Update Dockerfile (#618)

Running programs as root that don't require it is a big security risk. Docker is only containerization and not virtualization.
Instead of using the user "nobody" a custom user may be created, but as shadowsocks-rust only uses networking and only reads the config file I see it as unnecessary.
If the server is intended to bind on a privileged port (<1024) Docker's port mapping may be used or a program such as nftables or setcap may be used.
Julia
2021-09-05 16:53:34 +02:00
committed by GitHub
parent 58381e5470
commit 806ad4898c


@@ -39,6 +39,8 @@ COPY --from=build /root/shadowsocks-rust/target/release/sslocal /usr/bin
COPY --from=build /root/shadowsocks-rust/examples/config.json /etc/shadowsocks-rust/
USER nobody
ENTRYPOINT [ "sslocal", "--log-without-time", "-c", "/etc/shadowsocks-rust/config.json" ]
FROM alpine:3.14 AS ssserver
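Review bot: `USER nobody` in the sslocal stage names the account instead of giving a numeric ID, so an orchestrator that enforces non-root by UID (for example a Kubernetes pod with `runAsNonRoot: true`) cannot verify the image user and will refuse to start the container. Consider `USER 65534:65534`, which is nobody's UID and GID on Alpine, so the non-root guarantee is checkable from the image metadata alone. The placement after the `COPY` lines is good: the binary and the example config stay owned by root, so the process cannot rewrite either of them.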
@@ -47,4 +49,6 @@ COPY --from=build /root/shadowsocks-rust/target/release/ssserver /usr/bin
COPY --from=build /root/shadowsocks-rust/examples/config.json /etc/shadowsocks-rust/
USER nobody
ENTRYPOINT [ "ssserver", "--log-without-time", "-c", "/etc/shadowsocks-rust/config.json" ]
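Review bot: with `USER nobody` ahead of the ssserver `ENTRYPOINT`, the process now has to read `/etc/shadowsocks-rust/config.json` as an unprivileged user, and nothing in the Dockerfile tells operators that. The copied example file is fine, but a config bind-mounted over that path with a restrictive mode (for example 0600 owned by root, which is common since it holds the server password) will stop being readable and the container will exit at startup. A comment next to this line, or a note in the Docker usage docs, should state the UID the process runs as and that the mounted config must be readable by it. The privileged-port caveat from the commit message belongs in the same note, since it is currently recorded only in the commit description.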