hosting page as root is a bad idea even in docker

.github/workflows/test_docker.yml

@@ -18,12 +18,21 @@ jobs:
 
       - name: Create certificates
         run: |
-          openssl req -x509 -newkey rsa:4096 -nodes -out app/cert.pem -keyout app/key.pem -days 1 -subj "/C=PL/ST=State/L=/O=/OU=/CN=localhost"
+          openssl req -x509 -newkey rsa:4096 -nodes -out app/cert.pem -keyout app/key.pem -days 1 -subj "/C=PL/ST=State/L=Test/O=Test/OU=Test/CN=localhost"
+
+      - name: Verify cert files
+        run: |
+          id
+          echo $PWD:
+          ls -last
+          echo $PWD/app/:
+          ls -last app
 
       - name: Build and run test web
         run: |
           IMAGE_NAME="zostaw/multiarch-home-page"
           IMAGE_TAG="latest"
+          id
           docker build -t $IMAGE_NAME:$IMAGE_TAG .
           docker compose up -d
 
@@ -34,8 +43,9 @@ jobs:
 
       - name: Verify container
         run: |
-          sleep 3
-          docker ps
+          sleep 5
+          docker container ls -a
+          docker logs home-page-home-page-1
 
       - name: Execute tests
         run: |

.gitignore

@@ -13,10 +13,10 @@ cert.pem
 key.pem
 docker_rebuild.sh
 notes.txt
-tests/log.html
-tests/output.xml
-tests/report.html
-tests/selenium-screenshot*
+robot_tests/log.html
+robot_tests/output.xml
+robot_tests/report.html
+robot_tests/selenium-screenshot*
 
 
 # below are common python ignore lists

Dockerfile

@@ -12,10 +12,6 @@ COPY requirements.txt /tmp/requirements.txt
 RUN pip install --upgrade pip
 RUN pip install --no-cache-dir -r /tmp/requirements.txt
 
-RUN mkdir ~/.ssh
-RUN echo "Host *" >> ~/.ssh/config
-RUN echo "StrictHostKeyChecking no" >> ~/.ssh/config
-
 # URL under which static (not modified by Python) files will be requested
 # They will be served by Nginx directly, without being handled by uWSGI
 ENV STATIC_URL /static
@@ -33,14 +29,16 @@ WORKDIR /app
 # Make /app/* available to be imported by Python globally to better support several use cases like Alembic migrations.
 ENV PYTHONPATH=/app
 
-# Move the base entrypoint to reuse it
-#RUN mv /entrypoint.sh /uwsgi-nginx-entrypoint.sh
-# Copy the entrypoint that will generate Nginx additional configs
-#COPY entrypoint.sh /entrypoint.sh
-#RUN chmod +x /entrypoint.sh
-
-#ENTRYPOINT ["/entrypoint.sh"]
+# Create a group and user
+ENV USER="appuser"
+ENV GROUP="appgroup"
+ENV UID="1001"
+RUN addgroup -S $GROUP
+RUN adduser --uid $UID -D $USER -S $USER -G $GROUP
 
+# Change owner of the process
+RUN chown -R $USER:$GROUP /app
+USER appuser
 # Run the start script provided by the parent image tiangolo/uwsgi-nginx.
 # It will check for an /app/prestart.sh script (e.g. for migrations)
 # And then will start Supervisor, which in turn will start Nginx and uWSGI