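For reasons including hardening a Docker image, I'd like wget to be unavailable to local users. As wget is a function of /bin/busybox, removing that seems appropriate, if a little drastic, and obviously would work at run time.
However, when run either in Kubernetes or locally, RUN rm /bin/busybox results in a go stack trace.
Is there a build-time solution?
An example is: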
FROM haproxy:1.6-alpine
RUN addgroup -S haproxy && adduser -S -g haproxy haproxy
RUN rm /bin/busybox
COPY haproxy.cfg /usr/local/etc/haproxy/haproxy.cfg
Using HAProxy's default ENTRYPOINT:
#!/bin/sh
set -e

# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
    set -- haproxy "$@"
fi

if [ "$1" = 'haproxy' ]; then
    # if the user wants "haproxy", let's use "haproxy-systemd-wrapper" instead so we can have proper reloadability implemented by upstream
    shift # "haproxy"
    set -- "$(which haproxy-systemd-wrapper)" -p /run/haproxy.pid "$@"
fi

exec "$@"
Answer 0 (score: 1)
If your /bin/sh is provided by busybox, and your entrypoint uses /bin/sh, then you need to remove it only after the entrypoint.
A simpler entrypoint definition (that doesn't need a shell) might be something like:
/bin/sh
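A build-time check related to the answer above, as an added example that is not part of the original question or answer: it inspects an unpacked image root filesystem and reports whether the entrypoint script's #! interpreter resolves to busybox, in which case removing /bin/busybox breaks container start. The function names and the sample root are constructed for illustration, and the root is assumed to come from something like docker export.

```shell
# Added example: decide whether an image's entrypoint script still needs
# busybox before "RUN rm /bin/busybox" is baked into the Dockerfile.
# ROOT is an unpacked image root filesystem (assumption: e.g. from `docker export`).

# Resolve PATH inside ROOT by following symlinks by hand, so that absolute
# link targets are interpreted relative to the image and not the host.
resolve_in_root() {
    root=$1 path=$2 hops=0
    while [ -L "$root$path" ] && [ "$hops" -lt 16 ]; do
        target=$(readlink "$root$path")
        case $target in
            /*) path=$target ;;
            *)  path=$(dirname "$path")/$target ;;
        esac
        hops=$((hops + 1))
    done
    printf '%s\n' "$path"
}

# Print the interpreter named on the script's "#!" line (empty if none).
shebang_interpreter() {
    sed -n '1s/^#![[:space:]]*\([^[:space:]]*\).*/\1/p' "$1"
}

# Exit 0 if the entrypoint's interpreter resolves to busybox inside ROOT.
entrypoint_needs_busybox() {
    root=$1 script=$2
    interp=$(shebang_interpreter "$root$script")
    [ -n "$interp" ] || return 1
    [ "$(basename "$(resolve_in_root "$root" "$interp")")" = busybox ]
}

# Constructed sample root: /bin/sh is a symlink to busybox, as on Alpine.
make_sample_root() {
    root=$(mktemp -d)
    mkdir -p "$root/bin"
    : > "$root/bin/busybox"
    ln -s /bin/busybox "$root/bin/sh"
    printf '#!/bin/sh\nset -e\nexec "$@"\n' > "$root/docker-entrypoint.sh"
    printf '%s\n' "$root"
}
```

A zero exit status from entrypoint_needs_busybox means the image needs an entrypoint that does not go through a shell before busybox can be removed.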