Use secret seed for internal database passwords
Getting root-only read permissions into the Postgres image would
be tricky because of the way its init scripts work. But it isn't
exposed to the outside anyway.
diff --git a/keycloak/docker/Dockerfile b/keycloak/docker/Dockerfile
index 84c07dd..e38782f 100644
--- a/keycloak/docker/Dockerfile
+++ b/keycloak/docker/Dockerfile
@@ -14,14 +14,19 @@
RUN /opt/keycloak/bin/kc.sh build
+FROM registry.access.redhat.com/ubi9 AS ubi-micro-build
+RUN dnf install --releasever 9 --setopt install_weak_deps=false --nodocs -y util-linux
+
+
FROM quay.io/keycloak/keycloak:${KC_TAG}
COPY --from=builder /opt/keycloak/ /opt/keycloak/
+COPY --from=ubi-micro-build /usr/lib64/libcap-ng.so.0* /usr/lib64/
+COPY --from=ubi-micro-build /usr/bin/setpriv /usr/bin
USER root
COPY entrypoint /sa-entrypoint
RUN chmod 544 /sa-entrypoint
-USER keycloak
ENTRYPOINT ["/bin/sh", "/sa-entrypoint"]
CMD ["start", "--optimized"]
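Review bot: With `USER keycloak` removed and `USER root` still in effect at the end of the final stage, the container now starts as root, and the only privilege drop is whatever `/sa-entrypoint` does, which is not visible in this hunk. Presumably the script reads the secret seed as root and then hands over through the copied `setpriv`; if so, its last command should be of the form `exec setpriv --reuid=keycloak --regid=<keycloak-gid> --init-groups --inh-caps=-all --no-new-privs /opt/keycloak/bin/kc.sh "$@"`, so Keycloak never runs with root's uid or capabilities. A comment above `ENTRYPOINT`, such as `# Starts as root only to read the secret seed; /sa-entrypoint must drop to keycloak via setpriv`, would keep a later edit from removing that guarantee unnoticed. Separately, `FROM registry.access.redhat.com/ubi9` has no tag or digest, so the `setpriv` and `libcap-ng` binaries copied into the runtime image can change between builds and drift from the Keycloak base; pin it as `FROM registry.access.redhat.com/ubi9:<tag>@sha256:<digest>`. The builder stage begins above this hunk.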