How do I update my Docker container so that it's unprivileged?



Problem

I have a frontend app that deploys in the Docker container nginxinc/nginx-unprivileged:alpine-slim. The pipeline is currently failing the stage that checks for security vulnerabilities via AquaScan.

The Dockerfile:

FROM nginxinc/nginx-unprivileged:alpine-slim
USER root
RUN apk update && apk upgrade --no-cache
WORKDIR /usr/share/nginx/html
COPY --chown=nginx ./docker/nginx/nginx.conf /etc/nginx/conf.d/default.conf
USER nginx
COPY build .

Things I've tried

  • Due to an issue with AquaScan, upgrading the vulnerable packages with RUN apk update && apk upgrade --no-cache does not pass the scan.
  • Changing to a privileged container fails the deployment.
  • lxc create unprivileged containers is a related post that doesn't work in my situation.


If I could update a different container to be unprivileged, then I could both pass AquaScan and deploy my app.

How do I update my Docker container so that it's unprivileged?

Answer 1

Score: 0


Solution

I updated the Dockerfile like so:

# nginxinc/nginx-unprivileged:alpine-slim has container vulnerabilities that do not pass AquaScan, even after updating. 3/21/2023.
FROM nginx:alpine-slim
# uid of the nginx user created by the official image; busybox sh does not set $UID on its own
ARG UID=101
# implement changes required to run NGINX as an unprivileged user
RUN sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.conf \
  && sed -i '/user  nginx;/d' /etc/nginx/nginx.conf \
  && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
  && sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
  # nginx user must own the cache and etc directory to write cache and tweak the nginx config
  && chown -R $UID:0 /var/cache/nginx \
  && chmod -R g+w /var/cache/nginx \
  && chown -R $UID:0 /etc/nginx \
  && chmod -R g+w /etc/nginx
COPY --chown=nginx:nginx ./docker/nginx/nginx.conf /etc/nginx/conf.d/default.conf
WORKDIR /usr/share/nginx/html
USER nginx
EXPOSE 8080
COPY build .

Now my frontend app deploys in a container and passes AquaScan.
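The RUN step in the answer above is four literal sed rewrites, and whether they land depends on the exact whitespace of the stock config. The script below is an added example, not part of the answer or of the nginx project: it applies the same rewrites to a scratch copy of a stock-style nginx.conf and conf.d/default.conf (both constructed here to mirror the official nginx:alpine layout) and then checks each one, so the effect can be verified on a workstation before building the image. It assumes GNU or busybox sed, which both support -i and process "\n" in appended text; the directory paths and function names are the example's own.

```shell
#!/bin/sh
# Added example (not the original answer's code): replay the answer's sed rewrites
# against a scratch copy of a stock-style nginx config and verify each one.
# Assumes GNU or busybox sed (-i, and "\n" processed in "a" text).

make_sample_conf() {
  # $1: scratch directory standing in for /etc/nginx (constructed sample content)
  mkdir -p "$1/conf.d"
  cat > "$1/nginx.conf" <<'EOF'
user  nginx;
worker_processes  auto;
error_log  /var/log/nginx/error.log notice;
pid        /var/run/nginx.pid;

events {
    worker_connections  1024;
}

http {
    include       /etc/nginx/mime.types;
    include /etc/nginx/conf.d/*.conf;
}
EOF
  cat > "$1/conf.d/default.conf" <<'EOF'
server {
    listen       80;
    server_name  localhost;
}
EOF
}

# The answer's rewrites, parameterised on the config root instead of /etc/nginx.
unprivilege_nginx_conf() {
  d="$1"
  # 80 is a privileged port; a non-root process can only bind ports >= 1024
  sed -i 's,listen       80;,listen       8080;,' "$d/conf.d/default.conf"
  # the "user" directive only applies when the master process starts as root
  sed -i '/user  nginx;/d' "$d/nginx.conf"
  # /var/run is not writable by the nginx user
  sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' "$d/nginx.conf"
  # temp dirs default under /var/cache/nginx; point them at /tmp instead
  sed -i "/^http {/a \    proxy_temp_path /tmp/proxy_temp;\n    client_body_temp_path /tmp/client_temp;\n    fastcgi_temp_path /tmp/fastcgi_temp;\n    uwsgi_temp_path /tmp/uwsgi_temp;\n    scgi_temp_path /tmp/scgi_temp;\n" "$d/nginx.conf"
}

# Returns 0 only when every rewrite landed, naming the first failure otherwise.
# On the untouched sample config it fails, which is exactly the check you want.
verify_unprivileged_conf() {
  d="$1"
  if ! grep -q 'listen       8080;' "$d/conf.d/default.conf"; then
    echo "listen still on port 80"; return 1
  fi
  if grep -q '^user  nginx;' "$d/nginx.conf"; then
    echo "user directive still present"; return 1
  fi
  if ! grep -q '/tmp/nginx.pid' "$d/nginx.conf"; then
    echo "pid file still under /var/run"; return 1
  fi
  for p in proxy_temp client_body_temp fastcgi_temp uwsgi_temp scgi_temp; do
    if ! grep -q "${p}_path /tmp/" "$d/nginx.conf"; then
      echo "${p}_path not redirected"; return 1
    fi
  done
  echo "config is ready for a non-root nginx"
  return 0
}

# Number of *_temp_path directives pointing under /tmp (5 after the rewrite).
count_tmp_paths() {
  grep -c '_path /tmp/' "$1/nginx.conf"
}

demo() {
  tmp=$(mktemp -d)
  make_sample_conf "$tmp"
  echo "before:"; verify_unprivileged_conf "$tmp" || true
  unprivilege_nginx_conf "$tmp"
  echo "after:"
  if verify_unprivileged_conf "$tmp"; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

demo
```

Running the script prints the failing check for the stock config and a clean result after the rewrite. The same verify function is worth running against the real /etc/nginx inside a built image (for example from a one-off RUN step) because a drifted upstream default.conf, say a different number of spaces after listen, silently leaves nginx on port 80, and the container then fails at startup under USER nginx rather than at build time.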

huangapple
  • Posted on April 7, 2023, 01:23:06
  • Please keep this link when reposting: https://go.coder-hub.com/75952200.html