How do I update my Docker container so that it's unprivileged?
Problem
I have a frontend app that deploys in the Docker container nginxinc/nginx-unprivileged:alpine-slim. The pipeline is currently failing the stage that checks for security vulnerabilities via AquaScan.

The Dockerfile:

```dockerfile
FROM nginxinc/nginx-unprivileged:alpine-slim
USER root
RUN apk update && apk upgrade --no-cache
WORKDIR /usr/share/nginx/html
COPY --chown=nginx ./docker/nginx/nginx.conf /etc/nginx/conf.d/default.conf
USER nginx
COPY build .
```
Things I've tried

- Due to an issue with AquaScan, upgrading the vulnerable packages with `RUN apk update && apk upgrade --no-cache` does not pass the scan.
- Changing to a privileged container fails the deployment.
- lxc create unprivileged containers is a related post that doesn't work in my situation.
If I could update a different container to be unprivileged, then I could both pass AquaScan and deploy my app.
How do I update my Docker container so that it's unprivileged?
Answer 1 (score: 0)
Solution
I updated the Dockerfile like so:

```dockerfile
# nginxinc/nginx-unprivileged:alpine-slim has container vulnerabilities that do not pass AquaScan, even after updating. 3/21/2023.
FROM nginx:alpine-slim
# UID of the nginx user created by the official nginx image. Declared explicitly
# because the image's /bin/sh does not set $UID, which would otherwise leave the
# chown below without an owner.
ARG UID=101
# implement changes required to run NGINX as an unprivileged user
RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/conf.d/default.conf \
    && sed -i '/user nginx;/d' /etc/nginx/nginx.conf \
    && sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf \
    && sed -i "/^http {/a \ proxy_temp_path /tmp/proxy_temp;\n client_body_temp_path /tmp/client_temp;\n fastcgi_temp_path /tmp/fastcgi_temp;\n uwsgi_temp_path /tmp/uwsgi_temp;\n scgi_temp_path /tmp/scgi_temp;\n" /etc/nginx/nginx.conf \
    # nginx user must own the cache and etc directory to write cache and tweak the nginx config
    && chown -R $UID:0 /var/cache/nginx \
    && chmod -R g+w /var/cache/nginx \
    && chown -R $UID:0 /etc/nginx \
    && chmod -R g+w /etc/nginx
COPY --chown=nginx:nginx ./docker/nginx/nginx.conf /etc/nginx/conf.d/default.conf
WORKDIR /usr/share/nginx/html
USER nginx
EXPOSE 8080
COPY build .
```
Now my frontend app deploys in a container and passes AquaScan.