Feature/optimze container (#3)

* Removed Entrypoint * Optimized example * Optimized container * Updated Trivy Scan
aessing · Jul 10, 2023 · 686c503 · 686c503
1 parent 68e6fcc
commit 686c503
Show file tree

Hide file tree

Showing 5 changed files with 17 additions and 33 deletions.
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -3,7 +3,7 @@
 # separate terms of service, privacy policy, and support
 # documentation.
 
-name: Trivy vulnerability scan
+name: Trivy Vulnerability Scan
 
 on:
  push:
@@ -22,7 +22,7 @@ permissions:
 
 jobs:
  build:
- name: Trivy vulnerability scan
+ name: Vulnerability scan
  permissions:
  contents: read # for actions/checkout to fetch code
  security-events: write # for github/codeql-action/upload-sarif to upload SARIF results
@@ -40,8 +40,7 @@ jobs:
  uses: aquasecurity/trivy-action@41f05d9ecffa2ed3f1580af306000f734b733e54
  with:
  image-ref: 'docker.io/${{ env.IMAGE_NAME }}:trivy-${{ github.sha }}'
- format: 'template'
- template: '@/contrib/sarif.tpl'
+ format: 'sarif'
  output: 'trivy-results.sarif'
  severity: 'CRITICAL,HIGH'
 

diff --git a/Dockerfile b/Dockerfile
@@ -39,24 +39,30 @@ LABEL org.opencontainers.image.created=${BUILD_DATE} \
 
 ################################################### ############################
 # Install chronyd and necessary packages
-RUN apk add --update --no-cache bind ca-certificates tzdata \
+RUN apk --update --no-cache upgrade \
+ && apk add --update --no-cache bind ca-certificates tzdata \
+ && rm -rf /var/cache/apk/* \
  && update-ca-certificates \
  && cp /usr/share/zoneinfo/${TZ} /etc/localtime \
- && echo $TZ > /etc/timezone
+ && echo $TZ > /etc/timezone \
+ && mkdir -p /etc/bind /var/lib/bind /var/cache/bind \
+ && chown -R named:named /etc/bind /var/lib/bind \
+ && chown -R root:named /var/cache/bind \
+ && chmod -R u+rw,g+rw,o-rwx /var/cache/bind /var/lib/bind \
+ && chmod -R u+rw,g+w,g-w,o-rwx /etc/bind 
 
 ###############################################################################
 # Copy files
-COPY container-files/entrypoint.sh /entrypoint.sh
 COPY container-files/named.conf /etc/bind/named.conf
 COPY container-files/db.* /var/lib/bind/zones/
 
 ###############################################################################
-# Healthcheck
-HEALTHCHECK CMD dig +norecurse +short +retry=0 @127.0.0.1 localhost || exit 1
+# Run in non-root context
+USER named
 
 ###############################################################################
 # Start chronyd
-CMD [ "/bin/sh", "entrypoint.sh" ]
+CMD [ "/usr/sbin/named", "-g", "-u", "named", "-c", "/etc/bind/named.conf" ]
 
 ###############################################################################
 #EOF
diff --git a/container-files/db.10.in-addr.arpa b/container-files/db.10.in-addr.arpa
@@ -16,6 +16,7 @@ $TTL 3600
 3.53.10 3600 IN PTR ns02.example.com.
 129.31.124 3600 IN PTR server01.example.com.
 13.235.221 3600 IN PTR server02.example.com.
+1.33.234 3600 IN PTR time.example.com.
 
 ; -----------------------------------------------------------------------------
 ; EOF
diff --git a/container-files/db.example.com b/container-files/db.example.com
@@ -18,6 +18,7 @@ ns01 3600 IN A 10.0.0.132
 ns02 3600 IN A 10.3.53.10
 server01 3600 IN A 10.129.31.124
 server02 3600 IN A 10.13.235.221
+time 3600 IN A 10.1.33.234
 
 ; -----------------------------------------------------------------------------
 ; EOF
diff --git a/container-files/entrypoint.sh b/container-files/entrypoint.sh