Closed hi-artem closed 2 years ago
One way to get around this issue would be to restructure the Dockerfile to pull from the Caddy website instead of git. Something like this:
```dockerfile
# Fetch a prebuilt Caddy binary from the download API instead of building from git
RUN set -eux; \
    wget -O /tmp/caddy "https://caddyserver.com/api/download?os=linux&arch=arm64"; \
    mv /tmp/caddy /usr/bin/caddy; \
    chmod +x /usr/bin/caddy; \
    # Sanity check: the binary runs and reports its version
    caddy version
```
I was able to ~~bypass~~ resolve the vulnerabilities with @hi-artem's approach
```dockerfile
### Build Caddy (runs in parallel with previous steps)
FROM alpine:3.15 AS caddy-build
WORKDIR /tmp
RUN set -eux && \
    # Install a pinned wget (the only tool needed to fetch the prebuilt binary);
    # --no-cache fetches the index on the fly, so no separate apk update is needed
    apk add --no-cache \
        wget=1.21.2-r2 && \
    wget -qO /tmp/caddy "https://caddyserver.com/api/download?os=linux&arch=amd64" && \
    chmod +x /tmp/caddy && \
    # Sanity check: the binary runs and reports its version
    /tmp/caddy version

### Serve
FROM scratch AS serve
# Setup non-root user (use a very large uid to avoid users that may have sudo access)
USER 10001
# Copy caddy
COPY --from=caddy-build /tmp/caddy /caddy
# Copy the post-build directory to serve dir (app specific command)
# COPY --from=post-build /app/copy-this /srv
# Copy the Caddyfile (my Caddyfile serves /srv)
COPY Caddyfile /Caddyfile
# Use non-privileged port
EXPOSE 8080
CMD ["/caddy", "run", "--config", "/Caddyfile"]
```
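Both Dockerfile snippets in this thread fetch whatever the download API serves at build time and only print `caddy version`, so a build neither pins the Caddy release it ships nor checks what it downloaded. The shell functions below are an added example, not code from the thread or from the Caddy project, of the two checks a practitioner would bolt onto that RUN step: compare the reported version against a pinned tag, and compare the file's SHA-256 against an expected digest. The `version=` query parameter shown in the usage comment and the `h1:` suffix in the sample version string are assumptions; the expected digest would come from the Caddy release checksums you trust, not from the download API.

```shell
#!/bin/sh
# Added example (not from the issue thread): fail-closed checks for a Caddy
# binary fetched inside a Dockerfile RUN step.
set -eu

# Print the leading "vX.Y.Z" tag from `caddy version` output, which looks like
# "v2.5.0 h1:...=" (the h1 module-hash suffix is an assumption about the format).
caddy_version_tag() {
    # $1: raw output of `caddy version`
    printf '%s\n' "$1" | awk '{print $1}'
}

# Exit 0 when the reported version equals the pinned tag, non-zero otherwise.
check_caddy_version() {
    # $1: output of `caddy version`; $2: pinned tag such as v2.5.0
    actual=$(caddy_version_tag "$1")
    [ "$actual" = "$2" ]
}

# Exit 0 when the file's SHA-256 equals the expected lowercase hex digest,
# non-zero otherwise (busybox and coreutils sha256sum both print "hash  path").
verify_sha256() {
    # $1: path to the downloaded file; $2: expected hex digest
    actual=$(sha256sum "$1" | awk '{print $1}')
    [ "$actual" = "$2" ]
}

# How this would sit in the RUN step (not executed here; the version= parameter
# and CADDY_SHA256 build argument are assumptions, not taken from the thread):
#   wget -qO /tmp/caddy "https://caddyserver.com/api/download?os=linux&arch=amd64&version=v2.5.0"
#   verify_sha256 /tmp/caddy "$CADDY_SHA256" || exit 1
#   check_caddy_version "$(/tmp/caddy version)" v2.5.0 || exit 1
```

Putting the version check after the digest check matters: the version string comes from running the binary you just downloaded, so it is only trustworthy once the digest has already matched.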
This will be resolved by the v2.5.0 image - see https://github.com/docker-library/official-images/pull/12305
(closing this as there's no more action necessary on this)
Re-opening this issue here: