Update docker/substrate_builder.Dockerfile

chevdor · TriplEight · web-flow · commit c367862d7454 · 2021-10-04T16:22:39.000+02:00
Co-authored-by: Denis Pisarev &lt;denis.pisarev@parity.io&gt;
diff --git a/docker/substrate_builder.Dockerfile b/docker/substrate_builder.Dockerfile
@@ -15,23 +15,21 @@ LABEL description="Multistage Docker image for Substrate: a platform for web3" \
 	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/docker/substrate_builder.Dockerfile" \
 	io.parity.image.documentation="https://github.com/paritytech/polkadot/"
 
-RUN useradd -m -u 1000 -U -s /bin/sh -d /substrate substrate && \
-	mkdir -p /data /substrate/.local/share/substrate && \
-	chown -R substrate:substrate /data && \
-	ln -s /data /substrate/.local/share/substrate
-
 COPY --from=builder /substrate/target/release/substrate /usr/local/bin
 COPY --from=builder /substrate/target/release/subkey /usr/local/bin
 COPY --from=builder /substrate/target/release/node-template /usr/local/bin
 COPY --from=builder /substrate/target/release/chain-spec-builder /usr/local/bin
 
+RUN useradd -m -u 1000 -U -s /bin/sh -d /substrate substrate && \
+	mkdir -p /data /substrate/.local/share/substrate && \
+	chown -R substrate:substrate /data && \
+	ln -s /data /substrate/.local/share/substrate && \
+# unclutter and minimize the attack surface
+	rm -rf /usr/bin /usr/sbin && \
 # Sanity checks
-RUN ldd /usr/local/bin/substrate && \
+	ldd /usr/local/bin/substrate && \
 	/usr/local/bin/substrate --version
 
-# Remove whatever not required
-RUN rm -rf /usr/bin /usr/sbin
-
 USER substrate
 EXPOSE 30333 9933 9944 9615
 VOLUME ["/data"]
