Last active
May 8, 2023 00:11
-
-
Save donhector/15fe14c692f49daaa8fdec1ec89d9423 to your computer and use it in GitHub Desktop.
Dockerfile non root
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Image arguments can be overriden at build time via --build-arg KEY=VALUE | |
| ARG ALPINE_VERSION=3 | |
| FROM alpine:${ALPINE_VERSION} | |
| # User and group settings | |
| ARG USER=appuser | |
| ARG GROUP=${USER} | |
| ARG UID=1000 | |
| ARG GID=1000 | |
| # App settings | |
| ARG APP_HOME=/opt/app | |
| # annotation for OCI images | |
| LABEL org.opencontainers.image.authors="Hector Molina <[email protected]>" \ | |
| org.opencontainers.image.url="https://hmolina.dev/" \ | |
| org.opencontainers.image.vendor="darkenv" \ | |
| org.opencontainers.image.title="apline" \ | |
| org.opencontainers.image.description="Non root user Alpine image illustration" | |
| # Create a system (-S) group with the given id (-g) and the given name (${USER}) | |
| # Create a passwordless (-D) system (-S) user with the given id (-u) belonging to group (-G) | |
| # Create the application home folder and set ${USER} as the owner | |
| RUN addgroup -g ${GID} -S ${GROUP} && \ | |
| adduser -u ${UID} -D -S -G ${GROUP} ${USER} && \ | |
| mkdir -p ${APP_HOME} && \ | |
| chown ${USER}:${GROUP} ${APP_HOME} | |
| # Install stuff, including an init system to better handle signals to our app | |
| RUN set -eux && \ | |
| apk update && \ | |
| apk upgrade && \ | |
| apk add --no-cache \ | |
| ca-certificates \ | |
| dumb-init \ | |
| curl | |
| COPY --chown=${USER}:${GROUP} app ${APP_HOME} | |
| WORKDIR ${APP_HOME} | |
| USER ${USER} | |
| # Use the init system as the entrypoint to lunch our app | |
| ENTRYPOINT ["dumb-init", "--"] | |
| # Our app and any extra arguments that needs to be passed to it (using sh just for illustration) | |
| CMD ["sh"] |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| ARG UBUNTU_VERSION=22.04 | |
| FROM ubuntu:${UBUNTU_VERSION} | |
| # User settings | |
| ARG USERNAME=appuser | |
| ARG USER_UID=1000 | |
| ARG USER_GID=$USER_UID | |
| # App settings | |
| ARG APP_HOME=/opt/app | |
| # annotation for OCI images | |
| LABEL org.opencontainers.image.authors="Hector Molina <[email protected]>" \ | |
| org.opencontainers.image.url="https://hmolina.dev/" \ | |
| org.opencontainers.image.vendor="darkenv" \ | |
| org.opencontainers.image.title="ubuntu-zsh" \ | |
| org.opencontainers.image.description="Ubuntu with ZSH goodies" | |
| ENV LANG=en_US.UTF-8 | |
| ENV LANGUAGE=en_US:en | |
| ENV LC_ALL=en_US.UTF-8 | |
| # Install basic packages and create non root user | |
| RUN <<EOF | |
| #!/usr/bin/env bash | |
| set -euo pipefail | |
| export DEBIAN_FRONTEND=noninteractive | |
| groupadd --gid ${USER_GID} ${USERNAME} | |
| useradd --uid ${USER_UID} --gid ${USER_GID} -m ${USERNAME} | |
| apt-get update | |
| apt dist-upgrade -y | |
| apt-get install --no-install-recommends -y \ | |
| sudo \ | |
| curl \ | |
| wget \ | |
| build-essential \ | |
| ca-certificates \ | |
| libssl-dev \ | |
| git \ | |
| sshpass \ | |
| bash-completion \ | |
| locales \ | |
| net-tools \ | |
| dumb-init | |
| apt-get autoremove -y | |
| apt-get clean | |
| rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* | |
| locale-gen en_US.UTF-8 | |
| echo "$USERNAME ALL=(ALL) NOPASSWD:ALL" | tee /etc/sudoers.d/${USERNAME} | |
| chmod 0440 /etc/sudoers.d/${USERNAME} | |
| mkdir -p ${APP_HOME} | |
| chown ${USERNAME}:${USERNAME} ${APP_HOME} | |
| EOF | |
| USER ${USERNAME} | |
| WORKDIR /home/${USERNAME} | |
| RUN <<EOF | |
| #!/usr/bin/env bash | |
| set -euo pipefail | |
| NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)" | |
| eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)" | |
| brew analytics off | |
| brew install \ | |
| antidote \ | |
| awscli \ | |
| bat \ | |
| bottom \ | |
| chezmoi \ | |
| direnv \ | |
| dog \ | |
| dua-cli \ | |
| dust \ | |
| exa \ | |
| fd \ | |
| fzf \ | |
| gh \ | |
| git-delta \ | |
| git-extras \ | |
| glab \ | |
| graphviz \ | |
| helm \ | |
| hugo \ | |
| hyperfine \ | |
| jq \ | |
| k3d \ | |
| k9s \ | |
| keychain \ | |
| kind \ | |
| pipx \ | |
| procs \ | |
| rg \ | |
| rtx \ | |
| scc \ | |
| sops \ | |
| starship \ | |
| terraform-docs \ | |
| tfsec \ | |
| tmux \ | |
| yq \ | |
| zoxide \ | |
| zsh | |
| (echo; echo 'eval "$(/home/linuxbrew/.linuxbrew/bin/brew shellenv)"') >> ~/.zprofile | |
| sudo sh -c "echo $(which zsh) >> /etc/shells" | |
| sudo chsh -s $(which zsh) $(whoami) | |
| $(brew --prefix)/opt/fzf/install --all | |
| EOF | |
| RUN <<EOF | |
| cat <<EOZ > ~/.zsh_plugins.txt | |
| # Load plugins from ohmyzsh | |
| ohmyzsh/ohmyzsh path:lib | |
| ohmyzsh/ohmyzsh path:plugins/git # Adds git aliases | |
| ohmyzsh/ohmyzsh path:plugins/command-not-found | |
| ohmyzsh/ohmyzsh path:plugins/colored-man-pages | |
| ohmyzsh/ohmyzsh path:plugins/git-extras # Autocompletions for git-extras | |
| ohmyzsh/ohmyzsh path:plugins/web-search | |
| ohmyzsh/ohmyzsh path:plugins/docker | |
| ohmyzsh/ohmyzsh path:plugins/docker-compose | |
| ohmyzsh/ohmyzsh path:plugins/terraform | |
| # Load plugins from other repos | |
| Aloxaf/fzf-tab # pipe tab completions to fzf | |
| zsh-users/zsh-completions # add completions for more tools | |
| zsh-users/zsh-autosuggestions # command suggestions | |
| zdharma-continuum/fast-syntax-highlighting | |
| djui/alias-tips # reminds you to use aliases | |
| wfxr/forgit # adds git command interactivity via fzf (ie: ga, glo, etc..) | |
| EOZ | |
| EOF | |
| RUN <<EOF | |
| cat <<'EOZ' > ~/.zshrc | |
| # Add brew functions to fpath | |
| fpath=($HOMEBREW_PREFIX/share/zsh/site-functions $fpath) | |
| # Enable completion system for Zsh and Bash (for compatibility) | |
| autoload -Uz compinit && compinit | |
| autoload -Uz +X bashcompinit && bashcompinit | |
| # Prevent typewriter effect when pasting to terminal | |
| # Must be loaded before ohmyzsh (ie: before antidote) | |
| DISABLE_MAGIC_FUNCTIONS=true | |
| # Initialize antidote | |
| source $HOMEBREW_PREFIX/opt/antidote/share/antidote/antidote.zsh | |
| antidote load | |
| # Initialize other brew installed tools | |
| eval "$(starship init zsh)" | |
| eval "$(zoxide init zsh)" | |
| eval "$(direnv hook zsh)" | |
| eval "$(rtx activate zsh)" | |
| [ -f ~/.fzf.zsh ] && source ~/.fzf.zsh | |
| zstyle -d ':completion:*' format | |
| zstyle ':completion:*:descriptions' format '-- %d --' | |
| # Terraform completions | |
| #complete -o nospace -C "$(rtx which terraform)" terraform | |
| # Pipx completions | |
| eval "$(register-python-argcomplete pipx)" | |
| # Load all zsh preferences from the ~/.zshrc.d directory | |
| if [ -d "$HOME/.zshrc.d" ]; then | |
| for file in $HOME/.zshrc.d/*.sh; do | |
| source $file | |
| done | |
| fi | |
| # Load SSH keys into keychain | |
| # keychain --nogui $(fd 'id_.*(rsa|ed25519)' -E '*.pub' ~/.ssh) | |
| # source ~/.keychain/$HOST-sh | |
| EOZ | |
| EOF | |
| # Use the init system as the entrypoint | |
| ENTRYPOINT ["dumb-init", "--"] | |
| # Invoke our main process (ie: zsh as login shell so it loads .zprofile) | |
| CMD ["/home/linuxbrew/.linuxbrew/bin/zsh", "--login"] |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment