litestream icon indicating copy to clipboard operation
litestream copied to clipboard
verified publisher icon benbjohnson

feat(docker): harden docker image

Open hazcod opened this issue 3 years ago • 2 comments

This change removes the alpine docker image with an empty scratch image. This removes a bunch of attack surface which is unused anyway. Additionally it adds-in an unprivileged user such that root is no longer used to reduce attack surface.

hazcod avatar Jun 30 '22 12:06 hazcod

@hazcod Thanks for the PR. I'll have to do some testing with this. Isn't running as root inside Docker typical as the container is already sandboxed?

benbjohnson avatar Jul 19 '22 21:07 benbjohnson

@benbjohnson It's still a best practice not to, running as root in a container greatly increases the risk of kernel exploitation or container escape. https://dockerlabs.collabnix.com/security/Running-Containers-as-ROOT.html

hazcod avatar Jul 20 '22 05:07 hazcod