From b18e597d6819aa0328e0f4bc5f00057b8e83a338 Mon Sep 17 00:00:00 2001
From: Mia Bennett
Date: Thu, 6 Nov 2025 13:20:20 +0930
Subject: [PATCH 1/3] build(Dockerfile): [PPT-2278] set permissions on /tmp
---
 Dockerfile | 37 ++++++++++++++++++++++---------------
 1 file changed, 22 insertions(+), 15 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index fd60bf20..a7c27e0c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,13 +15,13 @@ ENV USER=appuser
 # See https://stackoverflow.com/a/55757473/12429735
 RUN adduser \
- --disabled-password \
- --gecos "" \
- --home "/nonexistent" \
- --shell "/sbin/nologin" \
- --no-create-home \
- --uid "${UID}" \
- "${USER}"
+ --disabled-password \
+ --gecos "" \
+ --home "/nonexistent" \
+ --shell "/sbin/nologin" \
+ --no-create-home \
+ --uid "${UID}" \
+ "${USER}"
 # Install shards for caching
 COPY shard.yml shard.yml
@@ -35,19 +35,19 @@ COPY ./src /app/src
 # Build application
 RUN UNAME_AT_COMPILE_TIME=true \
- PLACE_COMMIT=$PLACE_COMMIT \
- PLACE_VERSION=$PLACE_VERSION \
- shards build --production --error-trace
+ PLACE_COMMIT=$PLACE_COMMIT \
+ PLACE_VERSION=$PLACE_VERSION \
+ shards build --production --error-trace
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 # Extract binary dependencies
 RUN for binary in "/bin/ping" "/bin/ping6" "/usr/bin/git" /app/bin/* /usr/libexec/git-core/*; do \
- ldd "$binary" | \
- tr -s '[:blank:]' '\n' | \
- grep '^/' | \
- xargs -I % sh -c 'mkdir -p $(dirname deps%); cp % deps%;' || true; \
- done
+ ldd "$binary" | \
+ tr -s '[:blank:]' '\n' | \
+ grep '^/' | \
+ xargs -I % sh -c 'mkdir -p $(dirname deps%); cp % deps%;' || true; \
+ done
 RUN git config --system http.sslCAInfo /etc/ssl/certs/ca-certificates.crt
@@ -78,6 +78,13 @@ COPY --from=build /usr/share/zoneinfo/ /usr/share/zoneinfo/
 # Copy tmp directory
 COPY --from=build /tmp /tmp
+# chmod for setting permissions on /tmp
+COPY --from=build /bin /bin
+COPY --from=build /lib/ld-musl-* /lib/
+RUN chmod -R a+rwX /tmp
+# hadolint ignore=SC2114,DL3059
+RUN rm -rf /bin /lib
+
 # this is required to ping things
 COPY --from=build /bin/ping /ping
 COPY --from=build /bin/ping6 /ping6
From c615629a062b59c057b3ef32384385cbf730eee3 Mon Sep 17 00:00:00 2001
From: Mia Bennett
Date: Thu, 6 Nov 2025 13:22:04 +0930
Subject: [PATCH 2/3] Revert "build(Dockerfile): [PPT-2278] set permissions on /tmp"
This reverts commit b18e597d6819aa0328e0f4bc5f00057b8e83a338.
---
 Dockerfile | 37 +++++++++++++++----------------------
 1 file changed, 15 insertions(+), 22 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index a7c27e0c..fd60bf20 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,13 +15,13 @@ ENV USER=appuser
 # See https://stackoverflow.com/a/55757473/12429735
 RUN adduser \
- --disabled-password \
- --gecos "" \
- --home "/nonexistent" \
- --shell "/sbin/nologin" \
- --no-create-home \
- --uid "${UID}" \
- "${USER}"
+ --disabled-password \
+ --gecos "" \
+ --home "/nonexistent" \
+ --shell "/sbin/nologin" \
+ --no-create-home \
+ --uid "${UID}" \
+ "${USER}"
 # Install shards for caching
 COPY shard.yml shard.yml
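Review bot: The `RUN rm -rf /bin /lib` that closes the hunk does not remove the build stage's `/bin` or the musl loader from the image: `COPY --from=build /bin /bin` and `COPY --from=build /lib/ld-musl-* /lib/` are committed as their own layers, so a full shell and loader remain extractable from the image in a final stage that otherwise ships none, and the image grows by the copied size. `rm -rf /lib` also deletes the whole directory, so if any earlier COPY in this stage (outside the hunk, e.g. the ldd-extracted deps, whose loop collects `/lib/ld-musl-*` paths) placed shared objects under `/lib`, they are removed as well — worth checking against the lines above 78. A way to set the mode without importing a shell is `COPY --from=build --chmod=1777 /tmp /tmp` (BuildKit, `# syntax=docker/dockerfile:1`) in place of the six added lines and the `# hadolint ignore=SC2114,DL3059` suppression; it applies one mode to every copied entry, and it should be confirmed that it also covers the created `/tmp` directory itself, since COPY copies a directory's contents rather than the directory, which is presumably why an in-stage chmod was wanted. The sticky bit in 1777 is the conventional `/tmp` mode; `a+rwX` leaves the directory world-writable without it. The identical hunk in PATCH 3/3, re-applied after the revert in 2/3, has the same issues, and since 2/3 cancels the whitespace-only hunks of 1/3 the series as a whole reduces to 3/3.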
@@ -35,19 +35,19 @@ COPY ./src /app/src
 # Build application
 RUN UNAME_AT_COMPILE_TIME=true \
- PLACE_COMMIT=$PLACE_COMMIT \
- PLACE_VERSION=$PLACE_VERSION \
- shards build --production --error-trace
+ PLACE_COMMIT=$PLACE_COMMIT \
+ PLACE_VERSION=$PLACE_VERSION \
+ shards build --production --error-trace
 SHELL ["/bin/ash", "-eo", "pipefail", "-c"]
 # Extract binary dependencies
 RUN for binary in "/bin/ping" "/bin/ping6" "/usr/bin/git" /app/bin/* /usr/libexec/git-core/*; do \
- ldd "$binary" | \
- tr -s '[:blank:]' '\n' | \
- grep '^/' | \
- xargs -I % sh -c 'mkdir -p $(dirname deps%); cp % deps%;' || true; \
- done
+ ldd "$binary" | \
+ tr -s '[:blank:]' '\n' | \
+ grep '^/' | \
+ xargs -I % sh -c 'mkdir -p $(dirname deps%); cp % deps%;' || true; \
+ done
 RUN git config --system http.sslCAInfo /etc/ssl/certs/ca-certificates.crt
@@ -78,13 +78,6 @@ COPY --from=build /usr/share/zoneinfo/ /usr/share/zoneinfo/
 # Copy tmp directory
 COPY --from=build /tmp /tmp
-# chmod for setting permissions on /tmp
-COPY --from=build /bin /bin
-COPY --from=build /lib/ld-musl-* /lib/
-RUN chmod -R a+rwX /tmp
-# hadolint ignore=SC2114,DL3059
-RUN rm -rf /bin /lib
-
 # this is required to ping things
 COPY --from=build /bin/ping /ping
 COPY --from=build /bin/ping6 /ping6
From 2775ddb1cd5f88380354dd3c9cbadf8f4200e8c0 Mon Sep 17 00:00:00 2001
From: Mia Bennett
Date: Thu, 6 Nov 2025 13:22:56 +0930
Subject: [PATCH 3/3] build(Dockerfile): [PPT-2278] set permissions on /tmp
---
 Dockerfile | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/Dockerfile b/Dockerfile
index fd60bf20..0ed7c696 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -78,6 +78,13 @@ COPY --from=build /usr/share/zoneinfo/ /usr/share/zoneinfo/
 # Copy tmp directory
 COPY --from=build /tmp /tmp
+# chmod for setting permissions on /tmp
+COPY --from=build /bin /bin
+COPY --from=build /lib/ld-musl-* /lib/
+RUN chmod -R a+rwX /tmp
+# hadolint ignore=SC2114,DL3059
+RUN rm -rf /bin /lib
+
 # this is required to ping things
 COPY --from=build /bin/ping /ping
 COPY --from=build /bin/ping6 /ping6