Merge pull request #82 from glasswalk3r/feature/non-root-user

feature: non root user
jonasbn · Jun 24, 2024 · 7ca1157 · 7ca1157
2 parents 2fbb08b + 6060986
commit 7ca1157
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 11 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,24 +3,39 @@
 FROM perl:5.40.0-bullseye
 
 # We point to the original repository for the image
-LABEL org.opencontainers.image.source https://github.com/jonasbn/ebirah
+LABEL org.opencontainers.image.source="https://github.com/jonasbn/ebirah"
+LABEL org.opencontainers.image.base.name="registry.hub.docker.com/library/perl:5.38.2-bullseye"
+LABEL org.opencontainers.image.url="https://github.com/jonasbn/ebirah"
+LABEL org.opencontainers.image.title="ebirah"
+LABEL org.opencontainers.image.description="Experimental Docker image for Dist::Zilla"
 
+ENV DEBIAN_FRONTEND=noninteractive RUNNER_GROUP=distzilla RUNNER_USER=runner
+RUN apt-get update && apt-get upgrade -y && apt-get autoremove -y && \
+    apt-get clean -y && rm -rf /var/lib/apt/lists/* && addgroup "$RUNNER_GROUP" && \
+    adduser --ingroup "$RUNNER_GROUP" --home /home/runner --shell /bin/bash \
+    --disabled-password --gecos '' runner
+
+# Non-privileged user to run dzil
+USER "$RUNNER_USER"
 # This is our Dist::Zilla work directory, we do not want to mix this
 # with our staging area
-WORKDIR /usr/src/dzil
+WORKDIR /home/runner
 
+ENV LOCAL_LIB_FILE=local_lib.txt CPAN_FILE=cpanfile
 # REF: http://dzil.org/
-COPY cpanfile .
+COPY $LOCAL_LIB_FILE $CPAN_FILE ./
+RUN cpanm --local-lib="$HOME/perl5" 'local::lib' && \
+    eval "$(perl -I ~/perl5/lib/perl5/ -Mlocal::lib)" && \
+    # probably not required, but let's setup it here
+    cat $LOCAL_LIB_FILE >> .bashrc && \
+    rm -fv $LOCAL_LIB_FILE
 
-ENV DEBIAN_FRONTEND=noninteractive
-RUN apt-get update && apt-get upgrade -y && apt-get autoremove -y && \
-    apt-get clean -y && rm -rf /var/lib/apt/lists/*
-
-RUN cpanm --notest Dist::Zilla && rm -rf $HOME/.cpanm && rm -rf /tmp/*
-RUN cpanm --installdeps --notest . && rm -rf $HOME/.cpanm && rm -rf /tmp/*
+RUN cpanm --notest Dist::Zilla && rm -rf "$HOME/.cpanm" && rm -rf /tmp/*
+RUN cpanm --installdeps --notest . && rm -rf "$HOME/.cpanm" && rm -rf /tmp/* && rm -fv "$CPAN_FILE"
 
 # This is our staging work directory
 WORKDIR /tmp
-
+COPY --chmod=555 entrypoint.sh /opt
 # This is our executable, it consumes all parameters passed to our container
-ENTRYPOINT [ "dzil" ]
+ENTRYPOINT ["/bin/bash", "/opt/entrypoint.sh"]
+CMD ["version"]
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,18 @@
+#!/bin/bash
+
+# TODO: probably not the best way to setup local::lib, but bash --login
+# is not doing it's job
+PATH="/home/runner/perl5/bin${PATH:+:${PATH}}"
+export PATH
+PERL5LIB="/home/runner/perl5/lib/perl5${PERL5LIB:+:${PERL5LIB}}"
+export PERL5LIB
+PERL_LOCAL_LIB_ROOT="/home/runner/perl5${PERL_LOCAL_LIB_ROOT:+:${PERL_LOCAL_LIB_ROOT}}"
+export PERL_LOCAL_LIB_ROOT
+# shellcheck disable=SC2089
+PERL_MB_OPT="--install_base \"/home/runner/perl5\"";
+# shellcheck disable=SC2090
+export PERL_MB_OPT
+PERL_MM_OPT="INSTALL_BASE=/home/runner/perl5"
+export PERL_MM_OPT
+
+exec dzil "$@"
diff --git a/local_lib.txt b/local_lib.txt
@@ -0,0 +1,7 @@
+
+# Configures Perl local::lib properly for interactive sessions
+PATH="/home/runner/perl5/bin${PATH:+:${PATH}}"; export PATH;
+PERL5LIB="/home/runner/perl5/lib/perl5${PERL5LIB:+:${PERL5LIB}}"; export PERL5LIB;
+PERL_LOCAL_LIB_ROOT="/home/runner/perl5${PERL_LOCAL_LIB_ROOT:+:${PERL_LOCAL_LIB_ROOT}}"; export PERL_LOCAL_LIB_ROOT;
+PERL_MB_OPT="--install_base \"/home/runner/perl5\""; export PERL_MB_OPT;
+PERL_MM_OPT="INSTALL_BASE=/home/runner/perl5"; export PERL_MM_OPT;