# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0
# This is {docker.io,quay.io,ghcr.io}/openbao/openbao{,-hsm}.
FROM alpine:3.23.4 AS default
# NOTE(review): pinned by tag only; the distroless stage in this file pins by
# digest. Consider an @sha256:... suffix here too for a reproducible base.
COPY LICENSE /licenses/mozilla.txt

# Unprivileged service account. The group is a regular (non-system) group and
# the user a system account; no fixed UID/GID is chosen and USER below is by
# name, so Kubernetes runAsNonRoot cannot verify the image user numerically
# without an explicit runAsUser. Existing volumes carry whatever UID this
# resolves to, so do not change it casually.
RUN addgroup openbao \
 && adduser -S -G openbao openbao

# Runtime dependencies only; no build tooling is installed in this image.
# Versions are not pinned (hadolint DL3018) -- bump the alpine tag for updates.
#   ca-certificates  TLS trust store
#   dumb-init        PID 1 / zombie reaper used by the entrypoint
#   gcompat          glibc compatibility shim -- presumably the CI-built binary
#                    is not musl-linked; confirm
#   libcap, su-exec  presumably used by docker-entrypoint.sh (setcap / privilege
#                    drop when started as root); confirm in that script
#   tzdata           zoneinfo database
RUN apk add --no-cache \
      ca-certificates \
      dumb-init \
      gcompat \
      libcap \
      su-exec \
      tzdata

# The OpenBao binary is built externally in CI and copied into the container
# build. BIN_NAME must be a bare file name: the symlink below assumes the
# binary lands directly under /bin. The /bin/vault alias is presumably kept for
# Vault-compatible tooling.
ARG BIN_NAME
COPY ${BIN_NAME} /bin/
RUN ln -s /bin/${BIN_NAME} /bin/vault

# Writable state lives under /openbao, owned by the service user (the parent
# directory is chowned as well, not only the children):
#   /openbao/logs    audit log destination, if enabled
#   /openbao/file    data directory for the file storage backend, if used
#   /openbao/config  configuration directory the server is started with (per
#                    the upstream comment; the entrypoint script is not in view)
RUN mkdir -p /openbao/logs /openbao/file /openbao/config \
 && chown -R openbao:openbao /openbao

# The two data-bearing directories are declared as volumes so their contents
# outlive the container. Declared after the chown above on purpose: writes to a
# path after its VOLUME line are discarded from the image.
VOLUME /openbao/logs
VOLUME /openbao/file

# Documentation only (EXPOSE publishes nothing): 8200/tcp is the API listener.
EXPOSE 8200

# Drop to the unprivileged account for the running container. COPY below still
# runs as root, so the entrypoint is root-owned and must carry o+rx in the
# build context to be executable by openbao.
USER openbao
COPY .release/docker/docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
# Resolved via PATH. Per the upstream note the script runs dumb-init as the
# top-level process to reap zombies left by OpenBao sub-processes.
ENTRYPOINT ["docker-entrypoint.sh"]

# Default arguments: a single-node, in-memory, self-bootstrapping dev server.
# -dev-no-store-token presumably keeps the dev root token from being written to
# the home directory -- confirm against `bao server -help`. Never use this mode
# in production; override CMD with "server" and a real configuration.
CMD ["server", "-dev", "-dev-no-store-token"]
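# This is {docker.io,quay.io,ghcr.io}/openbao/openbao{,-hsm}-ubi.
FROM registry.access.redhat.com/ubi10-minimal:10.2 AS ubi
# NOTE(review): pinned by tag only; consider an @sha256:... suffix as the
# distroless stage in this file does.
COPY LICENSE /licenses/mozilla.txt

# Runtime dependencies. `microdnf clean all` runs in the same layer so the
# package metadata and cache pulled in by the install are not baked into the
# image (removing them in a later RUN would not shrink this layer).
# shadow-utils provides groupadd/adduser/usermod used below; gnupg, openssl,
# procps and util-linux are presumably used by ubi-docker-entrypoint.sh or by
# operators -- confirm, each is extra attack surface in the runtime image.
# Versions are unpinned; bump the base tag for updates.
RUN microdnf install -y \
      ca-certificates \
      gnupg \
      libcap \
      openssl \
      procps \
      shadow-utils \
      tzdata \
      util-linux \
 && microdnf clean all

# Create a non-root user to run the software, with fixed IDs. Membership in the
# root group (GID 0), together with the group-0 ownership and g+rwX bits set
# below, follows the OpenShift convention of running under an arbitrary,
# randomly assigned UID that is always a member of GID 0.
# NOTE(review): USER further down is by name; Kubernetes runAsNonRoot cannot
# verify a non-numeric image user. `USER 100` would name the same account.
RUN groupadd --gid 1000 openbao \
 && adduser --uid 100 --system -g openbao openbao \
 && usermod -a -G root openbao

# The OpenBao binary is built externally in CI and copied into the container
# build. BIN_NAME must be a bare file name: the symlink below assumes the
# binary lands directly under /bin. /bin/vault is presumably an alias kept for
# Vault-compatible tooling.
ARG BIN_NAME
COPY ${BIN_NAME} /bin/
RUN ln -s /bin/${BIN_NAME} /bin/vault

# /openbao/logs is made available to use as a location to store audit logs, if
# desired; /openbao/file is made available to use as a location with the file
# storage backend, if desired; the server will be started with /openbao/config
# as the configuration directory so you can add additional config files in that
# location. Everything (plus HOME) is owned by openbao and made GID-0 group
# writable so an arbitrary OpenShift UID can still write state and logs. Note
# this also makes /openbao/config writable by any GID-0 process in the
# container, which is the accepted trade-off of that convention.
ENV HOME=/home/openbao
RUN mkdir -p /openbao/logs /openbao/file /openbao/config "$HOME" \
 && chown -R openbao /openbao "$HOME" \
 && chgrp -R 0 /openbao "$HOME" \
 && chmod -R g+rwX /openbao "$HOME"

# Data-bearing directories are declared as volumes so their contents outlive
# the container. Declared after the ownership changes on purpose: writes to a
# path after its VOLUME line are discarded from the image.
VOLUME /openbao/logs
VOLUME /openbao/file

# Documentation only (EXPOSE publishes nothing): 8200/tcp is the API listener.
EXPOSE 8200

# Drop to the unprivileged account for the running container. COPY below still
# runs as root, so the entrypoint is root-owned and must carry o+rx in the
# build context to be executable by openbao.
USER openbao
COPY .release/docker/ubi-docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
# Resolved via PATH. Per the upstream note the script runs dumb-init as the
# top-level process to reap zombies left by OpenBao sub-processes; dumb-init is
# not installed in this stage, so confirm what ubi-docker-entrypoint.sh uses.
ENTRYPOINT ["docker-entrypoint.sh"]

# Default arguments: a single-node, in-memory, self-bootstrapping dev server.
# -dev-no-store-token presumably keeps the dev root token from being written to
# the home directory -- confirm against `bao server -help`. Never use this mode
# in production; override CMD with "server" and a real configuration.
CMD ["server", "-dev", "-dev-no-store-token"]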
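# This is {docker.io,quay.io,ghcr.io}/openbao/openbao-distroless.
# Smallest variant: no shell, no package manager, and none of the su-exec /
# dumb-init / libcap helpers the other stages install, so nothing their
# entrypoints do (privilege drop, setcap for mlock, pre-created
# /openbao/{config,file,logs}, the /bin/vault alias) applies here. The base is
# pinned by digest and the ":nonroot" flavor already runs as its unprivileged
# user (uid 65532 upstream -- confirm), so no USER line is needed. Do not add
# `USER nonroot` by name: Kubernetes runAsNonRoot can only verify a numeric
# image user.
FROM gcr.io/distroless/static:nonroot@sha256:963fa6c544fe5ce420f1f54fb88b6fb01479f054c8056d0f74cc2c6000df5240 AS distroless
COPY LICENSE /licenses/mozilla.txt

# The OpenBao binary is built externally in CI and copied into the container
# build. It is installed under the fixed name the ENTRYPOINT expects so that a
# differently named CI artifact (BIN_NAME) cannot leave /bin/bao missing --
# there is no shell in this image to create an alias afterwards. The binary
# must be statically linked: the "static" distroless flavor ships no libc.
ARG BIN_NAME
COPY ${BIN_NAME} /bin/bao

# 8200/tcp is the primary interface that applications use to interact with
# OpenBao (documentation only; EXPOSE publishes nothing).
EXPOSE 8200

# No init wrapper here; bao itself is PID 1 and must handle signal forwarding
# and reaping of any sub-processes it spawns (or run with `docker run --init`).
ENTRYPOINT ["/bin/bao"]
# By default you'll get a single-node development server that stores everything
# in RAM and bootstraps itself. Don't use this configuration for production.
# -dev-no-store-token presumably keeps the dev root token from being written to
# the home directory -- confirm against `bao server -help`.
CMD ["server", "-dev", "-dev-no-store-token"]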