From 59af9204bf6e5430c66727fba34875cc91aa4b82 Mon Sep 17 00:00:00 2001 From: Thomas Bernard Date: Wed, 30 Aug 2023 18:08:30 +0200 Subject: [PATCH] Make backend image rootless --- backend/Dockerfile | 13 +++++++++++++ docker-compose-dev.yml | 1 + 2 files changed, 14 insertions(+) diff --git a/backend/Dockerfile b/backend/Dockerfile index 07b58d52..2e880d5e 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -1,6 +1,19 @@ FROM python:3.9-slim-buster as base + WORKDIR /app +# Create a non-privileged user that the app will run under. +# See https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user +ARG UID=10001 +RUN adduser \ + --disabled-password \ + --gecos "" \ + --home "/nonexistent" \ + --shell "/sbin/nologin" \ + --no-create-home \ + --uid "${UID}" \ + appuser + # certificates config ARG CACERT_LOCATION COPY ./cert/. /etc/ssl/certs/ diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml index 914a5ba8..01846c52 100644 --- a/docker-compose-dev.yml +++ b/docker-compose-dev.yml @@ -11,6 +11,7 @@ services: context: ./backend target: ${BUILD_TARGET:-dev} container_name: basegun-backend + user: appuser environment: - PATH_LOGS=/app/logs - OS_USERNAME
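Review bot: Nothing in this hunk switches the image to the new account, so `appuser` is created but the image's default user is still root. The diffstat shows all 13 Dockerfile insertions are in this hunk, so the only enforcement this commit adds is `user: appuser` in docker-compose-dev.yml. Any other launcher (another compose file, a plain `docker run`, an orchestrator manifest) would still start the backend as root unless it sets the user itself. I would add `USER appuser` after the last step that needs root in each runnable stage, so the image is rootless by default and the compose setting is no longer load-bearing. The stages after `COPY ./cert/. /etc/ssl/certs/` are outside the hunk, so the right placement has to be checked against the rest of the file.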
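Review bot: With `user: appuser` the process can no longer write to root-owned paths, yet this service sets `PATH_LOGS=/app/logs` and `/app` is created as root by `WORKDIR /app` in the Dockerfile hunk. Unless the log directory is created and handed to the account somewhere not visible here, logging will probably fail with a permission error. Something like `RUN mkdir -p /app/logs && chown appuser /app/logs` in the image would cover it. Any bind mounts or named volumes this service declares further down the file keep their existing ownership and need the same check against UID 10001.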