From 66c7e995781b157b50bc95792587b40b27e199d7 Mon Sep 17 00:00:00 2001
From: Israel Blancas
Date: Tue, 3 Jan 2023 17:43:32 +0100
Subject: [PATCH 1/5] Refactor the target allocator build to not run it as root

Signed-off-by: Israel Blancas
---
 cmd/otel-allocator/Dockerfile | 38 +++++++++++++++++++++--------------
 1 file changed, 23 insertions(+), 15 deletions(-)

diff --git a/cmd/otel-allocator/Dockerfile b/cmd/otel-allocator/Dockerfile
index 3e856c08a0..e89b1d3aa7 100644
--- a/cmd/otel-allocator/Dockerfile
+++ b/cmd/otel-allocator/Dockerfile
@@ -1,26 +1,34 @@
 # Build the target allocator binary
 FROM golang:1.19 as builder
 
-WORKDIR /app
-
-# Copy go mod and sum files
-COPY go.mod go.sum ./
-
+WORKDIR /workspace
+# Copy the Go Modules manifests
+COPY go.mod go.mod
+COPY go.sum go.sum
+# cache deps before building and copying source so that we don't need to re-download as much
+# and so that source changes don't invalidate our downloaded layer
 RUN go mod download
 
-COPY . .
+# Copy the go source
+COPY main.go main.go
+COPY allocation/ allocation/
+COPY collector/ collector/
+COPY config/ config/
+COPY diff/ diff/
+COPY prehook/ prehook/
+COPY server/ server/
+COPY target/ target/
+COPY watcher/ watcher/
 
 # Build the Go app
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main .
 
-######## Start a new stage from scratch #######
-FROM alpine:latest
-
-RUN apk --no-cache add ca-certificates
-
-WORKDIR /root/
-
+# Use distroless as minimal base image to package the manager binary
+# Refer to https://github.com/GoogleContainerTools/distroless for more details
+FROM gcr.io/distroless/static:nonroot
+WORKDIR /
 # Copy the pre-built binary file from the previous stage
-COPY --from=builder /app/main .
+COPY --from=builder /workspace/main .
+USER 65532:65532
 
-ENTRYPOINT ["./main"]
+ENTRYPOINT ["/main"]

From 1e1a4101d91e91ec6c6b92d6fec17445efbae086 Mon Sep 17 00:00:00 2001
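Review bot: `FROM gcr.io/distroless/static:nonroot` pins only a floating tag, so the base image (and the 65532 uid/gid that `USER 65532:65532` assumes) can change under a rebuild with no diff to this file; pin the digest, e.g. `FROM gcr.io/distroless/static:nonroot@sha256:<DIGEST-PLACEHOLDER>`, and bump it deliberately. Keeping the explicit numeric `USER` even though the `:nonroot` tag already sets it is the right call, since Kubernetes `runAsNonRoot` can only verify a numeric uid without an /etc/passwd lookup — worth a one-line comment, `# numeric uid so runAsNonRoot admission can verify it without /etc/passwd`. Two style points in the builder stage: `FROM golang:1.19 as builder` should use uppercase `AS` (BuildKit's FromAsCasing check flags the mismatch), and `-installsuffix cgo` has been a no-op since Go 1.10, so `RUN CGO_ENABLED=0 GOOS=linux go build -a -o main .` is enough.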
From: Israel Blancas
Date: Tue, 3 Jan 2023 17:48:38 +0100
Subject: [PATCH 2/5] Add missing changelog

Signed-off-by: Israel Blancas
---
 .chloggen/1345-run-ta-nonroot.yaml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
 create mode 100755 .chloggen/1345-run-ta-nonroot.yaml

diff --git a/.chloggen/1345-run-ta-nonroot.yaml b/.chloggen/1345-run-ta-nonroot.yaml
new file mode 100755
index 0000000000..20835079d0
--- /dev/null
+++ b/.chloggen/1345-run-ta-nonroot.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. operator, target allocator, github action)
+component: target allocator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: "Run the target allocator as non root user"
+
+# One or more tracking issues related to the change
+issues: []
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:

From 6cd8a9bd41a07899d1afb0dbd24477999db73ac4 Mon Sep 17 00:00:00 2001
From: Israel Blancas
Date: Wed, 4 Jan 2023 10:06:48 +0100
Subject: [PATCH 3/5] Fix issue number in changelog

Signed-off-by: Israel Blancas
---
 .../{1345-run-ta-nonroot.yaml => 1346-run-ta-nonroot.yaml} | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
 rename .chloggen/{1345-run-ta-nonroot.yaml => 1346-run-ta-nonroot.yaml} (97%)

diff --git a/.chloggen/1345-run-ta-nonroot.yaml b/.chloggen/1346-run-ta-nonroot.yaml
similarity index 97%
rename from .chloggen/1345-run-ta-nonroot.yaml
rename to .chloggen/1346-run-ta-nonroot.yaml
index 20835079d0..b8d43368bd 100755
--- a/.chloggen/1345-run-ta-nonroot.yaml
+++ b/.chloggen/1346-run-ta-nonroot.yaml
@@ -8,7 +8,7 @@ component: target allocator
 note: "Run the target allocator as non root user"
 
 # One or more tracking issues related to the change
-issues: []
+issues: [1346]
 
 # (Optional) One or more lines of additional information to render under the primary note.
 # These lines will be padded with 2 spaces and then inserted directly into the document.

From 6c712a1974168a382107761d497ca57f0366bf7e Mon Sep 17 00:00:00 2001
From: Israel Blancas
Date: Wed, 4 Jan 2023 13:54:08 +0100
Subject: [PATCH 4/5] Trigger Build

Signed-off-by: Israel Blancas

From 4e081fb0a938ffe3d86f7f0efaf31a9029062921 Mon Sep 17 00:00:00 2001
From: Israel Blancas
Date: Mon, 9 Jan 2023 17:57:42 +0100
Subject: [PATCH 5/5] Use scratch image as base image for the target allocator

Signed-off-by: Israel Blancas
---
 cmd/otel-allocator/Dockerfile | 47 ++++++++++++++++-------------------
 1 file changed, 21 insertions(+), 26 deletions(-)

diff --git a/cmd/otel-allocator/Dockerfile b/cmd/otel-allocator/Dockerfile
index e89b1d3aa7..5ba6d819f4 100644
--- a/cmd/otel-allocator/Dockerfile
+++ b/cmd/otel-allocator/Dockerfile
@@ -1,34 +1,29 @@
-# Build the target allocator binary
-FROM golang:1.19 as builder
-
-WORKDIR /workspace
-# Copy the Go Modules manifests
-COPY go.mod go.mod
-COPY go.sum go.sum
-# cache deps before building and copying source so that we don't need to re-download as much
-# and so that source changes don't invalidate our downloaded layer
+# Build the otel-allocator binary
+FROM golang:1.19-alpine as builder
+
+WORKDIR /app
+
+RUN apk --no-cache add ca-certificates
+
+# Copy go mod and sum files
+COPY go.mod go.sum ./
+
 RUN go mod download
 
-# Copy the go source
-COPY main.go main.go
-COPY allocation/ allocation/
-COPY collector/ collector/
-COPY config/ config/
-COPY diff/ diff/
-COPY prehook/ prehook/
-COPY server/ server/
-COPY target/ target/
-COPY watcher/ watcher/
+COPY . .
 
 # Build the Go app
 RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o main .
 
-# Use distroless as minimal base image to package the manager binary
-# Refer to https://github.com/GoogleContainerTools/distroless for more details
-FROM gcr.io/distroless/static:nonroot
-WORKDIR /
+######## Start a new stage from scratch #######
+FROM scratch
+
+WORKDIR /root/
+
+# Copy the certs from the builder
+COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+
 # Copy the pre-built binary file from the previous stage
-COPY --from=builder /workspace/main .
-USER 65532:65532
+COPY --from=builder /app/main .
 
-ENTRYPOINT ["/main"]
+ENTRYPOINT ["./main"]
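Review bot: The final stage no longer carries a `USER` instruction, so with `FROM scratch` the allocator starts as uid 0 again, and the series' own subject ("not run it as root") and the changelog note "Run the target allocator as non root user" stop being true at this commit. Restore it before the entrypoint and keep it numeric, because scratch ships no /etc/passwd to resolve a name: `USER 65532:65532`. `WORKDIR /root/` is also root's home and is created root-owned during the build, so a non-root process would have nowhere writable next to its binary if it ever needs one; `/app` with `COPY --from=builder --chown=65532:65532 /app/main /app/main` and `ENTRYPOINT ["/app/main"]` is the usual shape. Separately, `COPY . .` replaces the per-directory copies from the first patch, so everything in the build context lands in the builder stage unless a `.dockerignore` excludes it — it never reaches the scratch image, but it widens cache invalidation on every source change.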