Use non-root users in Dockerfiles (#440)

* feat: use 'app'  user in production images

* chore: run debug containers on port 8080

* ci: use new port in docker-compose.test.yml

* fix: expose correct port

* ci: fix health check in docker-compose.test.yml

* feat: change port inthe helm chart's  values.yaml

.ci/docker-compose.test.yml

@@ -9,7 +9,7 @@ services:
     environment:
       - ASPNETCORE_ENVIRONMENT=Development
     ports:
-      - "5000:80"
+      - "5000:8080"
     depends_on:
       database:
         condition: service_started
@@ -20,7 +20,7 @@ services:
       azure-storage-emulator:
         condition: service_started
     healthcheck:
-      test: ["CMD", "wget", "http://localhost/health"]
+      test: ["CMD", "wget", "http://localhost:8080/health", "-O", "/dev/null"]
       interval: 5s
       timeout: 2s
       retries: 40
@@ -37,7 +37,7 @@ services:
     environment:
       - ASPNETCORE_ENVIRONMENT=Development
     ports:
-      - "5173:80"
+      - "5173:8080"
     depends_on:
       database:
         condition: service_started

AdminUi/src/AdminUi/Dockerfile

@@ -1,6 +1,6 @@
 FROM mcr.microsoft.com/dotnet/aspnet:8.0 AS base
 WORKDIR /app
-EXPOSE 80
+EXPOSE 8080
 
 FROM mcr.microsoft.com/dotnet/sdk:8.0 AS build
 
@@ -50,8 +50,11 @@ RUN dotnet publish /property:WarningLevel=0 /p:UseAppHost=false --no-restore --c
 
 FROM base AS final
 
-ENV ASPNETCORE_URLS=http://0.0.0.0:80
-
 WORKDIR /app
 COPY --from=publish /app/publish .
+
+ENV ASPNETCORE_URLS=http://0.0.0.0:8080
+
+USER $APP_UID
+
 ENTRYPOINT ["dotnet", "Backbone.AdminUi.dll"]

AdminUi/src/AdminUi/Dockerfile.debug

@@ -1,8 +1,8 @@
 FROM mcr.microsoft.com/dotnet/sdk:8.0
-EXPOSE 80
+EXPOSE 8080
 
 WORKDIR /app
 
-ENV ASPNETCORE_URLS=http://0.0.0.0:80
+ENV ASPNETCORE_URLS=http://0.0.0.0:8080
 
 ENTRYPOINT ["dotnet", "watch", "--non-interactive", "--project", "AdminUi/src/AdminUi/AdminUi.csproj"]

ConsumerApi/Dockerfile

@@ -9,16 +9,18 @@ RUN dotnet publish /property:WarningLevel=0 --configuration Release --output /ap
 
 # Run
 FROM mcr.microsoft.com/dotnet/aspnet:8.0-alpine3.18
-EXPOSE 80
+EXPOSE 8080
 WORKDIR /app
 
-ENV ASPNETCORE_URLS=http://0.0.0.0:80
-
 ENV Logging__Console__FormatterName=
 ENV DOTNET_SYSTEM_GLOBALIZATION_INVARIANT=0
 RUN apk add icu-libs
 COPY --from=build-env /app .
 
 LABEL org.opencontainers.image.source = "https://github.com/nmshd/backbone"
 
+ENV ASPNETCORE_URLS=http://0.0.0.0:8080
+
+USER $APP_UID
+
 ENTRYPOINT ["dotnet", "Backbone.ConsumerApi.dll"]

ConsumerApi/Dockerfile.debug

@@ -1,9 +1,9 @@
 FROM mcr.microsoft.com/dotnet/sdk:8.0
 
-EXPOSE 80
+EXPOSE 8080
 
 WORKDIR /app
 
-ENV ASPNETCORE_URLS=http://0.0.0.0:80
+ENV ASPNETCORE_URLS=http://0.0.0.0:8080
 
 ENTRYPOINT ["dotnet", "watch", "--non-interactive", "--project", "ConsumerApi/ConsumerApi.csproj"]

docker-compose/docker-compose.yml

@@ -13,7 +13,7 @@ services:
       - Modules__Synchronization__Infrastructure__BlobStorage__ConnectionInfo=${ENMESHED_BLOB_STORAGE_CONNECTION_STRING} # set this environment variable on your local system to an appropriate value (DefaultEndpointsProtocol=https;AccountName=<account-name>;AccountKey=<account-key>;EndpointSuffix=core.windows.net)
 
     ports:
-      - "8080:80"
+      - "8080:8080"
     depends_on:
       # - ms-sql-server
       - rabbitmq
@@ -102,7 +102,7 @@ services:
     environment:
       - ASPNETCORE_ENVIRONMENT=Local
     ports:
-      - "5173:80"
+      - "5173:8080"
     depends_on:
       # - ms-sql-server
       - rabbitmq

helm/values.yaml

@@ -44,7 +44,7 @@ consumerapi:
 
   service:
     type: "ClusterIP"
-    port: 80
+    port: 8080
     loadBalancer:
       # ip - the static ip address the LoadBalancer should use
       ip: ""
@@ -119,7 +119,7 @@ adminui:
 
   service:
     type: "ClusterIP"
-    port: 80
+    port: 8080
 
   image:
     repository: "ghcr.io/nmshd/backbone-admin-ui"