Distroless busybox #81
Comments
|
I've written a script which makes copying binaries and their shared object dependencies easier. copy-bin.sh -p /base --ldd /bin/busybox --links /bin:/sbin:/usr/bin:/usr/sbinAlternate Dockerfile using FROM alpine
SHELL ["/bin/sh", "-exc"]
# copy-bin.sh provides easy ability to copy binaries with shared object dependencies
RUN \
wget -qO /usr/local/bin/copy-bin.sh https://raw.githubusercontent.com/samrocketman/home/main/bin/copy-bin.sh; \
chmod 755 /usr/local/bin/copy-bin.sh
# Distroless hierarchy
RUN \
# Directory structure and permissions
mkdir -p base/bin base/tmp base/var/tmp base/etc base/home/nonroot base/sbin base/root; \
chmod 700 /root; \
chown root:root /root; \
chmod 1777 base/tmp base/var/tmp; \
chown 65532:65532 base/home/nonroot; \
chmod 750 base/home/nonroot; \
# UID and GID
echo 'root:x:0:' > /base/etc/group; \
echo 'nonroot:x:65532:' >> /base/etc/group; \
echo 'root:x:0:0:root:/root:/sbin/nologin' > /base/etc/passwd; \
echo 'nonroot:x:65532:65532:nonroot:/home/nonroot:/sbin/nologin' >> /base/etc/passwd; \
# init binary
apk add --no-cache dumb-init; \
cp -a /usr/bin/dumb-init base/bin/dumb-init; \
echo "distroless" > base/etc/issue
# Add busybox shell to distroless distribution
RUN \
copy-bin.sh -p /base --ldd /bin/busybox --links /bin:/sbin:/usr/bin:/usr/sbin
FROM scratch
COPY --from=0 /base/ /
ENTRYPOINT ["/bin/dumb-init", "--"]
USER nonroot
ENV HOME=/home/nonroot USER=nonroot PATH="/usr/sbin:/usr/bin:/sbin:/bin"
WORKDIR /home/nonroot
CMD ["/bin/sh"] |
|
Example copy-bin.sh -p "$PWD"/base --ldd /bin/bash
docker build -f Dockerfile -t bash base
docker run --init -it --rm bash /bin/bashWhere FROM scratch
COPY . / |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
A minimal distroless busybox
The text was updated successfully, but these errors were encountered: