From dab46eacfed815d5cc9e6c6a7d6f7b41d1533b86 Mon Sep 17 00:00:00 2001
From: Liyang Wang
Date: Fri, 14 Oct 2022 15:12:41 -0400
Subject: [PATCH] feat(dockerfile): make docker image run as non root user by default (#12)

---
 backwork/Dockerfile | 48 +++++++++++++++++++++++++++------------------
 1 file changed, 29 insertions(+), 19 deletions(-)

diff --git a/backwork/Dockerfile b/backwork/Dockerfile
index 756f5ea..4990317 100644
--- a/backwork/Dockerfile
+++ b/backwork/Dockerfile
@@ -5,24 +5,24 @@ LABEL maintainer="leonsp@ca.ibm.com"
 # Apply security patches
 # hadolint ignore=DL3018
 RUN echo 'http://dl-3.alpinelinux.org/alpine/edge/community' >> /etc/apk/repositories \
- && echo 'http://dl-3.alpinelinux.org/alpine/edge/main' >> /etc/apk/repositories \
- && apk add --no-cache \
- bash \
- curl \
- libressl \
- mariadb-client \
- mongodb-tools \
- mysql \
- postgresql \
- tini \
- && apk add --upgrade --no-cache \
- db \
- expat \
- freetype \
- fontconfig \
- libpng \
- ncurses \
- zlib
+ && echo 'http://dl-3.alpinelinux.org/alpine/edge/main' >> /etc/apk/repositories \
+ && apk add --no-cache \
+ bash \
+ curl \
+ libressl \
+ mariadb-client \
+ mongodb-tools \
+ mysql \
+ postgresql \
+ tini \
+ && apk add --upgrade --no-cache \
+ db \
+ expat \
+ freetype \
+ fontconfig \
+ libpng \
+ ncurses \
+ zlib
 # RUN curl -sL https://sentry.io/get-cli/ | bash
@@ -35,7 +35,17 @@ RUN python -m pip install --upgrade pip
 RUN pip install setuptools==57.5.0
 RUN pip install -r ./requirements.txt
-COPY ./docker-entrypoint.sh /
+# install sudo as root
+RUN apk add --no-cache --update sudo
+
+# add new user
+RUN adduser -D myapp \
+ && echo "myapp ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/myapp \
+ && chmod 0440 /etc/sudoers.d/myapp
+
+COPY --chown=myapp ./docker-entrypoint.sh /
+RUN mkdir /backups && chown myapp /backups
+USER myapp
 VOLUME ["/backups"]
 ENTRYPOINT ["/sbin/tini", "--"]
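Review bot: The sudoers rule `myapp ALL=(ALL) NOPASSWD: ALL` written in the `RUN adduser` step of the second hunk grants the new user passwordless root, so the closing `USER myapp` does not reduce privilege in practice — anything executing as myapp can become uid 0 without a credential, and the image now ships a setuid sudo binary it did not have before. Nothing on the new side needs root after the switch: `/backups` is created and chowned and the entrypoint is copied with `--chown` before `USER myapp`. Unless docker-entrypoint.sh (outside this hunk) depends on sudo, drop the `RUN apk add --no-cache --update sudo` layer and the two sudoers lines so the step is just `RUN adduser -D myapp`, and move any remaining root-only work into a RUN placed before `USER`. Giving the account a fixed numeric id, e.g. `RUN adduser -D -u 10001 myapp`, would additionally let runtimes that enforce non-root verify it. The first hunk is a whitespace-only re-indentation and needs no change.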