From ec85aa8a48dbb44ae3c44f654627ea415169886d Mon Sep 17 00:00:00 2001 From: Gustavo Valverde Date: Tue, 27 Aug 2024 22:29:50 +0100 Subject: [PATCH] fix(docker): add `gosu` and remove unsupported flag in `adduser` (#8808) * fix(docker): typo and uknown option in debian * fix(docker): use `gosu` for rootless execution Some of our entrypoint commands requires creating directories and files in places a non-privileged user can't access. So we use `gosu` to step down from `root` to a non-privileged user during container startup, right at our application execution.
---
 docker/Dockerfile | 13 ++++++++-----
 docker/entrypoint.sh | 4 ++--
 2 files changed, 10 insertions(+), 7 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 4e6610b8383..3820d87adf4 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -187,24 +187,29 @@ RUN apt-get update && \
 apt-get install -y --no-install-recommends \
 ca-certificates \
 curl \
- rocksdb-tools
+ rocksdb-tools \
+ gosu \
+ && \
+ rm -rf /var/lib/apt/lists/* /tmp/*
 # Create a non-privileged user that the app will run under.
 # Running as root inside the container is running as root in the Docker host
 # If an attacker manages to break out of the container, they will have root access to the host
 # See https://docs.docker.com/go/dockerfile-user-best-practices/
 ARG USER=zebra
+ENV USER=${USER}
 ARG UID=10001
+ENV UID=${UID}
 ARG GID=10001
+ENV GID=${GID}
 RUN addgroup --system --gid ${GID} ${USER} \
 && adduser \
- --no-log-init \
 --system \
 --disabled-login \
 --shell /bin/bash \
 --uid "${UID}" \
- --gid "{GID}" \
+ --gid "${GID}" \
 ${USER}
 # Config settings for zebrad
@@ -218,8 +223,6 @@ ENV ZEBRA_CONF_FILE=${ZEBRA_CONF_FILE:-zebrad.toml}
 COPY --from=release /opt/zebrad/target/release/zebrad /usr/local/bin
 COPY --from=release /entrypoint.sh /
-USER ${USER}
-
 # Expose configured ports
 EXPOSE 8233 18233
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index cc4fb5ac82e..3dd5275d643 100755
--- a/docker/entrypoint.sh
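Review bot: `ENV USER=${USER}` turns the account that `gosu` later steps down to into an ordinary runtime environment variable, so `docker run -e USER=root …` (or an empty `USER`) makes the privilege drop a no-op or a failure, and because the `USER` directive is removed later in this patch the image then runs as root end to end. A name nobody is expected to override, e.g. `ENV ZEBRA_USER=${USER}` with the entrypoint switched to it, or an entrypoint check that the target is neither empty nor `root`, would close that. `ENV UID=${UID}` is also unlikely to be visible as `$UID` in a bash entrypoint, because bash initialises `UID` from the process's real uid at startup and marks it read-only, so if only the `adduser` line needs the value the `ARG` alone presumably suffices — worth a comment or dropping the `ENV`. The `RUN apt-get update` instruction this hunk edits starts before its first line.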
+++ b/docker/entrypoint.sh
@@ -357,11 +357,11 @@ case "$1" in
 exec cargo test --locked --release --features "zebra-test" --package zebra-scan -- --nocapture --include-ignored scan_task_commands
 else
- exec "$@"
+ exec gosu "$USER" "$@"
 fi
 fi
 ;;
 *)
- exec "$@"
+ exec gosu "$USER" "$@"
 ;;
 esac
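Review bot: Both new `exec gosu "$USER" "$@"` lines assume the script is running as root and that `$USER` still holds the image's build-time value; if an operator starts the container with `--user` gosu cannot switch and the exec fails, and if they pass `-e USER=root` (or an empty value) gosu keeps root or aborts instead of dropping privileges. A guard ahead of the exec covers both cases: `[[ "$(id -u)" -eq 0 ]] || exec "$@"` and `[[ -n "$USER" && "$USER" != "root" ]] || { echo "refusing to run as '${USER:-<unset>}'" >&2; exit 1; }`. The `exec cargo test …` line in this arm (and presumably the other test arms above the hunk) is unchanged and still execs directly, so now that the Dockerfile no longer sets `USER` those paths run as root — confirm that is intended. The `case "$1"` statement begins before this hunk.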