chore: install libssl3, create sinker user

Updates the sinker dockerfile following what iox does for a runtime image with libssl3 libraries, also create sinker user and group on the container.
influxdata · Dec 26, 2023 · 2dbe878 · 2dbe878
1 parent a152009
commit 2dbe878
Showing 1 changed file with 11 additions and 2 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,6 +1,6 @@
 # Leveraging the pre-built Docker images with
 # cargo-chef and the Rust toolchain
-FROM lukemathwalker/cargo-chef:latest-rust-1.73.0@sha256:09ec7a922dc592d980f3fcfa97b873e1a678ad2fb252671569a65187f1cd4a75 AS chef
+FROM lukemathwalker/cargo-chef:latest-rust-1.74-bookworm@sha256:f2f6e652c5aa759f9ff6b1f97062da912babc9c92641156c0c1723690448d384 AS chef
 WORKDIR app
 
 FROM chef AS planner
@@ -16,7 +16,16 @@ COPY . .
 RUN cargo build --release --bin sinker
 
 # We do not need the Rust toolchain to run the binary!
-FROM debian:bookworm-slim@sha256:45287d89d96414e57c7705aa30cb8f9836ef30ae8897440dd8f06c4cff801eec AS runtime
+FROM debian:bookworm-slim@sha256:45287d89d96414e57c7705aa30cb8f9836ef30ae8897440dd8f06c4cff801eec
+
+RUN apt update \
+    && apt install --yes ca-certificates libssl3 --no-install-recommends \
+    && rm -rf /var/lib/{apt,dpkg,cache,log} \
+    && groupadd --gid 1500 sinker \
+    && useradd --uid 1500 --gid sinker --shell /bin/bash --create-home sinker
+
+USER sinker
+
 WORKDIR app
 COPY --from=builder /app/target/release/sinker /usr/local/bin
 ENTRYPOINT ["/usr/local/bin/sinker"]