Update docker/substrate_builder.Dockerfile

Co-authored-by: Denis Pisarev <denis.pisarev@parity.io>
paritytech · Oct 4, 2021 · 787378b · 787378b
1 parent 48ae205
commit 787378b
Showing 1 changed file with 7 additions and 9 deletions.
diff --git a/docker/substrate_builder.Dockerfile b/docker/substrate_builder.Dockerfile
@@ -15,23 +15,21 @@ LABEL description="Multistage Docker image for Substrate: a platform for web3" \
 	io.parity.image.source="https://github.com/paritytech/polkadot/blob/${VCS_REF}/docker/substrate_builder.Dockerfile" \
 	io.parity.image.documentation="https://github.com/paritytech/polkadot/"
 
-RUN useradd -m -u 1000 -U -s /bin/sh -d /substrate substrate && \
-	mkdir -p /data /substrate/.local/share/substrate && \
-	chown -R substrate:substrate /data && \
-	ln -s /data /substrate/.local/share/substrate
-
 COPY --from=builder /substrate/target/release/substrate /usr/local/bin
 COPY --from=builder /substrate/target/release/subkey /usr/local/bin
 COPY --from=builder /substrate/target/release/node-template /usr/local/bin
 COPY --from=builder /substrate/target/release/chain-spec-builder /usr/local/bin
 
+RUN useradd -m -u 1000 -U -s /bin/sh -d /substrate substrate && \
+	mkdir -p /data /substrate/.local/share/substrate && \
+	chown -R substrate:substrate /data && \
+	ln -s /data /substrate/.local/share/substrate && \
+# unclutter and minimize the attack surface
+	rm -rf /usr/bin /usr/sbin && \
 # Sanity checks
-RUN ldd /usr/local/bin/substrate && \
+	ldd /usr/local/bin/substrate && \
 	/usr/local/bin/substrate --version
 
-# Remove whatever not required
-RUN rm -rf /usr/bin /usr/sbin
-
 USER substrate
 EXPOSE 30333 9933 9944 9615
 VOLUME ["/data"]