From 85dbac4f36baef7544001ac04c653a2d7b78d931 Mon Sep 17 00:00:00 2001
From: Szajerski Krzysztof
Date: Tue, 1 Sep 2020 18:35:13 +0200
Subject: [PATCH] Avoid granting Linux capabilities
---
 Makefile | 2 +-
 docker/payment/Dockerfile | 24 ++++++++++++++++++++----
 docker/payment/Dockerfile-release | 18 ++++++++----------
 scripts/build.sh | 2 +-
 test/container.py | 11 ++++++++---
 5 files changed, 38 insertions(+), 19 deletions(-)
diff --git a/Makefile b/Makefile
index 9f1816d..d9ff4e3 100644
--- a/Makefile
+++ b/Makefile
@@ -7,7 +7,7 @@ default: test
 copy:
 docker create --name $(INSTANCE) $(NAME)-dev
- docker cp $(INSTANCE):/app/main $(shell pwd)/app
+ docker cp $(INSTANCE):/app $(shell pwd)/app
 docker rm $(INSTANCE)
 release:
diff --git a/docker/payment/Dockerfile b/docker/payment/Dockerfile
index 4a05cbd..3bad00a 100644
--- a/docker/payment/Dockerfile
+++ b/docker/payment/Dockerfile
@@ -1,13 +1,29 @@
 FROM golang:1.7
-RUN mkdir /app
 COPY . /go/src/github.com/microservices-demo/payment/
 RUN go get -u github.com/FiloSottile/gvt
 RUN cd /go/src/github.com/microservices-demo/payment/ && gvt restore
-RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o /app/main github.com/microservices-demo/payment/cmd/paymentsvc
+RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o /app github.com/microservices-demo/payment/cmd/paymentsvc
-CMD ["/app/main", "-port=80"]
+FROM alpine:3.4
-#EXPOSE 80
+WORKDIR /
+COPY --from=0 /app /app
+
+ENV SERVICE_USER=myuser \
+ SERVICE_UID=10001 \
+ SERVICE_GROUP=mygroup \
+ SERVICE_GID=10001
+
+RUN addgroup -g ${SERVICE_GID} ${SERVICE_GROUP} && \
+ adduser -g "${SERVICE_NAME} user" -D -H -G ${SERVICE_GROUP} -s /sbin/nologin -u ${SERVICE_UID} ${SERVICE_USER} && \
+ chmod +x /app && \
+ chown -R ${SERVICE_USER}:${SERVICE_GROUP} /app
+
+USER ${SERVICE_USER}
+
+CMD ["/app", "-port=8080"]
+
+EXPOSE 8080
diff --git a/docker/payment/Dockerfile-release b/docker/payment/Dockerfile-release
index 9745e27..dca61a7 100644
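Review bot: The new `adduser -g "${SERVICE_NAME} user" ...` line in the alpine stage expands a variable that the ENV block above it never sets (it defines SERVICE_USER, SERVICE_UID, SERVICE_GROUP and SERVICE_GID), so the account's comment field is just " user"; `-g "${SERVICE_USER} user"` or adding `SERVICE_NAME=payment` to the ENV block would fix it, and the same line is pre-existing context in the Dockerfile-release hunk. The `chown -R ${SERVICE_USER}:${SERVICE_GROUP} /app` that follows makes the only executable in the image writable by the account that runs it, so a compromised process could replace its own binary; the service needs only read and execute access, which root ownership plus `chmod 0755 /app` already gives, making the chown unnecessary. The Dockerfile-release hunk keeps the same chown line and the point applies there too. Neither file records why the port moved from 80 to 8080; a comment such as `# unprivileged port: no CAP_NET_BIND_SERVICE (setcap) needed to bind` above the CMD would preserve the intent stated in the commit title.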
--- a/docker/payment/Dockerfile-release
+++ b/docker/payment/Dockerfile-release
@@ -1,5 +1,8 @@
 FROM alpine:3.4
+WORKDIR /
+COPY app /
+
 ENV SERVICE_USER=myuser \
 SERVICE_UID=10001 \
 SERVICE_GROUP=mygroup \
@@ -7,16 +10,11 @@ ENV SERVICE_USER=myuser \
 RUN addgroup -g ${SERVICE_GID} ${SERVICE_GROUP} && \
 adduser -g "${SERVICE_NAME} user" -D -H -G ${SERVICE_GROUP} -s /sbin/nologin -u ${SERVICE_UID} ${SERVICE_USER} && \
- apk add --update libcap
-
-WORKDIR /
-EXPOSE 80
-COPY app /
-
-RUN chmod +x /app && \
- chown -R ${SERVICE_USER}:${SERVICE_GROUP} /app && \
- setcap 'cap_net_bind_service=+ep' /app
+ chmod +x /app && \
+ chown -R ${SERVICE_USER}:${SERVICE_GROUP} /app
 USER ${SERVICE_USER}
-CMD ["/app", "-port=80"]
+CMD ["/app", "-port=8080"]
+
+EXPOSE 8080
diff --git a/scripts/build.sh b/scripts/build.sh
index beae1a3..8a530a2 100755
--- a/scripts/build.sh
+++ b/scripts/build.sh
@@ -30,6 +30,6 @@ REPO=${GROUP}/$(basename payment);
 $DOCKER_CMD build -t ${REPO}-dev -f $CODE_DIR/docker/payment/Dockerfile $CODE_DIR/docker/payment;
 $DOCKER_CMD create --name payment ${REPO}-dev;
-$DOCKER_CMD cp payment:/app/main $CODE_DIR/docker/payment/app;
+$DOCKER_CMD cp payment:/app $CODE_DIR/docker/payment/app;
 $DOCKER_CMD rm payment;
 $DOCKER_CMD build -t ${REPO}:${COMMIT} -f $CODE_DIR/docker/payment/Dockerfile-release $CODE_DIR/docker/payment;
diff --git a/test/container.py b/test/container.py
index d1beb60..fc339f7 100644
--- a/test/container.py
+++ b/test/container.py
@@ -11,6 +11,8 @@ class PaymentContainerTest(unittest.TestCase):
 TAG = "latest"
+ PORT = "8080"
+
 container_name = Docker().random_container_name('payment')
 def __init__(self, methodName='runTest'):
@@ -22,7 +24,8 @@ def setUp(self):
 '-d',
 '--name', PaymentContainerTest.container_name,
 '-h', 'payment',
- 'weaveworksdemos/payment-dev:' + self.TAG]
+ 'weaveworksdemos/payment-dev:' + self.TAG,
+ '/app', '-port=' + PaymentContainerTest.PORT]
 Docker().execute(command)
 self.ip = Docker().get_container_ip(PaymentContainerTest.container_name)
@@ -31,14 +34,16 @@ def tearDown(self):
 def test_api_validated(self):
 limit = 30
- while Api().noResponse('http://' + self.ip + ':80/payments/'):
+ url = f'http://{self.ip}:{PaymentContainerTest.PORT}/'
+
+ while Api().noResponse(url + 'payments/'):
 if limit == 0:
 self.fail("Couldn't get the API running")
 limit = limit - 1
 sleep(1)
 out = Dredd().test_against_endpoint("payment",
- 'http://' + self.ip + ':80/',
+ url,
 links=[self.container_name],
 dump_streams=True)
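Review bot: The added `'/app', '-port=' + PaymentContainerTest.PORT` arguments override the image's CMD, which the Dockerfile hunk in this same patch already sets to `["/app", "-port=8080"]`, so the listening port is now encoded in both Dockerfiles and in this test and will drift if one of them changes. If the intent is to exercise the image as shipped, dropping the two arguments and keeping PORT only for the URL is simpler; if the intent is to pin the port independently of the image, a one-line comment stating that would make the duplication deliberate. The hard-coded `/app` also couples the test to the binary's location inside the image. The `command` list that these lines belong to starts before the first line of this hunk.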
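Review bot: The new `url = f'http://{self.ip}:{PaymentContainerTest.PORT}/'` line mixes styles with the rest of the hunk, which still builds the path by concatenation (`url + 'payments/'`), and reads the class attribute as `PaymentContainerTest.PORT` where the setUp hunk above reads its sibling as `self.TAG`; `self.PORT` together with `f'{url}payments/'` would be consistent. The f-string also makes this test module require Python 3.6 or newer, and nothing visible in the diff states which interpreter runs the tests, so that is worth confirming if it is not already pinned. test_api_validated may continue past the last line of this hunk.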