Merge pull request #3546 from yixingjia/noroot_clair

Run clair with limited user

make/docker-compose.clair.yml

@@ -35,14 +35,13 @@ services:
     networks:
       - harbor-clair
     container_name: clair
-    image: vmware/clair-photon:v2.0.1
+    image: vmware/clair:v2.0.1-photon
     restart: always
     cpu_quota: 150000
     depends_on:
       - postgres
     volumes:
       - ./common/config/clair:/config
-    command: [-config, /config/config.yaml]
     logging:
       driver: "syslog"
       options:  

make/photon/clair/Dockerfile

@@ -2,15 +2,18 @@ FROM vmware/photon:1.0
 
 RUN tdnf distro-sync -y \
     && tdnf erase vim -y \
-    && tdnf install -y git bzr rpm xz \
+    && tdnf install -y git shadow sudo bzr rpm xz python-xml \
     && tdnf clean all \
-	&& mkdir /clair2.0.1/ 
-
+    && mkdir /clair2.0.1/ \
+    && groupadd -r -g 10000 clair \
+    && useradd --no-log-init -m -r -g 10000 -u 10000 clair
 COPY clair /clair2.0.1/
-
+COPY docker-entrypoint.sh /docker-entrypoint.sh
 VOLUME /config
-EXPOSE 6060 6061	
-
-RUN chmod u+x /clair2.0.1/clair
-
-ENTRYPOINT ["/clair2.0.1/clair"]
+EXPOSE 6060 6061
+RUN chown -R 10000:10000 /clair2.0.1 \
+    && chmod u+x /clair2.0.1/clair \
+    && chmod u+x /docker-entrypoint.sh
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:6061/health || exit 1
+USER clair
+ENTRYPOINT ["/docker-entrypoint.sh"]

make/photon/clair/docker-entrypoint.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+/clair2.0.1/clair -config /config/config.yaml
+set +e