Limited user.

Use capabilities to bind to lower number port. Also, remove the expose directive, it's already in the original image.

Limited user.
1b5b51b0 · nimrod · 5b20a450 · 1b5b51b0
Commit 1b5b51b0 authored 4 years ago by nimrod
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,11 +4,14 @@ FROM registry.hub.docker.com/cznic/knot:latest
 RUN apt-get update && \
    DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
        gettext-base \
+        libcap2-bin \
    && \
+    setcap CAP_NET_BIND_SERVICE=+ep /sbin/knotd && \
+    chmod 777 /storage /rundir && \
    rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
 COPY --chown=root:root entrypoint /usr/local/bin/
 COPY --chown=root:root knot.conf /etc/knot/
-EXPOSE 53/tcp 53/udp
 ENTRYPOINT ["entrypoint"]
 CMD ["knotd", "-vc", "/etc/knot/knot.conf"]
+USER nobody
 HEALTHCHECK CMD knotc status