A small proof of concept project to show how a container with tini and gosu can be set up in order to get proper signal forwarding and zombie reaping along with non-root execution of your program.
⚠️ Intended to be used as a base template for other projects!
This image is not really intended to be used directly, but rather as a template to be inspired from in case you are doing something similar. I mean, if you are investigating how to assert that the binaries downloaded really are what they claim to be, you probably want to copy this code into your own repo instead of pulling a Docker image from some random dude on the internet ;)
Nevertheless, it is possible for you to building the final image with a simple
make build
# OR
make build-alpineand then seeing how execution (with different permissions) is carried out by calling
make runIt is then up to you to take the parts necessary for your project and adapt them to your needs.
Easiest way to get a keyfile for verification like here (i.e. keeping the key included in the source code instead of downloading from a keyserver every time), you can go to http://keyserver.ubuntu.com/ and search for the key signature
tini: 595E85A6B1B4779EA4DAAEC70B588DFF0527A9B7gosu: B42F6819007F00F88E364FD4036A9C25BF357DD4
You then just download the pub entry which should yield you a .asc file
that is equal to what we have here (unless they have been revoked or similar).
To me this feels like a more robust solution that avoids calling out to a
remote system every time we build to fetch the key we need to verify the binary
we are about to download.