This is an automated email from the ASF dual-hosted git repository.
liuhongyu pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/shenyu.git
The following commit(s) were added to refs/heads/master by this push:
new 64ad46fa44 [Security] Harden Docker images to run as non-root user
(#6273)
64ad46fa44 is described below
commit 64ad46fa44d6295d284660afbd12fe0080d4b963
Author: Rin <[email protected]>
AuthorDate: Fri Jan 30 18:34:21 2026 +0700
[Security] Harden Docker images to run as non-root user (#6273)
Co-authored-by: aias00 <[email protected]>
Co-authored-by: zhengpeng <[email protected]>
---
shenyu-dist/shenyu-admin-dist/docker/Dockerfile | 14 ++++++++++----
shenyu-dist/shenyu-bootstrap-dist/docker/Dockerfile | 12 +++++++++---
2 files changed, 19 insertions(+), 7 deletions(-)
diff --git a/shenyu-dist/shenyu-admin-dist/docker/Dockerfile
b/shenyu-dist/shenyu-admin-dist/docker/Dockerfile
index 2df4884ad1..44d28b76ba 100644
--- a/shenyu-dist/shenyu-admin-dist/docker/Dockerfile
+++ b/shenyu-dist/shenyu-admin-dist/docker/Dockerfile
@@ -25,18 +25,24 @@ RUN mv /opt/${APP_NAME} ${LOCAL_PATH}
FROM amazoncorretto:17.0.11-alpine3.19
-RUN apk --no-cache add wget curl
+RUN apk --no-cache add wget curl && \
+ addgroup -S shenyu && \
+ adduser -S shenyu -G shenyu && \
+ mkdir -p /home/shenyu && \
+ chown -R shenyu:shenyu /home/shenyu
ENV LOCAL_PATH /opt/shenyu-admin
ENV ADMIN_JVM ""
-COPY --from=prepare ${LOCAL_PATH} ${LOCAL_PATH}
-COPY docker/logback.xml ${LOCAL_PATH}/conf/logback.xml
-COPY docker/entrypoint.sh ${LOCAL_PATH}/entrypoint.sh
+COPY --chown=shenyu:shenyu --from=prepare ${LOCAL_PATH} ${LOCAL_PATH}
+COPY --chown=shenyu:shenyu docker/logback.xml ${LOCAL_PATH}/conf/logback.xml
+COPY --chown=shenyu:shenyu docker/entrypoint.sh ${LOCAL_PATH}/entrypoint.sh
RUN chmod +x ${LOCAL_PATH}/entrypoint.sh
WORKDIR /opt/shenyu-admin
+USER shenyu
+
EXPOSE 9095
ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
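Review bot: The three `COPY --chown=shenyu:shenyu` lines give the runtime account ownership of the whole install tree, so the process confined by `USER shenyu` can still rewrite its own jars, `conf/logback.xml` and `entrypoint.sh`. Keeping those files root-owned and granting write access only where the service needs it would be tighter: drop `--chown` from the COPY lines and add something like `RUN mkdir -p ${LOCAL_PATH}/<writable-dir> && chown shenyu:shenyu ${LOCAL_PATH}/<writable-dir>`, where `<writable-dir>` is a placeholder. Which directories `entrypoint.sh` and the application write to is not visible here, and the `prepare` stage lies outside the hunk, so the exact paths need confirming. The same three COPY lines in the shenyu-bootstrap Dockerfile hunk have the same effect.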
diff --git a/shenyu-dist/shenyu-bootstrap-dist/docker/Dockerfile
b/shenyu-dist/shenyu-bootstrap-dist/docker/Dockerfile
index 03cf11c783..06772955f4 100644
--- a/shenyu-dist/shenyu-bootstrap-dist/docker/Dockerfile
+++ b/shenyu-dist/shenyu-bootstrap-dist/docker/Dockerfile
@@ -26,18 +26,24 @@ RUN mv /opt/${APP_NAME} ${LOCAL_PATH}
# FROM amazoncorretto:17.0.11-alpine3.19
FROM eclipse-temurin:17-centos7
+RUN groupadd -r shenyu && \
+ useradd -r -g shenyu -m -d /home/shenyu shenyu && \
+ chown -R shenyu:shenyu /home/shenyu
+
# RUN apk --no-cache add wget curl
ENV LOCAL_PATH /opt/shenyu-bootstrap
ENV BOOT_JVM ""
-COPY --from=prepare ${LOCAL_PATH} ${LOCAL_PATH}
-COPY docker/logback.xml ${LOCAL_PATH}/conf/logback.xml
-COPY docker/entrypoint.sh ${LOCAL_PATH}/entrypoint.sh
+COPY --chown=shenyu:shenyu --from=prepare ${LOCAL_PATH} ${LOCAL_PATH}
+COPY --chown=shenyu:shenyu docker/logback.xml ${LOCAL_PATH}/conf/logback.xml
+COPY --chown=shenyu:shenyu docker/entrypoint.sh ${LOCAL_PATH}/entrypoint.sh
RUN chmod +x ${LOCAL_PATH}/entrypoint.sh
WORKDIR ${LOCAL_PATH}
+USER shenyu
+
EXPOSE 9195
ENTRYPOINT ["/bin/sh", "entrypoint.sh"]
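Review bot: `useradd -r` lets the system pick the UID and `USER shenyu` names the account instead of its number, which Kubernetes cannot verify under `runAsNonRoot: true` (the kubelet refuses to start an image with a non-numeric user). Pinning the UID fixes that, for example `useradd -r -u 10001 -g shenyu -s /sbin/nologin -m -d /home/shenyu shenyu` followed by `USER 10001` (10001 is a constructed example value). The `-s /sbin/nologin` also avoids the default login shell that useradd would likely assign. The trailing `chown -R` looks redundant, since `-m` already creates the home directory for that user. The admin Dockerfile's `adduser -S` and `USER shenyu` could take a fixed `-u` in the same way.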