv7') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf'; sha256='e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b' ;; \ - *) echo >&2 "error: unsupported gosu architecture: '$arch'"; exit 1 ;; \ - esac; \ - wget -O /usr/local/bin/gosu.asc "$url.asc"; \ - wget -O /usr/local/bin/gosu "$url"; \ - echo "$sha256 */usr/local/bin/gosu" | sha256sum -c -; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg 
--batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - apk del --no-network .gosu-fetch; \ - chmod +x /usr/local/bin/gosu; \ - gosu --version; \ - gosu nobody true - ENV REDIS_VERSION 7.0.15 ENV REDIS_DOWNLOAD_URL http://download.redis.io/releases/redis-7.0.15.tar.gz ENV REDIS_DOWNLOAD_SHA 98066f5363504b26c34dd20fbcc3c957990d764cdf42576c836fc021073f4341 diff --git a/7.0/alpine/docker-entrypoint.sh b/7.0/alpine/docker-entrypoint.sh index 30406a51..7ce10b9b 100755 --- a/7.0/alpine/docker-entrypoint.sh +++ b/7.0/alpine/docker-entrypoint.sh @@ -10,7 +10,8 @@ fi # allow the container to be started with `--user` if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then find . \! -user redis -exec chown redis '{}' + - exec gosu redis "$0" "$@" + # setpriv is builtin in busybox so invoke as /usr/bin/setpriv + exec /usr/bin/setpriv --reuid=redis -- "$0" "$@" fi # set an appropriate umask (if one isn't set already) diff --git a/7.0/debian/Dockerfile b/7.0/debian/Dockerfile index d252fa65..09627d7d 100644 --- a/7.0/debian/Dockerfile +++ b/7.0/debian/Dockerfile 
@@ -17,45 +17,11 @@ RUN set -eux; \ apt-get install -y --no-install-recommends \ # add tzdata explicitly for https://github.com/docker-library/redis/issues/138 (see also https://bugs.debian.org/837060 and related) tzdata \ +# add util-linux for setpriv for step down from root. + util-linux \ ; \ rm -rf /var/lib/apt/lists/* -# grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 -RUN set -eux; \ - savedAptMark="$(apt-mark showmanual)"; \ - apt-get update; \ - apt-get install -y --no-install-recommends ca-certificates gnupg wget; \ - rm -rf /var/lib/apt/lists/*; \ - arch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - case "$arch" in \ - 'amd64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64'; sha256='bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3' ;; \ - 'arm64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-arm64'; sha256='c3805a85d17f4454c23d7059bcb97e1ec1af272b90126e79ed002342de08389b' ;; \ - 'armel') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armel'; sha256='f9969910fa141140438c998cfa02f603bf213b11afd466dcde8fa940e700945d' ;; \ - 'i386') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-i386'; sha256='087dbb8fe479537e64f9c86fa49ff3b41dee1cbd28739a19aaef83dc8186b1ca' ;; \ - 'mips64el') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-mips64el'; sha256='87140029d792595e660be0015341dfa1c02d1181459ae40df9f093e471d75b70' ;; \ - 'ppc64el') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-ppc64el'; sha256='1891acdcfa70046818ab6ed3c52b9d42fa10fbb7b340eb429c8c7849691dbd76' ;; \ - 'riscv64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-riscv64'; sha256='38a6444b57adce135c42d5a3689f616fc7803ddc7a07ff6f946f2ebc67a26ba6' ;; \ - 's390x') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-s390x'; 
sha256='69873bab588192f760547ca1f75b27cfcf106e9f7403fee6fd0600bc914979d0' ;; \ - 'armhf') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf'; sha256='e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b' ;; \ - *) echo >&2 "error: unsupported gosu architecture: '$arch'"; exit 1 ;; \ - esac; \ - wget -O /usr/local/bin/gosu.asc "$url.asc"; \ - wget -O /usr/local/bin/gosu "$url"; \ - echo "$sha256 */usr/local/bin/gosu" | sha256sum -c -; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - apt-mark auto '.*' > /dev/null; \ - [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - chmod +x /usr/local/bin/gosu; \ - gosu --version; \ - gosu nobody true - ENV REDIS_VERSION 7.0.15 ENV REDIS_DOWNLOAD_URL http://download.redis.io/releases/redis-7.0.15.tar.gz ENV REDIS_DOWNLOAD_SHA 98066f5363504b26c34dd20fbcc3c957990d764cdf42576c836fc021073f4341 diff --git a/7.0/debian/docker-entrypoint.sh b/7.0/debian/docker-entrypoint.sh index 30406a51..7ce10b9b 100755 --- a/7.0/debian/docker-entrypoint.sh +++ b/7.0/debian/docker-entrypoint.sh @@ -10,7 +10,8 @@ fi # allow the container to be started with `--user` if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then find . \! -user redis -exec chown redis '{}' + - exec gosu redis "$0" "$@" + # setpriv is builtin in busybox so invoke as /usr/bin/setpriv + exec /usr/bin/setpriv --reuid=redis -- "$0" "$@" fi # set an appropriate umask (if one isn't set already) diff --git a/7.2/alpine/Dockerfile b/7.2/alpine/Dockerfile index 19304a8d..eee07733 100644 --- a/7.2/alpine/Dockerfile +++ b/7.2/alpine/Dockerfile 
@@ -17,38 +17,10 @@ RUN set -eux; \ apk add --no-cache \ # add tzdata for https://github.com/docker-library/redis/issues/138 tzdata \ +# add setpriv for step down from root. + setpriv \ ; -# grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 -RUN set -eux; \ - apk add --no-cache --virtual .gosu-fetch gnupg; \ - arch="$(apk --print-arch)"; \ - case "$arch" in \ - 'x86_64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64'; sha256='bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3' ;; \ - 'aarch64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-arm64'; sha256='c3805a85d17f4454c23d7059bcb97e1ec1af272b90126e79ed002342de08389b' ;; \ - 'armhf') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf'; sha256='e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b' ;; \ - 'x86') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-i386'; sha256='087dbb8fe479537e64f9c86fa49ff3b41dee1cbd28739a19aaef83dc8186b1ca' ;; \ - 'ppc64le') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-ppc64el'; sha256='1891acdcfa70046818ab6ed3c52b9d42fa10fbb7b340eb429c8c7849691dbd76' ;; \ - 'riscv64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-riscv64'; sha256='38a6444b57adce135c42d5a3689f616fc7803ddc7a07ff6f946f2ebc67a26ba6' ;; \ - 's390x') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-s390x'; sha256='69873bab588192f760547ca1f75b27cfcf106e9f7403fee6fd0600bc914979d0' ;; \ - 'armv7') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf'; sha256='e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b' ;; \ - *) echo >&2 "error: unsupported gosu architecture: '$arch'"; exit 1 ;; \ - esac; \ - wget -O /usr/local/bin/gosu.asc "$url.asc"; \ - wget -O /usr/local/bin/gosu "$url"; \ - echo "$sha256 */usr/local/bin/gosu" | sha256sum -c -; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg 
--batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - apk del --no-network .gosu-fetch; \ - chmod +x /usr/local/bin/gosu; \ - gosu --version; \ - gosu nobody true - ENV REDIS_VERSION 7.2.5 ENV REDIS_DOWNLOAD_URL http://download.redis.io/releases/redis-7.2.5.tar.gz ENV REDIS_DOWNLOAD_SHA 5981179706f8391f03be91d951acafaeda91af7fac56beffb2701963103e423d diff --git a/7.2/alpine/docker-entrypoint.sh b/7.2/alpine/docker-entrypoint.sh index 30406a51..7ce10b9b 100755 --- a/7.2/alpine/docker-entrypoint.sh +++ b/7.2/alpine/docker-entrypoint.sh @@ -10,7 +10,8 @@ fi # allow the container to be started with `--user` if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then find . \! -user redis -exec chown redis '{}' + - exec gosu redis "$0" "$@" + # setpriv is builtin in busybox so invoke as /usr/bin/setpriv + exec /usr/bin/setpriv --reuid=redis -- "$0" "$@" fi # set an appropriate umask (if one isn't set already) diff --git a/7.2/debian/Dockerfile b/7.2/debian/Dockerfile index 3e2fbd13..cdd02be5 100644 --- a/7.2/debian/Dockerfile +++ b/7.2/debian/Dockerfile 
@@ -17,45 +17,11 @@ RUN set -eux; \ apt-get install -y --no-install-recommends \ # add tzdata explicitly for https://github.com/docker-library/redis/issues/138 (see also https://bugs.debian.org/837060 and related) tzdata \ +# add util-linux for setpriv for step down from root. + util-linux \ ; \ rm -rf /var/lib/apt/lists/* -# grab gosu for easy step-down from root -# https://github.com/tianon/gosu/releases -ENV GOSU_VERSION 1.17 -RUN set -eux; \ - savedAptMark="$(apt-mark showmanual)"; \ - apt-get update; \ - apt-get install -y --no-install-recommends ca-certificates gnupg wget; \ - rm -rf /var/lib/apt/lists/*; \ - arch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \ - case "$arch" in \ - 'amd64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64'; sha256='bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3' ;; \ - 'arm64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-arm64'; sha256='c3805a85d17f4454c23d7059bcb97e1ec1af272b90126e79ed002342de08389b' ;; \ - 'armel') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armel'; sha256='f9969910fa141140438c998cfa02f603bf213b11afd466dcde8fa940e700945d' ;; \ - 'i386') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-i386'; sha256='087dbb8fe479537e64f9c86fa49ff3b41dee1cbd28739a19aaef83dc8186b1ca' ;; \ - 'mips64el') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-mips64el'; sha256='87140029d792595e660be0015341dfa1c02d1181459ae40df9f093e471d75b70' ;; \ - 'ppc64el') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-ppc64el'; sha256='1891acdcfa70046818ab6ed3c52b9d42fa10fbb7b340eb429c8c7849691dbd76' ;; \ - 'riscv64') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-riscv64'; sha256='38a6444b57adce135c42d5a3689f616fc7803ddc7a07ff6f946f2ebc67a26ba6' ;; \ - 's390x') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-s390x'; 
sha256='69873bab588192f760547ca1f75b27cfcf106e9f7403fee6fd0600bc914979d0' ;; \ - 'armhf') url='https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf'; sha256='e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b' ;; \ - *) echo >&2 "error: unsupported gosu architecture: '$arch'"; exit 1 ;; \ - esac; \ - wget -O /usr/local/bin/gosu.asc "$url.asc"; \ - wget -O /usr/local/bin/gosu "$url"; \ - echo "$sha256 */usr/local/bin/gosu" | sha256sum -c -; \ - export GNUPGHOME="$(mktemp -d)"; \ - gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \ - gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \ - gpgconf --kill all; \ - rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \ - apt-mark auto '.*' > /dev/null; \ - [ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \ - apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \ - chmod +x /usr/local/bin/gosu; \ - gosu --version; \ - gosu nobody true - ENV REDIS_VERSION 7.2.5 ENV REDIS_DOWNLOAD_URL http://download.redis.io/releases/redis-7.2.5.tar.gz ENV REDIS_DOWNLOAD_SHA 5981179706f8391f03be91d951acafaeda91af7fac56beffb2701963103e423d diff --git a/7.2/debian/docker-entrypoint.sh b/7.2/debian/docker-entrypoint.sh index 30406a51..7ce10b9b 100755 --- a/7.2/debian/docker-entrypoint.sh +++ b/7.2/debian/docker-entrypoint.sh @@ -10,7 +10,8 @@ fi # allow the container to be started with `--user` if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then find . \! -user redis -exec chown redis '{}' + - exec gosu redis "$0" "$@" + # setpriv is builtin in busybox so invoke as /usr/bin/setpriv + exec /usr/bin/setpriv --reuid=redis -- "$0" "$@" fi # set an appropriate umask (if one isn't set already) diff --git a/versions.json b/versions.json index 4eb623cc..7919f67e 100644 --- a/versions.json +++ b/versions.json 
@@ -8,51 +8,6 @@ }, "alpine": { "version": "3.20" - }, - "gosu": { - "version": "1.17", - "arches": { - "amd64": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64", - "sha256": "bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3" - }, - "arm64v8": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-arm64", - "sha256": "c3805a85d17f4454c23d7059bcb97e1ec1af272b90126e79ed002342de08389b" - }, - "arm32v5": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-armel", - "sha256": "f9969910fa141140438c998cfa02f603bf213b11afd466dcde8fa940e700945d" - }, - "arm32v6": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf", - "sha256": "e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b" - }, - "i386": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-i386", - "sha256": "087dbb8fe479537e64f9c86fa49ff3b41dee1cbd28739a19aaef83dc8186b1ca" - }, - "mips64le": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-mips64el", - "sha256": "87140029d792595e660be0015341dfa1c02d1181459ae40df9f093e471d75b70" - }, - "ppc64le": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-ppc64el", - "sha256": "1891acdcfa70046818ab6ed3c52b9d42fa10fbb7b340eb429c8c7849691dbd76" - }, - "riscv64": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-riscv64", - "sha256": "38a6444b57adce135c42d5a3689f616fc7803ddc7a07ff6f946f2ebc67a26ba6" - }, - "s390x": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-s390x", - "sha256": "69873bab588192f760547ca1f75b27cfcf106e9f7403fee6fd0600bc914979d0" - }, - "arm32v7": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf", - "sha256": "e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b" - } - } } }, "7.0": { 
@@ -64,51 +19,6 @@ }, "alpine": { "version": "3.20" - }, - "gosu": { - "version": "1.17", - "arches": { - "amd64": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64", - "sha256": "bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3" - }, - "arm64v8": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-arm64", - "sha256": "c3805a85d17f4454c23d7059bcb97e1ec1af272b90126e79ed002342de08389b" - }, - "arm32v5": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-armel", - "sha256": "f9969910fa141140438c998cfa02f603bf213b11afd466dcde8fa940e700945d" - }, - "arm32v6": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf", - "sha256": "e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b" - }, - "i386": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-i386", - "sha256": "087dbb8fe479537e64f9c86fa49ff3b41dee1cbd28739a19aaef83dc8186b1ca" - }, - "mips64le": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-mips64el", - "sha256": "87140029d792595e660be0015341dfa1c02d1181459ae40df9f093e471d75b70" - }, - "ppc64le": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-ppc64el", - "sha256": "1891acdcfa70046818ab6ed3c52b9d42fa10fbb7b340eb429c8c7849691dbd76" - }, - "riscv64": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-riscv64", - "sha256": "38a6444b57adce135c42d5a3689f616fc7803ddc7a07ff6f946f2ebc67a26ba6" - }, - "s390x": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-s390x", - "sha256": "69873bab588192f760547ca1f75b27cfcf106e9f7403fee6fd0600bc914979d0" - }, - "arm32v7": { - "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf", - "sha256": "e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b" - } - } } }, "7.2": { 
@@ -120,51 +30,6 @@
 },
 "alpine": {
 "version": "3.20"
- },
- "gosu": {
- "version": "1.17",
- "arches": {
- "amd64": {
- "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64",
- "sha256": "bbc4136d03ab138b1ad66fa4fc051bafc6cc7ffae632b069a53657279a450de3"
- },
- "arm64v8": {
- "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-arm64",
- "sha256": "c3805a85d17f4454c23d7059bcb97e1ec1af272b90126e79ed002342de08389b"
- },
- "arm32v5": {
- "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-armel",
- "sha256": "f9969910fa141140438c998cfa02f603bf213b11afd466dcde8fa940e700945d"
- },
- "arm32v6": {
- "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf",
- "sha256": "e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b"
- },
- "i386": {
- "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-i386",
- "sha256": "087dbb8fe479537e64f9c86fa49ff3b41dee1cbd28739a19aaef83dc8186b1ca"
- },
- "mips64le": {
- "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-mips64el",
- "sha256": "87140029d792595e660be0015341dfa1c02d1181459ae40df9f093e471d75b70"
- },
- "ppc64le": {
- "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-ppc64el",
- "sha256": "1891acdcfa70046818ab6ed3c52b9d42fa10fbb7b340eb429c8c7849691dbd76"
- },
- "riscv64": {
- "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-riscv64",
- "sha256": "38a6444b57adce135c42d5a3689f616fc7803ddc7a07ff6f946f2ebc67a26ba6"
- },
- "s390x": {
- "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-s390x",
- "sha256": "69873bab588192f760547ca1f75b27cfcf106e9f7403fee6fd0600bc914979d0"
- },
- "arm32v7": {
- "url": "https://github.com/tianon/gosu/releases/download/1.17/gosu-armhf",
- "sha256": "e5866286277ff2a2159fb9196fea13e0a59d3f1091ea46ddb985160b94b6841b"
- }
- }
 }
 }
 }
From a46d29bbe415827cba14f07049f91c7796f94080 Mon Sep 17 00:00:00 2001
From: "Jay R. Wren"
Date: Thu, 6 Jun 2024 14:45:26 -0400
Subject: [PATCH 3/6] use --regid=redis --clear-groups with setpriv and no explicit path
---
 Dockerfile.template | 2 --
 docker-entrypoint.sh | 3 +--
 2 files changed, 1 insertion(+), 4 deletions(-)
diff --git a/Dockerfile.template b/Dockerfile.template
index e2ee7dbb..4c7ecc5b 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -31,8 +31,6 @@ RUN set -eux; \
 apt-get install -y --no-install-recommends \
 # add tzdata explicitly for https://github.com/docker-library/redis/issues/138 (see also https://bugs.debian.org/837060 and related)
 tzdata \
-# add util-linux for setpriv for step down from root.
- util-linux \
 ; \
 rm -rf /var/lib/apt/lists/*
 {{ ) end -}}
diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
index 7ce10b9b..758661c1 100755
--- a/docker-entrypoint.sh
+++ b/docker-entrypoint.sh
@@ -10,8 +10,7 @@ fi
 # allow the container to be started with `--user`
 if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
 find . \! -user redis -exec chown redis '{}' +
- # setpriv is builtin in busybox so invoke as /usr/bin/setpriv
- exec /usr/bin/setpriv --reuid=redis -- "$0" "$@"
+ exec setpriv --reuid=redis --regid=redis --clear-groups -- "$0" "$@"
 fi
 
 # set an appropriate umask (if one isn't set already)
From 0264183b601a2fdbf26cd737964cf6835df3d670 Mon Sep 17 00:00:00 2001
From: "Jay R. Wren"
Date: Thu, 6 Jun 2024 14:47:48 -0400
Subject: [PATCH 4/6] .
---
 6.2/alpine/docker-entrypoint.sh | 3 +--
 6.2/debian/Dockerfile | 2 --
 6.2/debian/docker-entrypoint.sh | 3 +--
 7.0/alpine/docker-entrypoint.sh | 3 +--
 7.0/debian/Dockerfile | 2 --
 7.0/debian/docker-entrypoint.sh | 3 +--
 7.2/alpine/docker-entrypoint.sh | 3 +--
 7.2/debian/Dockerfile | 2 --
 7.2/debian/docker-entrypoint.sh | 3 +--
 Dockerfile.template | 2 +-
 10 files changed, 7 insertions(+), 19 deletions(-)
diff --git a/6.2/alpine/docker-entrypoint.sh b/6.2/alpine/docker-entrypoint.sh
index 7ce10b9b..758661c1 100755
--- a/6.2/alpine/docker-entrypoint.sh
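Review bot: With `util-linux` dropped from the apt list, the debian variant no longer declares where the `setpriv` that docker-entrypoint.sh execs comes from; it keeps working only because util-linux is an Essential package already present in the debian base image, and nothing in the Dockerfile records that. A comment beside the tzdata entry, e.g. `# setpriv (used by docker-entrypoint.sh) is provided by util-linux, which is Essential in the base image`, keeps the dependency visible if the base image or the entrypoint ever changes. The same removal is propagated to the generated 6.2/7.0/7.2 debian Dockerfiles in patch 4/6.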
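Review bot: Deleting the comment on the removed line discards the only recorded reason for the absolute `/usr/bin/setpriv` path, and the new `exec setpriv …` now runs whichever `setpriv` PATH resolves first; if the busybox applet the old comment points at really lacks the options used here, that would only show up as a failure at container start on alpine. Keeping the rationale as a comment above the exec, e.g. `# util-linux setpriv (apk 'setpriv' on alpine); the busybox applet is not a substitute`, or keeping the absolute path, makes the dependency explicit. `--clear-groups` also drops any supplementary groups of the redis user, which is stricter than gosu's su-like behaviour of initialising them; that is the safer default for a single-purpose account, but a short comment saying it is intentional would stop someone "fixing" it to `--init-groups`. The same hunk is replicated into the generated 6.2/7.0/7.2 entrypoints in patch 4/6.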
+++ b/6.2/alpine/docker-entrypoint.sh
@@ -10,8 +10,7 @@ fi
 # allow the container to be started with `--user`
 if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
 find . \! -user redis -exec chown redis '{}' +
- # setpriv is builtin in busybox so invoke as /usr/bin/setpriv
- exec /usr/bin/setpriv --reuid=redis -- "$0" "$@"
+ exec setpriv --reuid=redis --regid=redis --clear-groups -- "$0" "$@"
 fi
 
 # set an appropriate umask (if one isn't set already)
diff --git a/6.2/debian/Dockerfile b/6.2/debian/Dockerfile
index 3f610b7f..121bc0fc 100644
--- a/6.2/debian/Dockerfile
+++ b/6.2/debian/Dockerfile
@@ -17,8 +17,6 @@ RUN set -eux; \
 apt-get install -y --no-install-recommends \
 # add tzdata explicitly for https://github.com/docker-library/redis/issues/138 (see also https://bugs.debian.org/837060 and related)
 tzdata \
-# add util-linux for setpriv for step down from root.
- util-linux \
 ; \
 rm -rf /var/lib/apt/lists/*
 
diff --git a/6.2/debian/docker-entrypoint.sh b/6.2/debian/docker-entrypoint.sh
index 7ce10b9b..758661c1 100755
--- a/6.2/debian/docker-entrypoint.sh
+++ b/6.2/debian/docker-entrypoint.sh
@@ -10,8 +10,7 @@ fi
 # allow the container to be started with `--user`
 if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
 find . \! -user redis -exec chown redis '{}' +
- # setpriv is builtin in busybox so invoke as /usr/bin/setpriv
- exec /usr/bin/setpriv --reuid=redis -- "$0" "$@"
+ exec setpriv --reuid=redis --regid=redis --clear-groups -- "$0" "$@"
 fi
 
 # set an appropriate umask (if one isn't set already)
diff --git a/7.0/alpine/docker-entrypoint.sh b/7.0/alpine/docker-entrypoint.sh
index 7ce10b9b..758661c1 100755
--- a/7.0/alpine/docker-entrypoint.sh
+++ b/7.0/alpine/docker-entrypoint.sh
@@ -10,8 +10,7 @@ fi
 # allow the container to be started with `--user`
 if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
 find . \! -user redis -exec chown redis '{}' +
- # setpriv is builtin in busybox so invoke as /usr/bin/setpriv
- exec /usr/bin/setpriv --reuid=redis -- "$0" "$@"
+ exec setpriv --reuid=redis --regid=redis --clear-groups -- "$0" "$@"
 fi
 
 # set an appropriate umask (if one isn't set already)
diff --git a/7.0/debian/Dockerfile b/7.0/debian/Dockerfile
index 09627d7d..68591880 100644
--- a/7.0/debian/Dockerfile
+++ b/7.0/debian/Dockerfile
@@ -17,8 +17,6 @@ RUN set -eux; \
 apt-get install -y --no-install-recommends \
 # add tzdata explicitly for https://github.com/docker-library/redis/issues/138 (see also https://bugs.debian.org/837060 and related)
 tzdata \
-# add util-linux for setpriv for step down from root.
- util-linux \
 ; \
 rm -rf /var/lib/apt/lists/*
 
diff --git a/7.0/debian/docker-entrypoint.sh b/7.0/debian/docker-entrypoint.sh
index 7ce10b9b..758661c1 100755
--- a/7.0/debian/docker-entrypoint.sh
+++ b/7.0/debian/docker-entrypoint.sh
@@ -10,8 +10,7 @@ fi
 # allow the container to be started with `--user`
 if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
 find . \! -user redis -exec chown redis '{}' +
- # setpriv is builtin in busybox so invoke as /usr/bin/setpriv
- exec /usr/bin/setpriv --reuid=redis -- "$0" "$@"
+ exec setpriv --reuid=redis --regid=redis --clear-groups -- "$0" "$@"
 fi
 
 # set an appropriate umask (if one isn't set already)
diff --git a/7.2/alpine/docker-entrypoint.sh b/7.2/alpine/docker-entrypoint.sh
index 7ce10b9b..758661c1 100755
--- a/7.2/alpine/docker-entrypoint.sh
+++ b/7.2/alpine/docker-entrypoint.sh
@@ -10,8 +10,7 @@ fi
 # allow the container to be started with `--user`
 if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
 find . \! -user redis -exec chown redis '{}' +
- # setpriv is builtin in busybox so invoke as /usr/bin/setpriv
- exec /usr/bin/setpriv --reuid=redis -- "$0" "$@"
+ exec setpriv --reuid=redis --regid=redis --clear-groups -- "$0" "$@"
 fi
 
 # set an appropriate umask (if one isn't set already)
diff --git a/7.2/debian/Dockerfile b/7.2/debian/Dockerfile
index cdd02be5..13ceb884 100644
--- a/7.2/debian/Dockerfile
+++ b/7.2/debian/Dockerfile
@@ -17,8 +17,6 @@ RUN set -eux; \
 apt-get install -y --no-install-recommends \
 # add tzdata explicitly for https://github.com/docker-library/redis/issues/138 (see also https://bugs.debian.org/837060 and related)
 tzdata \
-# add util-linux for setpriv for step down from root.
- util-linux \
 ; \
 rm -rf /var/lib/apt/lists/*
 
diff --git a/7.2/debian/docker-entrypoint.sh b/7.2/debian/docker-entrypoint.sh
index 7ce10b9b..758661c1 100755
--- a/7.2/debian/docker-entrypoint.sh
+++ b/7.2/debian/docker-entrypoint.sh
@@ -10,8 +10,7 @@ fi
 # allow the container to be started with `--user`
 if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
 find . \! -user redis -exec chown redis '{}' +
- # setpriv is builtin in busybox so invoke as /usr/bin/setpriv
- exec /usr/bin/setpriv --reuid=redis -- "$0" "$@"
+ exec setpriv --reuid=redis --regid=redis --clear-groups -- "$0" "$@"
 fi
 
 # set an appropriate umask (if one isn't set already)
diff --git a/Dockerfile.template b/Dockerfile.template
index 4c7ecc5b..bcc6c3d8 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -22,7 +22,7 @@ RUN set -eux; \
 apk add --no-cache \
 # add tzdata for https://github.com/docker-library/redis/issues/138
 tzdata \
-# add setpriv for step down from root.
+# add setpriv for step down from root
 setpriv \
 ;
 {{ ) else ( -}}
From 0e5fe6e802a19a636a71caf332e277a5ae346591 Mon Sep 17 00:00:00 2001
From: "Jay R. Wren"
Date: Thu, 6 Jun 2024 15:13:27 -0400
Subject: [PATCH 5/6] remove calculate intersection block
---
 generate-stackbrew-library.sh | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)
diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh
index e3112324..3ff598f2 100755
--- a/generate-stackbrew-library.sh
+++ b/generate-stackbrew-library.sh
@@ -110,21 +110,9 @@ for version; do
 suiteAliases=( "${suiteAliases[@]//latest-/}" )
 variantAliases+=( "${suiteAliases[@]}" )
 
- # calculate the intersection of parent image arches
- arches="$(jq -r --arg arches "$arches" '
- (
- $arches
- | gsub("^[[:space:]]+|[[:space:]]+$"; "")
- | split("[[:space:]]+"; "")
- ) as $parentArches
- | .[env.version]
- | $parentArches
- | join(", ")
- ' versions.json)"
- 
 echo
 cat <<-EOE
- Tags: $(join ', ' "${variantAliases[@]}")
+ Tags: $(join ', ' $arches)
 Architectures: $arches
 GitCommit: $commit
 Directory: $dir
From 42c68284b6ab660078dca19aa116b54ee6bafea8 Mon Sep 17 00:00:00 2001
From: "Jay R. Wren"
Date: Thu, 6 Jun 2024 15:42:44 -0400
Subject: [PATCH 6/6] fixup generate-stackbrew-library.sh
---
 6.2/alpine/Dockerfile | 2 +-
 7.0/alpine/Dockerfile | 2 +-
 7.2/alpine/Dockerfile | 2 +-
 generate-stackbrew-library.sh | 4 ++--
 4 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/6.2/alpine/Dockerfile b/6.2/alpine/Dockerfile
index f9047c9c..05e566aa 100644
--- a/6.2/alpine/Dockerfile
+++ b/6.2/alpine/Dockerfile
@@ -17,7 +17,7 @@ RUN set -eux; \
 apk add --no-cache \
 # add tzdata for https://github.com/docker-library/redis/issues/138
 tzdata \
-# add setpriv for step down from root.
+# add setpriv for step down from root
 setpriv \
 ;
 
diff --git a/7.0/alpine/Dockerfile b/7.0/alpine/Dockerfile
index b95992f7..aaa802a7 100644
--- a/7.0/alpine/Dockerfile
+++ b/7.0/alpine/Dockerfile
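Review bot: The new `Tags:` line emits `$arches` instead of the image aliases, so the generated library file would list architectures as tags and leave `Architectures:` space-separated; patch 6/6 on this page restores `"${variantAliases[@]}"` and comma-joins the arches, so this only bites if the series is bisected. Separately, `$arches` is deliberately left unquoted so `join` sees one word per architecture (the deleted jq block shows the input is whitespace-separated), which ShellCheck reports as SC2086; a comment such as `# $arches is whitespace-separated: word-splitting is intentional` or a `# shellcheck disable=SC2086` marker would record that, and the same applies to the `Architectures: $(join ', ' $arches)` line in patch 6/6. The enclosing `for version; do` loop and the `join` helper are outside the hunk.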
@@ -17,7 +17,7 @@ RUN set -eux; \
 apk add --no-cache \
 # add tzdata for https://github.com/docker-library/redis/issues/138
 tzdata \
-# add setpriv for step down from root.
+# add setpriv for step down from root
 setpriv \
 ;
 
diff --git a/7.2/alpine/Dockerfile b/7.2/alpine/Dockerfile
index eee07733..66b661c4 100644
--- a/7.2/alpine/Dockerfile
+++ b/7.2/alpine/Dockerfile
@@ -17,7 +17,7 @@ RUN set -eux; \
 apk add --no-cache \
 # add tzdata for https://github.com/docker-library/redis/issues/138
 tzdata \
-# add setpriv for step down from root.
+# add setpriv for step down from root
 setpriv \
 ;
 
diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh
index 3ff598f2..ba4337d7 100755
--- a/generate-stackbrew-library.sh
+++ b/generate-stackbrew-library.sh
@@ -112,8 +112,8 @@ for version; do
 
 echo
 cat <<-EOE
- Tags: $(join ', ' $arches)
- Architectures: $arches
+ Tags: $(join ', ' "${variantAliases[@]}")
+ Architectures: $(join ', ' $arches)
 GitCommit: $commit
 Directory: $dir
 EOE