From e9d1b89936a1e04cfddf3bd758a2d708b8be0684 Mon Sep 17 00:00:00 2001
From: yixingj
Date: Fri, 3 Nov 2017 18:06:27 +0800
Subject: [PATCH] Run clair with limited user

1>creat user clair
2>run clair with user clair
---
 make/docker-compose.clair.yml | 3 +--
 make/photon/clair/Dockerfile | 21 ++++++++++++---------
 make/photon/clair/docker-entrypoint.sh | 4 ++++
 3 files changed, 17 insertions(+), 11 deletions(-)
 create mode 100644 make/photon/clair/docker-entrypoint.sh

diff --git a/make/docker-compose.clair.yml b/make/docker-compose.clair.yml
index 888d243f8..5cacf9a74 100644
--- a/make/docker-compose.clair.yml
+++ b/make/docker-compose.clair.yml
@@ -35,14 +35,13 @@ services:
 networks:
 - harbor-clair
 container_name: clair
- image: vmware/clair-photon:v2.0.1
+ image: vmware/clair:v2.0.1-photon
 restart: always
 cpu_quota: 150000
 depends_on:
 - postgres
 volumes:
 - ./common/config/clair:/config
- command: [-config, /config/config.yaml]
 logging:
 driver: "syslog"
 options:
diff --git a/make/photon/clair/Dockerfile b/make/photon/clair/Dockerfile
index 9f5d1185f..eb319e85b 100644
--- a/make/photon/clair/Dockerfile
+++ b/make/photon/clair/Dockerfile
@@ -2,15 +2,18 @@ FROM vmware/photon:1.0
 RUN tdnf distro-sync -y \
 && tdnf erase vim -y \
- && tdnf install -y git bzr rpm xz \
+ && tdnf install -y git shadow sudo bzr rpm xz python-xml \
 && tdnf clean all \
- && mkdir /clair2.0.1/
-
+ && mkdir /clair2.0.1/ \
+ && groupadd -r -g 10000 clair \
+ && useradd --no-log-init -m -r -g 10000 -u 10000 clair
 COPY clair /clair2.0.1/
-
+COPY docker-entrypoint.sh /docker-entrypoint.sh
 VOLUME /config
-EXPOSE 6060 6061
-
-RUN chmod u+x /clair2.0.1/clair
-
-ENTRYPOINT ["/clair2.0.1/clair"]
+EXPOSE 6060 6061
+RUN chown -R 10000:10000 /clair2.0.1 \
+ && chmod u+x /clair2.0.1/clair \
+ && chmod u+x /docker-entrypoint.sh
+HEALTHCHECK --interval=30s --timeout=10s --retries=3 CMD curl -sS 127.0.0.1:6061/health || exit 1
+USER clair
+ENTRYPOINT ["/docker-entrypoint.sh"]
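Review bot: `sudo` is added to the package list on the `tdnf install` line although nothing in the hunk uses it, and shipping a setuid-root binary in an image whose whole point is to drop to an unprivileged user undercuts the change; drop it: `&& tdnf install -y git shadow bzr rpm xz python-xml \`. The new `HEALTHCHECK` depends on `curl`, which is not in the install list, so unless the `vmware/photon:1.0` base already ships it the probe will fail on every interval; and because `-f` is missing, a 5xx from `/health` still exits 0 and reports the container healthy — prefer `CMD curl -fsS http://127.0.0.1:6061/health || exit 1`. Since the process now runs as uid 10000, the bind-mounted `/config/config.yaml` (which presumably carries the Postgres DSN) must be readable by that uid; a root-owned 0600 file on the host would make clair fail at startup, so the installer or docs should set its ownership or mode accordingly. If the build toolchain is at least Docker 17.09, `COPY --chown=10000:10000 clair /clair2.0.1/` would also avoid the extra `chown -R` layer that duplicates the binary's size.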
diff --git a/make/photon/clair/docker-entrypoint.sh b/make/photon/clair/docker-entrypoint.sh
new file mode 100644
index 000000000..b09f4a6bf
--- /dev/null
+++ b/make/photon/clair/docker-entrypoint.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+set -e
+/clair2.0.1/clair -config /config/config.yaml
+set +e
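Review bot: The script launches clair as a child of bash instead of `exec`-ing it, so bash is PID 1, the SIGTERM from `docker stop` is delivered to bash rather than to clair, and clair is SIGKILLed after the stop timeout instead of shutting down cleanly. The trailing `set +e` is never reached in any useful way and the hard-coded arguments mean any `command:` a deployer sets in compose is silently ignored; replace the last two lines with `exec /clair2.0.1/clair -config /config/config.yaml "$@"` so clair becomes PID 1 and extra arguments pass through. A one-line header comment such as `# Entrypoint: run clair as the unprivileged 'clair' user with the mounted config` would also help, since the config path is now fixed here rather than in docker-compose.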