Merge pull request #20 from jduepmeier/hardening

Hardening
lmenezes · Jan 16, 2022 · b631c36 · b631c36
2 parents b5fccde + 7f4536e
commit b631c36
Showing 1 changed file with 12 additions and 6 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,17 +1,23 @@
-FROM openjdk:11-jre-slim
+FROM openjdk:11-jre-slim as builder
 
 ENV CEREBRO_VERSION 0.9.4
 
 RUN  apt-get update \
  && apt-get install -y wget \
- && rm -rf /var/lib/apt/lists/* \
  && mkdir -p /opt/cerebro/logs \
  && wget -qO- https://github.com/lmenezes/cerebro/releases/download/v${CEREBRO_VERSION}/cerebro-${CEREBRO_VERSION}.tgz \
   | tar xzv --strip-components 1 -C /opt/cerebro \
- && sed -i '/<appender-ref ref="FILE"\/>/d' /opt/cerebro/conf/logback.xml \
- && addgroup -gid 1000 cerebro \
- && adduser -gid 1000 -uid 1000 cerebro \
- && chown -R cerebro:cerebro /opt/cerebro
+ && sed -i '/<appender-ref ref="FILE"\/>/d' /opt/cerebro/conf/logback.xml
+
+FROM openjdk:11.0.13-jre-slim
+
+COPY --from=builder /opt/cerebro /opt/cerebro
+
+RUN addgroup -gid 1000 cerebro \
+ && adduser -q --system --no-create-home --disabled-login -gid 1000 -uid 1000 cerebro \
+ && chown -R root:root /opt/cerebro \
+ && chown -R cerebro:cerebro /opt/cerebro/logs \
+ && chown cerebro:cerebro /opt/cerebro
 
 WORKDIR /opt/cerebro
 USER cerebro