diff --git a/code-samples/serving/cloudevents/cloudevents-dotnet/Dockerfile b/code-samples/serving/cloudevents/cloudevents-dotnet/Dockerfile index 4cdc8f2e2c..912fad7818 100644 --- a/code-samples/serving/cloudevents/cloudevents-dotnet/Dockerfile +++ b/code-samples/serving/cloudevents/cloudevents-dotnet/Dockerfile @@ -13,6 +13,11 @@ # limitations under the License. FROM mcr.microsoft.com/dotnet/core/sdk:3.1-alpine AS build-env + +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + WORKDIR /app # Copy csproj and restore as distinct layers @@ -25,6 +30,14 @@ RUN dotnet publish -c Release -o out # Build runtime image FROM mcr.microsoft.com/dotnet/core/aspnet:3.1-alpine + +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + WORKDIR /app COPY --from=build-env /app/out . + +USER appuser + ENTRYPOINT ["dotnet", "CloudEventsSample.dll"] diff --git a/code-samples/serving/cloudevents/cloudevents-go/Dockerfile b/code-samples/serving/cloudevents/cloudevents-go/Dockerfile index 87c4eeff3b..e5a97e8b34 100644 --- a/code-samples/serving/cloudevents/cloudevents-go/Dockerfile +++ b/code-samples/serving/cloudevents/cloudevents-go/Dockerfile @@ -3,6 +3,10 @@ # https://hub.docker.com/_/golang FROM golang:1.13 as builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + ARG TARGETOS ARG TARGETARCH 
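Review bot: The `appuser` account added to the `build-env` stage of cloudevents-dotnet/Dockerfile is never used. No `USER` follows in that stage and only `/app/out` is copied out of it, so the extra `RUN` adds a layer without changing what the shipped image runs as. The same holds for every `builder`/`build-env` stage touched by this commit (the Go, Java, Kotlin, Scala and C# samples). I would drop the `addgroup`/`adduser` lines from the build stages and create the account only in the final stage.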
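Review bot: `USER appuser` in the runtime stage of cloudevents-dotnet/Dockerfile names the user instead of giving its id, and a pod that sets `runAsNonRoot: true` cannot verify a non-numeric image user, so the kubelet refuses to start the container. The account is created with a fixed id, so `USER 1000:1000` says the same thing and stays verifiable. This applies to every `USER appuser` line in the commit. Files copied into `/app` remain root-owned either way, which is fine for a server that only reads them.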
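Review bot: `addgroup -g` and `adduser -S -u -G` in the `builder` stage of cloudevents-go/Dockerfile are BusyBox options, but `golang:1.13` is Debian-based, where the `adduser` package spells them `--gid`, `--system`, `--uid` and `--ingroup`, so this `RUN` is expected to fail the build. The same lines are added on other non-Alpine bases: `golang`, `golang:latest`, `golang:1.15`, `mcr.microsoft.com/dotnet/sdk:6.0` and `aspnet:6.0`, `node:12-slim`, `python:3.7-slim`, `ruby:2.6-slim`, `php:7.3-apache`, and probably `gradle:6.7` and `hseeberger/scala-sbt`. In a final stage on such a base, `RUN groupadd --gid 1000 appuser && useradd --uid 1000 --gid appuser --no-create-home appuser` is the portable form; in builder stages the lines can simply be removed. Building each sample once in CI would catch this class of break.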
@@ -25,10 +29,17 @@ RUN go mod download # https://hub.docker.com/_/alpine # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds FROM alpine:3 + +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + RUN apk add --no-cache ca-certificates # Copy the binary to the production image from the builder stage. COPY --from=builder /app/server /server +USER appuser + # Run the web service on container startup. CMD ["/server"] diff --git a/code-samples/serving/cloudevents/cloudevents-nodejs/Dockerfile b/code-samples/serving/cloudevents/cloudevents-nodejs/Dockerfile index 42d6bb7f8e..4e07e89c34 100644 --- a/code-samples/serving/cloudevents/cloudevents-nodejs/Dockerfile +++ b/code-samples/serving/cloudevents/cloudevents-nodejs/Dockerfile @@ -14,6 +14,10 @@ FROM registry.access.redhat.com/ubi8/nodejs-12 +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Copy application dependency manifests to the container image. # A wildcard is used to ensure both package.json AND package-lock.json are copied. # Copying this separately prevents re-running npm install on every code change. @@ -31,6 +35,8 @@ ARG ENV=production ENV NODE_ENV $ENV +USER appuser + # Run the web service on container startup. CMD npm run $NODE_ENV diff --git a/code-samples/serving/cloudevents/cloudevents-rust/Dockerfile b/code-samples/serving/cloudevents/cloudevents-rust/Dockerfile index c6450533bc..3f5f710495 100644 --- a/code-samples/serving/cloudevents/cloudevents-rust/Dockerfile +++ b/code-samples/serving/cloudevents/cloudevents-rust/Dockerfile 
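Review bot: In cloudevents-nodejs/Dockerfile the new `RUN addgroup … && adduser …` will most likely fail on `registry.access.redhat.com/ubi8/nodejs-12`. As far as I know this base already switches to an unprivileged default user (UID 1001), and it ships `groupadd`/`useradd` rather than the BusyBox `addgroup`/`adduser` applets. If the base image's default user is confirmed, neither the `RUN` nor the later `USER appuser` is needed; an explicit `USER 1001` before `CMD` would document the intent. The instructions between the two hunks are outside the visible context.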
@@ -14,7 +14,13 @@ FROM scratch +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # To build it: cargo build --target x86_64-unknown-linux-musl --release COPY target/x86_64-unknown-linux-musl/release/knative-cloudevents-example /app +USER appuser + CMD ["/app"] diff --git a/code-samples/serving/gitwebhook-go/Dockerfile b/code-samples/serving/gitwebhook-go/Dockerfile index 807bae9eb9..061cd2f7cd 100644 --- a/code-samples/serving/gitwebhook-go/Dockerfile +++ b/code-samples/serving/gitwebhook-go/Dockerfile @@ -14,6 +14,10 @@ FROM golang AS builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + ARG TARGETOS ARG TARGETARCH @@ -32,7 +36,13 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -o /go/bin/webh FROM golang:alpine +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + EXPOSE 8080 COPY --from=builder /go/bin/webhook-sample /app/webhook-sample +USER appuser + ENTRYPOINT ["/app/webhook-sample"] diff --git a/code-samples/serving/grpc-ping-go/Dockerfile b/code-samples/serving/grpc-ping-go/Dockerfile index 3fba178798..26a0f26a2e 100644 --- a/code-samples/serving/grpc-ping-go/Dockerfile +++ b/code-samples/serving/grpc-ping-go/Dockerfile @@ -17,6 +17,10 @@ # https://hub.docker.com/_/golang FROM golang as builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + ARG TARGETOS ARG TARGETARCH 
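Review bot: `RUN addgroup …` directly after `FROM scratch` in cloudevents-rust/Dockerfile cannot execute, because a scratch image has no shell and no `addgroup` binary; the build stops at this step. There is also no `/etc/passwd` against which `USER appuser` could be resolved. A numeric user needs neither: delete the `RUN` and put `USER 1000:1000` before `CMD ["/app"]`.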
@@ -37,9 +41,15 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -tags=grpcping # https://github.com/GoogleContainerTools/distroless#readme FROM gcr.io/distroless/static +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Copy the binaries to the production image from the builder stage. COPY --from=builder /go/src/github.com/knative/docs/code-samples/serving/grpc-ping-go/ping-server /server COPY --from=builder /go/src/github.com/knative/docs/code-samples/serving/grpc-ping-go/ping-client /client +USER appuser + # Run the service on container startup. CMD ["/server"] diff --git a/code-samples/serving/hello-world/helloworld-csharp/Dockerfile b/code-samples/serving/hello-world/helloworld-csharp/Dockerfile index 1022659683..3907bbdf91 100644 --- a/code-samples/serving/hello-world/helloworld-csharp/Dockerfile +++ b/code-samples/serving/hello-world/helloworld-csharp/Dockerfile @@ -1,5 +1,10 @@ # Use Microsoft's official build .NET image. FROM mcr.microsoft.com/dotnet/sdk:6.0 AS build-env + +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + WORKDIR /app # Copy csproj and restore as distinct layers @@ -12,8 +17,15 @@ RUN dotnet publish -c Release -o out # Build runtime image FROM mcr.microsoft.com/dotnet/aspnet:6.0 + +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + WORKDIR /app COPY --from=build-env /app/out . +USER appuser + # Run the web service on container startup. ENTRYPOINT ["dotnet", "helloworld-csharp.dll"] diff --git a/code-samples/serving/hello-world/helloworld-go/Dockerfile b/code-samples/serving/hello-world/helloworld-go/Dockerfile index 4de3b9eec9..c7ff583da2 100644 --- a/code-samples/serving/hello-world/helloworld-go/Dockerfile +++ b/code-samples/serving/hello-world/helloworld-go/Dockerfile 
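Review bot: The `RUN addgroup … && adduser …` added under `FROM gcr.io/distroless/static` in grpc-ping-go/Dockerfile will fail, since distroless images contain no shell or user-management tools. The same lines are added under `FROM gcr.io/distroless/base` in knative-routing-go and kong-routing-go. Distroless already provides an unprivileged account: either switch to the `:nonroot` tag, or drop the `RUN` and use `USER 65532:65532` (its `nonroot` user) in place of `USER appuser`.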
@@ -2,6 +2,10 @@ # This is based on Debian and sets the GOPATH to /go. FROM golang:latest as builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + ARG TARGETOS ARG TARGETARCH @@ -24,10 +28,17 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -mod=readonly - # https://hub.docker.com/_/alpine # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds FROM alpine:3 + +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + RUN apk add --no-cache ca-certificates # Copy the binary to the production image from the builder stage. COPY --from=builder /app/server /server +USER appuser + # Run the web service on container startup. CMD ["/server"] diff --git a/code-samples/serving/hello-world/helloworld-java-spark/Dockerfile b/code-samples/serving/hello-world/helloworld-java-spark/Dockerfile index 3d31391f38..160afa346d 100644 --- a/code-samples/serving/hello-world/helloworld-java-spark/Dockerfile +++ b/code-samples/serving/hello-world/helloworld-java-spark/Dockerfile @@ -2,6 +2,10 @@ # https://hub.docker.com/_/maven FROM maven:3.5-jdk-8-alpine as builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Copy local code to the container image. WORKDIR /app COPY pom.xml . @@ -15,6 +19,10 @@ RUN mvn package -DskipTests # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds FROM openjdk:8-jre-alpine +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Copy the jar to the production image from the builder stage. COPY --from=builder /app/target/helloworld-0.0.1-SNAPSHOT-jar-with-dependencies.jar helloworld.jar 
@@ -22,6 +30,8 @@ ENV PORT 8080 EXPOSE 8080 +USER appuser + # Run the web service on container startup. CMD ["java","-jar","helloworld.jar"] diff --git a/code-samples/serving/hello-world/helloworld-java-spring/Dockerfile b/code-samples/serving/hello-world/helloworld-java-spring/Dockerfile index 35300394b6..513b5b65c0 100644 --- a/code-samples/serving/hello-world/helloworld-java-spring/Dockerfile +++ b/code-samples/serving/hello-world/helloworld-java-spring/Dockerfile @@ -1,6 +1,10 @@ # Use the official maven/Java 8 image to create a build artifact: https://hub.docker.com/_/maven FROM maven:3.5-jdk-8-alpine as builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Copy local code to the container image. WORKDIR /app COPY pom.xml . @@ -14,8 +18,14 @@ RUN mvn package -DskipTests # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds FROM openjdk:8-jre-alpine +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Copy the jar to the production image from the builder stage. COPY --from=builder /app/target/helloworld-*.jar /helloworld.jar +USER appuser + # Run the web service on container startup. CMD ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/helloworld.jar"] diff --git a/code-samples/serving/hello-world/helloworld-kotlin/Dockerfile b/code-samples/serving/hello-world/helloworld-kotlin/Dockerfile index c29fb3e8b1..56d4072da0 100644 --- a/code-samples/serving/hello-world/helloworld-kotlin/Dockerfile +++ b/code-samples/serving/hello-world/helloworld-kotlin/Dockerfile @@ -2,6 +2,10 @@ # https://hub.docker.com/_/gradle FROM gradle:6.7 as builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Copy local code to the container image. COPY build.gradle . COPY src ./src 
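Review bot: UID/GID 1000 is probably already taken in the `gradle:6.7` builder stage of helloworld-kotlin/Dockerfile. The official image creates a `gradle` account with that id (the sample's second hunk copies from `/home/gradle`), so creating `appuser` with `-u 1000` would collide even with correct flags. `node:12-slim` in helloworld-nodejs is in the same situation with its built-in `node` user. For the Node sample, `USER node` replaces both the `RUN` and `USER appuser`; for the Gradle builder the `RUN` can be removed.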
@@ -14,8 +18,14 @@ RUN gradle clean build --no-daemon # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds FROM openjdk:8-jre-alpine +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Copy the jar to the production image from the builder stage. COPY --from=builder /home/gradle/build/libs/gradle.jar /helloworld.jar +USER appuser + # Run the web service on container startup. CMD [ "java", "-jar", "-Djava.security.egd=file:/dev/./urandom", "/helloworld.jar" ] diff --git a/code-samples/serving/hello-world/helloworld-nodejs/Dockerfile b/code-samples/serving/hello-world/helloworld-nodejs/Dockerfile index 14fc5a7f4b..92822a7b04 100644 --- a/code-samples/serving/hello-world/helloworld-nodejs/Dockerfile +++ b/code-samples/serving/hello-world/helloworld-nodejs/Dockerfile @@ -2,6 +2,10 @@ # https://hub.docker.com/_/node FROM node:12-slim +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Create and change to the app directory. WORKDIR /usr/src/app @@ -16,5 +20,7 @@ RUN npm install --only=production # Copy local code to the container image. COPY . ./ +USER appuser + # Run the web service on container startup. CMD [ "npm", "start" ] diff --git a/code-samples/serving/hello-world/helloworld-php/Dockerfile b/code-samples/serving/hello-world/helloworld-php/Dockerfile index 681c9c943c..d3afec61ce 100644 --- a/code-samples/serving/hello-world/helloworld-php/Dockerfile +++ b/code-samples/serving/hello-world/helloworld-php/Dockerfile @@ -2,6 +2,12 @@ # https://hub.docker.com/_/php FROM php:7.3-apache +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + +USER appuser + # Copy local code to the container image. COPY index.php /var/www/html/ 
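Review bot: In helloworld-php/Dockerfile `USER appuser` is set before `COPY index.php /var/www/html/` and before whatever follows outside the hunk, so any later `RUN` that edits Apache configuration would execute without root and fail. `php:7.3-apache` also expects Apache to start as root and drop to `www-data` on its own; started as `appuser` it may be unable to write its runtime files or bind its configured port. If a non-root container is the goal, move `USER` to the end of the file, and confirm that Apache listens on an unprivileged port and that its run and log directories are writable by that user.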
diff --git a/code-samples/serving/hello-world/helloworld-python/Dockerfile b/code-samples/serving/hello-world/helloworld-python/Dockerfile index a84faddcbb..da44c3d640 100644 --- a/code-samples/serving/hello-world/helloworld-python/Dockerfile +++ b/code-samples/serving/hello-world/helloworld-python/Dockerfile @@ -2,6 +2,10 @@ # https://hub.docker.com/_/python FROM python:3.7-slim +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Allow statements and log messages to immediately appear in the Knative logs ENV PYTHONUNBUFFERED True @@ -13,6 +17,8 @@ COPY . ./ # Install production dependencies. RUN pip install Flask gunicorn +USER appuser + # Run the web service on container startup. Here we use the gunicorn # webserver, with one worker process and 8 threads. # For environments with multiple CPU cores, increase the number of workers diff --git a/code-samples/serving/hello-world/helloworld-ruby/Dockerfile b/code-samples/serving/hello-world/helloworld-ruby/Dockerfile index 4239794e83..52106782cf 100644 --- a/code-samples/serving/hello-world/helloworld-ruby/Dockerfile +++ b/code-samples/serving/hello-world/helloworld-ruby/Dockerfile @@ -2,6 +2,10 @@ # https://hub.docker.com/_/ruby FROM ruby:2.6-slim +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Install production dependencies. WORKDIR /usr/src/app COPY Gemfile Gemfile.lock ./ @@ -11,5 +15,7 @@ RUN gem install bundler && bundle install # Copy local code to the container image. COPY . ./ +USER appuser + # Run the web service on container startup. CMD ["ruby", "./app.rb"] diff --git a/code-samples/serving/hello-world/helloworld-scala/Dockerfile b/code-samples/serving/hello-world/helloworld-scala/Dockerfile index c73e3a2544..14406150e8 100644 --- a/code-samples/serving/hello-world/helloworld-scala/Dockerfile 
+++ b/code-samples/serving/hello-world/helloworld-scala/Dockerfile @@ -1,6 +1,10 @@ # Use an SBT image matching the Scala and JDK version. FROM hseeberger/scala-sbt:8u265_1.4.2_2.13.3 as builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Copy local code to the container image. WORKDIR /app COPY build.sbt . @@ -15,8 +19,14 @@ RUN sbt assembly # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds FROM openjdk:8-jre-alpine +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Copy the jar to the production image from the builder stage. COPY --from=builder /app/target/scala-2.13/helloworld-*.jar /helloworld.jar +USER appuser + # Run the web service on container startup. CMD ["java", "-Djava.security.egd=file:/dev/./urandom", "-jar", "/helloworld.jar"] diff --git a/code-samples/serving/hello-world/helloworld-shell/Dockerfile b/code-samples/serving/hello-world/helloworld-shell/Dockerfile index 2c6fdc768a..9fdd1bafc8 100644 --- a/code-samples/serving/hello-world/helloworld-shell/Dockerfile +++ b/code-samples/serving/hello-world/helloworld-shell/Dockerfile @@ -2,6 +2,10 @@ # https://git.busybox.net/busybox/tree/networking/httpd.c FROM busybox +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Serve from this directory WORKDIR /var/www @@ -13,5 +17,7 @@ RUN echo "::sysinit:httpd -vv -p 8080 -u daemon -h /var/www" > /etc/inittab COPY --chown=daemon:daemon script.sh cgi-bin/index.cgi RUN chmod 755 cgi-bin/index.cgi +USER appuser + # Startup init which in turn starts httpd CMD init diff --git a/code-samples/serving/knative-routing-go/Dockerfile b/code-samples/serving/knative-routing-go/Dockerfile index 2deb314781..cbc9c4326d 100644 
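Review bot: With `USER appuser` ahead of `CMD init` in helloworld-shell/Dockerfile, httpd is likely to fail at startup. The inittab entry shown in the hunk header still starts `httpd … -u daemon`, and switching to `daemon` requires root. The server was already dropping privileges through `-u daemon`, so running the whole container as `appuser` also means removing that flag from the inittab line. BusyBox `init` may behave differently when not started as root, so the sample is worth running once before merging. The `addgroup`/`adduser` syntax in the first hunk is correct for this base.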
--- a/code-samples/serving/knative-routing-go/Dockerfile +++ b/code-samples/serving/knative-routing-go/Dockerfile @@ -14,6 +14,10 @@ FROM golang AS builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + ARG TARGETOS ARG TARGETARCH @@ -24,7 +28,13 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build ./code-samples/ FROM gcr.io/distroless/base +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + EXPOSE 8080 COPY --from=builder /go/src/github.com/knative/docs/knative-routing-go /sample +USER appuser + ENTRYPOINT ["/sample"] diff --git a/code-samples/serving/kong-routing-go/Dockerfile b/code-samples/serving/kong-routing-go/Dockerfile index ee41b299f5..238c40c958 100644 --- a/code-samples/serving/kong-routing-go/Dockerfile +++ b/code-samples/serving/kong-routing-go/Dockerfile @@ -14,6 +14,10 @@ FROM golang AS builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + ARG TARGETOS ARG TARGETARCH @@ -24,7 +28,13 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build ./code-samples/ FROM gcr.io/distroless/base +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + EXPOSE 8080 COPY --from=builder /go/src/github.com/knative/docs/kong-routing-go /sample +USER appuser + ENTRYPOINT ["/sample"] diff --git a/code-samples/serving/multi-container/servingcontainer/Dockerfile b/code-samples/serving/multi-container/servingcontainer/Dockerfile index 89d9d1c6e6..de69913a23 100644 --- a/code-samples/serving/multi-container/servingcontainer/Dockerfile +++ b/code-samples/serving/multi-container/servingcontainer/Dockerfile 
@@ -3,6 +3,10 @@ # https://hub.docker.com/_/golang FROM golang:1.15 as builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + ARG TARGETOS ARG TARGETARCH @@ -25,10 +29,17 @@ RUN CGO_ENABLED=0 GOOS=linux GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -mod # https://hub.docker.com/_/alpine # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds FROM alpine:3 + +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + RUN apk add --no-cache ca-certificates # Copy the binary to the production image from the builder stage. COPY --from=builder /app/servingcontainer /servingcontainer +USER appuser + # Run the web service on container startup. CMD ["/servingcontainer"] diff --git a/code-samples/serving/multi-container/sidecarcontainer/Dockerfile b/code-samples/serving/multi-container/sidecarcontainer/Dockerfile index a26b29461d..d88bd8d97e 100644 --- a/code-samples/serving/multi-container/sidecarcontainer/Dockerfile +++ b/code-samples/serving/multi-container/sidecarcontainer/Dockerfile @@ -3,6 +3,10 @@ # https://hub.docker.com/_/golang FROM golang:1.15 as builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + ARG TARGETOS ARG TARGETARCH 
@@ -25,10 +29,17 @@ RUN CGO_ENABLED=0 GOOS=linux GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -mod # https://hub.docker.com/_/alpine # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds FROM alpine:3 + +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + RUN apk add --no-cache ca-certificates # Copy the binary to the production image from the builder stage. COPY --from=builder /app/sidecarcontainer /sidecarcontainer +USER appuser + # Run the web service on container startup. CMD ["/sidecarcontainer"] diff --git a/code-samples/serving/secrets-go/Dockerfile b/code-samples/serving/secrets-go/Dockerfile index 3f1d286ff5..3434116046 100644 --- a/code-samples/serving/secrets-go/Dockerfile +++ b/code-samples/serving/secrets-go/Dockerfile @@ -3,6 +3,10 @@ # https://hub.docker.com/_/golang FROM golang as builder +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + ARG TARGETOS ARG TARGETARCH @@ -17,11 +21,17 @@ RUN CGO_ENABLED=0 GOOS=linux GOOS=${TARGETOS} GOARCH=${TARGETARCH} go build -v - # https://docs.docker.com/develop/develop-images/multistage-build/#use-multi-stage-builds FROM alpine +# Add a user so the server will run as a non-root user. +RUN addgroup -g 1000 appuser && \ + adduser -S -u 1000 -G appuser appuser + # Enable the use of outbound https RUN apk add --no-cache ca-certificates # Copy the binary to the production image from the builder stage. COPY --from=builder /go/src/github.com/knative/docs/hellosecrets/hellosecrets /hellosecrets +USER appuser + # Run the web service on container startup. CMD ["/hellosecrets"]