From 16284904eb78e4cafa274501cea95af7aa49eb4a Mon Sep 17 00:00:00 2001
From: fra
Date: Tue, 19 Jan 2021 15:08:49 +0100
Subject: [PATCH] rewrote dockerfile for running as acmesh user and not root

---
 Dockerfile | 40 +++++++++++++++++++++++++++++++---------
 1 file changed, 31 insertions(+), 9 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4618efaf..ef9d06c1 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,19 +16,37 @@ RUN apk update -f \
   && rm -rf /var/cache/apk/*
 
 ENV LE_CONFIG_HOME /acme.sh
-
+ENV UID 1000
+ENV GID 1000
 ARG AUTO_UPGRADE=1
 ENV AUTO_UPGRADE $AUTO_UPGRADE
+ENV SUPERCRONIC_URL=https://github.com/aptible/supercronic/releases/download/v0.1.12/supercronic-linux-amd64 \
+    SUPERCRONIC=supercronic-linux-amd64 \
+    SUPERCRONIC_SHA1SUM=048b95b48b708983effb2e5c935a1ef8483d9e3e
+
 #Install
-ADD ./ /install_acme.sh/
-RUN cd /install_acme.sh && ([ -f /install_acme.sh/acme.sh ] && /install_acme.sh/acme.sh --install || curl https://get.acme.sh | sh) && rm -rf /install_acme.sh/
+ADD ./ /home/acmesh/install_acme.sh/
+RUN curl -fsSLO "$SUPERCRONIC_URL" \
+    && echo "${SUPERCRONIC_SHA1SUM} ${SUPERCRONIC}" | sha1sum -c - \
+    && chmod +x "$SUPERCRONIC" \
+    && mv "$SUPERCRONIC" "/usr/local/bin/${SUPERCRONIC}" \
+    && ln -s "/usr/local/bin/${SUPERCRONIC}" /usr/local/bin/supercronic
+RUN addgroup -S -g $GID acmesh && \
+    adduser -S -u $UID -G acmesh -s /bin/sh acmesh && \
+    mkdir /acme.sh && chown acmesh /acme.sh && \
+    chown -R acmesh /home/acmesh/install_acme.sh
 
-RUN ln -s /root/.acme.sh/acme.sh /usr/local/bin/acme.sh && crontab -l | grep acme.sh | sed 's#> /dev/null##' | crontab -
+USER acmesh
+RUN cd /home/acmesh/install_acme.sh && \
+/bin/sh /home/acmesh/install_acme.sh/acme.sh --install --nocron \
+    && rm -rf /home/acmesh/install_acme.sh/
 
-RUN for verb in help \
+USER root
+RUN ln -s /home/acmesh/.acme.sh/acme.sh /usr/local/bin/acme.sh && \
+for verb in help \
   version \
   install \
   uninstall \
@@ -58,17 +76,21 @@ RUN for verb in help \
   set-notify \
   set-default-ca \
   ; do \
-    printf -- "%b" "#!/usr/bin/env sh\n/root/.acme.sh/acme.sh --${verb} --config-home /acme.sh \"\$@\"" >/usr/local/bin/--${verb} && chmod +x /usr/local/bin/--${verb} \
+    printf -- "%b" "#!/usr/bin/env sh\n/home/acmesh/.acme.sh/acme.sh --${verb} --config-home /acme.sh \"\$@\"" >/usr/local/bin/--${verb} && chmod +x /usr/local/bin/--${verb} \
   ; done
 
+RUN printf "%b" "$((1 + $RANDOM % 60)) 0 * * * /bin/sh /home/acmesh/.acme.sh/acme.sh --cron --config-home /acme.sh \n" > /acme_crontab && chmod a+r /acme_crontab
+
+
 RUN printf "%b" '#!'"/usr/bin/env sh\n \
 if [ \"\$1\" = \"daemon\" ]; then \n \
-  trap \"echo stop && killall crond && exit 0\" SIGTERM SIGINT \n \
-  crond && while true; do sleep 1; done;\n \
+  trap \"pkill supercronic\" SIGTERM SIGINT \n \
+  exec supercronic /acme_cron.tab \n \
 else \n \
   exec -- \"\$@\"\n \
-fi" >/entry.sh && chmod +x /entry.sh
+fi" >/entry.sh && chmod a+x /entry.sh
+USER acmesh
 
 VOLUME /acme.sh
 
 ENTRYPOINT ["/entry.sh"]
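Review bot: The daemon branch of the generated /entry.sh runs `exec supercronic /acme_cron.tab`, but the crontab written two instructions earlier in this hunk is `/acme_crontab`, so a container started in daemon mode will fail as soon as supercronic tries to open its schedule; change the line to `exec supercronic /acme_crontab \n \` (or write the crontab to /acme_cron.tab, whichever name is intended). The `trap \"pkill supercronic\" SIGTERM SIGINT` line just above it is dead code: `exec` replaces the shell, so the handler can never run and supercronic itself, as PID 1, receives SIGTERM from `docker stop` directly — dropping the trap avoids suggesting the shell is still around to stop it. The crontab line's minute offset uses `$RANDOM` under the default `/bin/sh -c` RUN shell; BusyBox ash on alpine appears to expand it, but if a base image's sh does not, the arithmetic errors and the build stops, so a comment such as `# minute is randomized once at build time, not per container start` would make the intent and the build-time dependency explicit. Leaving /acme_crontab root-owned with only `chmod a+r` is the right shape: the acmesh user that supercronic runs as can read the schedule but cannot alter it.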