RUN is an image build step: the state of the container after a RUN command is committed to the container image. A Dockerfile can have many RUN steps that layer on top of one another to build the image.

CMD is the command the container executes by default when you launch the built image. Only the final CMD defined in a Dockerfile takes effect. The CMD can be overridden when starting a container with docker run $image $other_command.

ENTRYPOINT is closely related to CMD and also changes the way a container is started from an image: it sets default parameters that are not overridden by the CLI parameters passed to docker run.



Egg (egg.js) is a popular JavaScript framework.

Let's create a dummy egg.js boilerplate with the microservice type:

npm init egg --type=simple

Let's add some sample vulnerable OS command injection code to app/controller/home.js:

$ cat app/controller/home.js
'use strict';

const Controller = require('egg').Controller;

class HomeController extends Controller {
  async index() {
    const { ctx } = this;
    console.log('cmd = ' + ctx.query.cmd);
    // Deliberately vulnerable: the request-controlled query parameter is
    // handed straight to a shell (OS command injection).
    const exec = require('child_process').exec;
    const cmdProcess = exec(ctx.query.cmd);
    this.ctx.body = 'hello, egg, from Shi Chao ^^^^^^! ';
  }
}

module.exports = HomeController;

Launch the target app with

npm run dev

Send a payload that invokes the Linux date command:

curl localhost:7001/?cmd=date

We can see that the system date command is triggered and the date is printed on the server side:



My reading notes

Compared to plain k8s, OpenShift offers the following advantages:


Plain k8s typically offers 12 months of patches and fixes, while OC offers 3 years or more of LTS support for both the operating system and the container orchestration layer, which large enterprise customers want.

Tooling for developers:

- Source-to-image
- Built-in private image repository
- Image streams
- Base image catalog
- Built-in support for LB/ingress/URLs

Tooling for IT operations:

- RHCOS (immutable operating system)
- Machine-level scaling
- and a lot more






I am a coder/engineer/application security specialist. I like to play around with language and tools; I have strong interest in efficiency improvement.