From 1b5b51b0c8da910de9746609915051c492a4c16e Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 6 Feb 2021 07:08:37 +0200
Subject: [PATCH] Limited user.

Use capabilities to bind to a low-numbered port. Also, remove the EXPOSE
directive; it's already in the original image.
---
 Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 4f8b663..7dbf42f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -4,11 +4,14 @@ FROM registry.hub.docker.com/cznic/knot:latest
 RUN apt-get update && \
     DEBIAN_FRONTEND=noninteractive apt-get install -y --no-install-recommends \
         gettext-base \
+        libcap2-bin \
     && \
+    setcap CAP_NET_BIND_SERVICE=+ep /sbin/knotd && \
+    chmod 777 /storage /rundir && \
     rm -rf /tmp/* /var/tmp/* /var/lib/apt/lists/* /var/cache/apt/archives/*
 COPY --chown=root:root entrypoint /usr/local/bin/
 COPY --chown=root:root knot.conf /etc/knot/
-EXPOSE 53/tcp 53/udp
 ENTRYPOINT ["entrypoint"]
 CMD ["knotd", "-vc", "/etc/knot/knot.conf"]
+USER nobody
 HEALTHCHECK CMD knotc status
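Review bot: `chmod 777 /storage /rundir` makes both directories world-writable, which is broader than the new `USER nobody` needs; giving that user ownership keeps them writable by the daemon without opening them to every other account in the container, e.g. `chown nobody /storage /rundir`. If either path is declared as a volume by the base image, a mode or ownership change made in this layer will not survive at runtime, so the fix may belong in the entrypoint instead. Because `USER nobody` precedes `HEALTHCHECK`, `knotc status` also runs as nobody and presumably needs the control socket under /rundir, which looks like the reason the directory is opened up — that deserves a comment on the line, e.g. `# knotd and the knotc healthcheck run as nobody and need write access here`. A numeric form (`USER 65534`) would let runtimes that enforce runAsNonRoot verify the user without reading /etc/passwd, and `libcap2-bin` is installed unpinned like the existing `gettext-base`, so pinning both would make the layer reproducible.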
-- 
GitLab