From 86176ff770eb2efbae0bb2d84cc56b533d910118 Mon Sep 17 00:00:00 2001
From: Mathias
Date: Thu, 25 Jun 2020 17:51:29 +0200
Subject: [PATCH] GUACAMOLE-1110: Shrinks container footprint, higher security and reliability check
Dockage image size will reduced by install only package dependencies (without recommendations). The guacd process runs as a non-privileged user and will be checked by netcat.
---
 Dockerfile | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 83bce0fb..c5e2edb8 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -90,6 +90,7 @@ ENV LD_LIBRARY_PATH=${PREFIX_DIR}/lib
 ENV GUACD_LOG_LEVEL=info
 ARG RUNTIME_DEPENDENCIES=" \
+ netcat-openbsd \
 ca-certificates \
 ghostscript \
 fonts-liberation \
@@ -100,15 +101,21 @@ ARG RUNTIME_DEPENDENCIES=" \
 COPY --from=builder ${PREFIX_DIR} ${PREFIX_DIR}
 # Bring runtime environment up to date and install runtime dependencies
-RUN apt-get update && \
- apt-get install -y $RUNTIME_DEPENDENCIES && \
- apt-get install -y $(cat "${PREFIX_DIR}"/DEPENDENCIES) && \
+RUN apt-get update && \
+ apt-get install -y --no-install-recommends $RUNTIME_DEPENDENCIES && \
+ apt-get install -y --no-install-recommends $(cat "${PREFIX_DIR}"/DEPENDENCIES) && \
 rm -rf /var/lib/apt/lists/*
 # Link FreeRDP plugins into proper path
 RUN ${PREFIX_DIR}/bin/link-freerdp-plugins.sh \
 ${PREFIX_DIR}/lib/freerdp2/libguac*.so
+# Checks the operating status every 5 minutes with a timeout of 5 seconds
+HEALTHCHECK --interval=5m --timeout=5s CMD nc -z 127.0.0.1 4822 || exit 1
+
+# Run with user nobody
+USER nobody
+
 # Expose the default listener port
 EXPOSE 4822
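Review bot: `netcat-openbsd` is added to `RUNTIME_DEPENDENCIES` only so the `HEALTHCHECK` in the second hunk can run `nc -z`, which leaves a general-purpose network client in the production image for a single loopback probe. Fewer tools in the runtime stage means less for a compromised guacd process to work with, so it is worth checking whether the probe can use something already in the image. If the base image ships bash (the `FROM` line is outside this hunk), `HEALTHCHECK --interval=5m --timeout=5s CMD ["bash", "-c", "exec 3<>/dev/tcp/127.0.0.1/4822"]` performs the same check without the extra package. If netcat stays, a comment above the `ARG` such as `# netcat-openbsd is needed only by HEALTHCHECK` would keep it from looking like an accidental leftover; the `ARG` string itself continues past the end of this hunk.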
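Review bot: `USER nobody` near the end of the second hunk runs guacd under the shared `nobody` account, so the daemon shares a UID with any other process or mounted file mapped to that account, and runtimes that check for non-root by numeric UID cannot verify a user given by name. A dedicated account with a fixed UID is the safer form, for example `RUN useradd --system --uid 10001 --user-group --shell /usr/sbin/nologin guacd` followed by `USER 10001` (the UID is an example value). On Debian-based images `nobody` also has no writable home directory; whether guacd or the FreeRDP plugins need one is not visible here and should be tested before merging. On the `HEALTHCHECK` line, `--interval=5m` with Docker's default of three retries means a dead listener is reported only after roughly fifteen minutes, and port 4822 is hard-coded although the listener arguments are set outside this hunk.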