target allocator don't run as root (#3385)

open-telemetry · Oct 23, 2024 · 22e8c06 · 22e8c06
1 parent f374ea3
commit 22e8c06
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/.chloggen/ta-no-root.yaml b/.chloggen/ta-no-root.yaml
@@ -0,0 +1,16 @@
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: bug_fix
+
+# The name of the component, or a single word describing the area of concern, (e.g. collector, target allocator, auto-instrumentation, opamp, github action)
+component: target allocator
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Change docker image to run as non-root
+
+# One or more tracking issues related to the change
+issues: [3378]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
diff --git a/cmd/otel-allocator/Dockerfile b/cmd/otel-allocator/Dockerfile
@@ -1,5 +1,5 @@
 # Get CA certificates from the Alpine package repo
-FROM alpine:3.20 as certificates
+FROM alpine:3.20 AS certificates
 
 RUN apk --no-cache add ca-certificates
 
@@ -8,12 +8,14 @@ FROM scratch
 
 ARG TARGETARCH
 
-WORKDIR /root/
+WORKDIR /
 
 # Copy the certs
 COPY --from=certificates /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 
 # Copy binary built on the host
 COPY bin/targetallocator_${TARGETARCH} ./main
 
+USER 65532:65532
+
 ENTRYPOINT ["./main"]