Set secure SHELL options before RUN
Docker only evaluates the exit code of the last operation after the pipe
in a RUN statement to determine success. Specifying 'pipefail' will cause
the build to fail due to an error at any stage of a RUN command with
pipes.

Setting the -e option instructs bash to immediately exit if any command
in a RUN statement has a non-zero exit status.

Setting the -u option triggers an error if a variable is referenced that
has not been previously defined.

Setting runDeps using a list passed to 'apk info --installed' returns a
non-zero exit status if one of the packages listed is not installed.
Added '|| true' to force an exit status of 0.
sbreker committed Apr 25, 2024
1 parent 5029b0b commit d6a1af1
Showing 1 changed file with 4 additions and 3 deletions.
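An added example, not part of this commit or of the gearmand image, showing the effect of the three options named in the message and the grouping problem of the `|| true` added to the runDeps pipeline. It assumes bash is available as a stand-in for the image's /bin/sh (busybox ash), and uses a constructed three-line shared-object list plus a pass-through filter that exits non-zero in place of `xargs -r apk info --installed`.

```shell
#!/bin/sh
# Constructed stand-in for the scanelf/awk output: three names, one duplicated, unsorted.
export INPUT='so:libc.musl
so:libstdc++
so:libc.musl'

# Run SCRIPT under bash with the given options (mirroring SHELL [..., "-euxo", "pipefail", "-c"]),
# discard its output and print its exit status.
status_of() {
    if bash $1 -c "$2" >/dev/null 2>&1; then echo 0; else echo $?; fi
}

# pipefail: by default only the last command of a pipe decides its status.
no_pipefail_status() { status_of "-e" 'false | true'; }
pipefail_status()    { status_of "-eo pipefail" 'false | true'; }

# -u: referencing a variable that was never set is an error (non-zero status).
unset_var_status() { status_of "-u" 'echo "$NEVER_SET_VAR"'; }

# Filter stage that passes its input through but exits non-zero, standing in for
# `xargs -r apk info --installed` when one listed package is not installed.
FAILING_FILTER='{ cat; false; }'

# Without masking, pipefail makes the whole command substitution fail under -e.
unmasked_status() {
    status_of "-eo pipefail" "deps=\$(printf '%s\n' \"\$INPUT\" | $FAILING_FILTER | sort -u)"
}

# As committed: `... | filter || true | sort -u`. `||` binds looser than `|`, so this is
# `(... | filter) || (true | sort -u)`: the status is masked, but `sort -u` only ever
# processes the output of `true`, and the list is emitted unsorted with its duplicate.
as_committed() {
    bash -o pipefail -c "printf '%s\n' \"\$INPUT\" | $FAILING_FILTER || true | sort -u"
}

# Intended grouping: mask only the filter's status, then sort the combined output.
intended() {
    bash -o pipefail -c "{ printf '%s\n' \"\$INPUT\" | $FAILING_FILTER || true; } | sort -u"
}

printf 'false|true exits %s without pipefail, %s with it\n' "$(no_pipefail_status)" "$(pipefail_status)"
printf 'as committed:\n%s\nintended:\n%s\n' "$(as_committed)" "$(intended)"
```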
7 changes: 4 additions & 3 deletions 1.1.21.2/Dockerfile
Expand Up @@ -3,10 +3,11 @@ FROM alpine:3.19.1
ENV GEARMAND_VERSION 1.1.21
ENV GEARMAND_SHA1 472d2a0019e69edefcd0c1ff57e9352982e6d3f5

SHELL ["/bin/sh", "-euxo", "pipefail", "-c"]

RUN addgroup -S gearman && adduser -G gearman -S -D -H -s /bin/false -g "Gearman Server" gearman

RUN set -x \
&& apk add --no-cache --virtual .build-deps \
RUN apk add --no-cache --virtual .build-deps \

Hadolint annotations on line 10 of 1.1.21.2/Dockerfile (GitHub Actions / Lint Dockerfiles with Hadolint):

DL3003 info: Use WORKDIR to switch to a directory
DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
DL3047 info: Avoid use of wget without progress bar. Use `wget --progress=dot:giga <url>`. Or consider using `-q` or `-nv` (shorthands for `--quiet` or `--no-verbose`).
DL3019 info: Use the `--no-cache` switch to avoid the need to use `--update` and remove `/var/cache/apk/*` when done installing packages
SC2086 info: Double quote to prevent globbing and word splitting.
DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
wget \
tar \
ca-certificates \
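Review bot: the new SHELL line pins /bin/sh, which on alpine:3.19.1 is busybox ash rather than the bash the commit message describes, and the DL4006 annotation on this same hunk asks for the shell to be named explicitly when relying on `-o pipefail`; consider `SHELL ["/bin/ash", "-euxo", "pipefail", "-c"]` so the pipefail behaviour is tied to a known shell instead of whatever /bin/sh resolves to in a future base image. Also worth noting that `-x` now echoes every RUN command, including the expanded `$runDeps` list, into the build log, which is fine here but should be kept in mind if any RUN later handles a secret.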
Expand Down Expand Up @@ -44,7 +45,7 @@ RUN set -x \
scanelf --needed --nobanner --recursive /usr/local \
| awk '{ gsub(/,/, "\nso:", $2); print "so:" $2 }' \
| sort -u \
| xargs -r apk info --installed \
| xargs -r apk info --installed || true \
| sort -u \
)" \
&& apk add --virtual .gearmand-rundeps $runDeps \
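Review bot: the `|| true` on the xargs line does not do what the message intends, because `||` binds looser than `|`: the substitution now reads `(scanelf ... | sort -u | xargs -r apk info --installed) || (true | sort -u)`, so the exit status is masked but the final `sort -u` only ever processes the output of `true`, and runDeps receives apk info's output unsorted and un-deduplicated. If the status really must be masked, group just that stage, e.g. `| { xargs -r apk info --installed || true; } \` followed by `| sort -u \`; better still, let the non-zero status surface under pipefail, since it means a shared object scanelf found is not provided by any installed package and the resulting image would be missing a runtime dependency.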

0 comments on commit d6a1af1
