问题
我有一个部署在Docker容器nginxinc/nginx-unprivileged:alpine-slim
中的前端应用程序。该管道目前无法通过AquaScan检查安全漏洞。
Dockerfile:
FROM nginxinc/nginx-unprivileged:alpine-slim
USER root
RUN apk update && apk upgrade --no-cache
WORKDIR /usr/share/nginx/html
COPY --chown=nginx ./docker/nginx/nginx.conf /etc/nginx/conf.d/default.conf
USER nginx
COPY build .
我尝试过的东西
- 由于AquaScan存在问题,使用
RUN apk update && apk upgrade --no-cache
升级易受攻击的程序包无法通过扫描 - 更改为特权容器使部署失败
- lxc create unprivileged containers是一个相关的帖子,在我的情况下不起作用
如果我可以更新另一个容器为非特权容器,那么我可以通过AquaScan并部署我的应用程序。
如何更新Docker容器,使其没有特权
解决方案
我更新了Dockerfile
,如下所示:
# nginxinc/nginx-unprivileged:alpine-slim has container vulnerabilities that do not pass AquaScan, even after updating. 3/21/2023.
FROM nginx:alpine-slim
# implement changes required to run NGINX as an unprivileged user
RUN sed -i 's,listen 80;,listen 8080;,' /etc/nginx/conf.d/default.conf
&& sed -i '/user nginx;/d' /etc/nginx/nginx.conf
&& sed -i 's,/var/run/nginx.pid,/tmp/nginx.pid,' /etc/nginx/nginx.conf
&& sed -i "/^http {/a proxy_temp_path /tmp/proxy_temp;n client_body_temp_path /tmp/client_temp;n fastcgi_temp_path /tmp/fastcgi_temp;n uwsgi_temp_path /tmp/uwsgi_temp;n scgi_temp_path /tmp/scgi_temp;n" /etc/nginx/nginx.conf
# nginx user must own the cache and etc directory to write cache and tweak the nginx config && chown -R $UID:0 /var/cache/nginx
&& chmod -R g+w /var/cache/nginx
&& chown -R $UID:0 /etc/nginx
&& chmod -R g+w /etc/nginx
COPY --chown=nginx:nginx ./docker/nginx/nginx.conf /etc/nginx/conf.d/default.conf
WORKDIR /usr/share/nginx/html
USER nginx
EXPOSE 8080
COPY build .
现在,我的前端应用程序部署在容器中,通过AquaScan。