arnault/Talks
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update Dockerfile to use nginxinc/nginx-unprivileged image and enhance user permissions
All checks were successful
Talks slides — image & chart / vars (push) Successful in 1s
Details
Talks slides — image & chart / Helm chart (push) Successful in 15s
Details
Talks slides — image & chart / Build container image (push) Successful in 47s
Details

Browse Source 
- Switched base image to nginxinc/nginx-unprivileged for improved security.
- Adjusted user permissions and ownership settings for better compliance with non-root user practices.
- Removed unnecessary commands related to pid and user configuration in nginx.conf.
This commit is contained in:
Le Prévost-Corvellec Arnault
2026-04-08 21:51:44 +02:00
parent 9a4942daad
commit 600c07e358
1 changed files with 8 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
server/Dockerfile
View File

@@ -1,14 +1,14 @@
# syntax=docker/dockerfile:1
# BuildKit / buildx : cache apk + permissions au build.
# Limage nginx:alpine fournit déjà lutilisateur / groupe nginx (typiquement 101:101) — pas besoin de le créer.
FROM nginx:alpine
# Image officielle « non-root » (nginxinc) : pid, user, port 8080 — on nimite pas nginx:alpine à coups de sed.
# https://github.com/nginxinc/docker-nginx-unprivileged
FROM nginxinc/nginx-unprivileged:stable-alpine
USER root
RUN --mount=type=cache,target=/var/cache/apk \
apk add --no-cache git
WORKDIR /usr/share/nginx/html
# Image figée au clone ; refresh.sh fait git pull en boucle (même utilisateur que nginx grâce à USER nginx).
ARG TALKS_REPO_URL=https://git.specificat.io/arnault/Talks.git
ARG TALKS_BRANCH=main
ARG TALKS_SPARSE_DIR=content
@@ -21,32 +21,17 @@ RUN find . -mindepth 1 -delete \
COPY nginx/default.conf /etc/nginx/conf.d/default.conf
COPY refresh.sh /refresh.sh
# Master non-root : pid hors /run (root-only), directive user commentée (évite setgid vers 101).
# Caches, logs, dépôt : nginx — pas de setuid/setgid ni CAP dans Kubernetes.
# Même UID que limage (nginx, 101) ; pas de retouche manuelle de nginx.conf.
RUN chmod +x /refresh.sh \
&& mkdir -p \
/var/cache/nginx/client_temp \
/var/cache/nginx/proxy_temp \
/var/cache/nginx/fastcgi_temp \
/var/cache/nginx/uwsgi_temp \
/var/cache/nginx/scgi_temp \
/var/log/nginx \
&& chown -R nginx:nginx \
/var/cache/nginx \
/var/log/nginx \
/usr/share/nginx/html \
&& sed -i 's|pid /run/nginx.pid;|pid /tmp/nginx.pid;|g' /etc/nginx/nginx.conf \
&& sed -i 's|pid /run/nginx/nginx.pid;|pid /tmp/nginx.pid;|g' /etc/nginx/nginx.conf \
&& sed -i 's/^[[:space:]]*user nginx;/# user nginx (master non-root)/' /etc/nginx/nginx.conf \
&& chown -R nginx:nginx /usr/share/nginx/html /refresh.sh \
&& mkdir -p /home/nginx \
&& chown nginx:nginx /home/nginx /refresh.sh \
&& su -s /bin/sh nginx -c 'HOME=/home/nginx git config --global --add safe.directory /usr/share/nginx/html'
&& chown nginx:nginx /home/nginx \
&& su nginx -s /bin/sh -c 'HOME=/home/nginx git config --global --add safe.directory /usr/share/nginx/html'
ENV HOME=/home/nginx
USER nginx
# Port non privilégié ; le Service K8s mappe souvent 80 → 8080.
EXPOSE 8080
CMD sh -c "/refresh.sh & exec nginx -g 'daemon off;'"