use setpriv instead of gosu (#24)

Signed-off-by: Jay R. Wren <[email protected]>
valkey-io · Aug 1, 2024 · e8c75a0 · e8c75a0
1 parent 5f95a51
commit e8c75a0
Show file tree

Hide file tree

Showing 13 changed files with 18 additions and 394 deletions.
diff --git a/7.2/alpine/Dockerfile b/7.2/alpine/Dockerfile
diff --git a/7.2/alpine/docker-entrypoint.sh b/7.2/alpine/docker-entrypoint.sh
diff --git a/7.2/debian/Dockerfile b/7.2/debian/Dockerfile
diff --git a/7.2/debian/docker-entrypoint.sh b/7.2/debian/docker-entrypoint.sh
diff --git a/Dockerfile.template b/Dockerfile.template
@@ -23,6 +23,8 @@ RUN set -eux; \
 	apk add --no-cache \
 # add tzdata for https://github.com/docker-library/valkey/issues/138
 		tzdata \
+		# add setpriv for step down from root.
+		setpriv \
 	;
 {{ ) else ( -}}
 RUN set -eux; \
@@ -34,88 +36,6 @@ RUN set -eux; \
 	rm -rf /var/lib/apt/lists/*
 {{ ) end -}}
 
-# grab gosu for easy step-down from root
-# https://github.com/tianon/gosu/releases
-ENV GOSU_VERSION {{ .gosu.version }}
-RUN set -eux; \
-{{ if env.variant == "alpine" then ( -}}
-	apk add --no-cache --virtual .gosu-fetch gnupg; \
-	arch="$(apk --print-arch)"; \
-{{ ) else ( -}}
-	savedAptMark="$(apt-mark showmanual)"; \
-	apt-get update; \
-	apt-get install -y --no-install-recommends ca-certificates gnupg wget; \
-	rm -rf /var/lib/apt/lists/*; \
-	arch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
-{{ ) end -}}
-	case "$arch" in \
-{{
-	[
-		.gosu.arches
-		| to_entries[]
-		| (
-			if env.variant == "alpine" then
-				{
-					# https://dl-cdn.alpinelinux.org/alpine/edge/main/
-					# https://dl-cdn.alpinelinux.org/alpine/latest-stable/main/
-					amd64: "x86_64",
-					arm32v6: "armhf",
-					arm32v7: "armv7",
-					arm64v8: "aarch64",
-					i386: "x86",
-					ppc64le: "ppc64le",
-					riscv64: "riscv64",
-					s390x: "s390x",
-				}
-			else
-				{
-					# https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/data/cputable
-					# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
-					# http://deb.debian.org/debian/dists/unstable/main/
-					# http://deb.debian.org/debian/dists/stable/main/
-					# https://deb.debian.org/debian-ports/dists/unstable/main/
-					amd64: "amd64",
-					arm32v5: "armel",
-					arm32v7: "armhf",
-					arm64v8: "arm64",
-					i386: "i386",
-					mips64le: "mips64el",
-					ppc64le: "ppc64el",
-					riscv64: "riscv64",
-					s390x: "s390x",
-				}
-			end
-		)[.key] as $arch
-		| select($arch)
-		| .value
-		| (
--}}
-		{{ $arch | @sh }}) url={{ .url | @sh }}; sha256={{ .sha256 | @sh }} ;; \
-{{
-		)
-	] | add
--}}
-		*) echo >&2 "error: unsupported gosu architecture: '$arch'"; exit 1 ;; \
-	esac; \
-	wget -O /usr/local/bin/gosu.asc "$url.asc"; \
-	wget -O /usr/local/bin/gosu "$url"; \
-	echo "$sha256 */usr/local/bin/gosu" | sha256sum -c -; \
-	export GNUPGHOME="$(mktemp -d)"; \
-	gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
-	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
-	gpgconf --kill all; \
-	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
-{{ if env.variant == "alpine" then ( -}}
-	apk del --no-network .gosu-fetch; \
-{{ ) else ( -}}
-	apt-mark auto '.*' > /dev/null; \
-	[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
-	apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
-{{ ) end -}}
-	chmod +x /usr/local/bin/gosu; \
-	gosu --version; \
-	gosu nobody true
-
 ENV VALKEY_VERSION {{ .version }}
 ENV VALKEY_DOWNLOAD_URL {{ .url }}
 ENV VALKEY_DOWNLOAD_SHA {{ .sha256 // error("no sha256 for \(.version) (\(env.version))") }}

diff --git a/docker-entrypoint.sh b/docker-entrypoint.sh
@@ -10,7 +10,7 @@ fi
 # allow the container to be started with `--user`
 if [ "$1" = 'valkey-server' -a "$(id -u)" = '0' ]; then
 	find . \! -user valkey -exec chown valkey '{}' +
-	exec gosu valkey "$0" "$@"
+	exec setpriv --reuid=valkey --regid=valkey --clear-groups -- "$0" "$@"
 fi
 
 # set an appropriate umask (if one isn't set already)

diff --git a/generate-stackbrew-library.sh b/generate-stackbrew-library.sh
@@ -108,22 +108,10 @@ for version; do
 		suiteAliases=( "${suiteAliases[@]//latest-/}" )
 		variantAliases+=( "${suiteAliases[@]}" )
 
-		# calculate the intersection of parent image arches and gosu arches
-		arches="$(jq -r --arg arches "$arches" '
-			(
-				$arches
-				| gsub("^[[:space:]]+|[[:space:]]+$"; "")
-				| split("[[:space:]]+"; "")
-			) as $parentArches
-			| .[env.version]
-			| $parentArches - ($parentArches - (.gosu.arches | keys))
-			| join(", ")
-		' versions.json)"
-
 		echo
 		cat <<-EOE
 			Tags: $(join ', ' "${variantAliases[@]}")
-			Architectures: $arches
+			Architectures: $(join ', ' $arches)
 			GitCommit: $commit
 			Directory: $dir
 		EOE

diff --git a/unstable/alpine/Dockerfile b/unstable/alpine/Dockerfile
diff --git a/unstable/alpine/docker-entrypoint.sh b/unstable/alpine/docker-entrypoint.sh
diff --git a/unstable/debian/Dockerfile b/unstable/debian/Dockerfile
diff --git a/unstable/debian/docker-entrypoint.sh b/unstable/debian/docker-entrypoint.sh