Add non-root user to images

- Improve packages management - Improve non-root security
mjanez · Sep 14, 2023 · 770bfef · 770bfef
1 parent 4b48d64
commit 770bfef
Show file tree

Hide file tree

Showing 6 changed files with 51 additions and 9 deletions.
diff --git a/.github/workflows/docker-dev.yaml b/.github/workflows/docker-dev.yaml
@@ -62,4 +62,7 @@ jobs:
  with:
  tag: ${{ env.IMAGE_NAME }}
  path: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}
- dockerfile: ${{ env.DOCKERFILE }}
+ dockerfile: ${{ env.DOCKERFILE }}
+ hadolint-severity: none
+ dockle-severity: FATAL
+ trivy-severity: CRITICAL
diff --git a/.github/workflows/docker.yaml b/.github/workflows/docker.yaml
@@ -62,4 +62,7 @@ jobs:
  with:
  tag: ${{ env.IMAGE_NAME }}
  path: ${{ env.CONTEXT }}${{ env.DOCKERFILE_PATH }}
- dockerfile: ${{ env.DOCKERFILE }}
+ dockerfile: ${{ env.DOCKERFILE }}
+ hadolint-severity: none
+ dockle-severity: FATAL
+ trivy-severity: CRITICAL
diff --git a/ckan-pycsw/Dockerfile b/ckan-pycsw/Dockerfile
@@ -1,6 +1,11 @@
 FROM python:3.11.5-slim-bullseye
 LABEL maintainer="[email protected]"
 
+# Production non-root user
+ENV USERNAME=ckan-pycsw
+ENV USER_UID=10001
+ENV USER_GID=$USER_UID
+# ckan-pycsw envvars
 ENV APP_DIR=/app
 ENV TZ=UTC
 RUN echo ${TZ} > /etc/timezone
@@ -13,14 +18,19 @@ ENV DEV_MODE=False
 ENV TIMEOUT=300
 ENV PYCSW_CRON_DAYS_INTERVAL=2
 
-RUN apt-get -q -y update && \
- apt-get install -y wget && \
+WORKDIR ${APP_DIR}
+
+RUN groupadd --gid $USER_GID $USERNAME \
+ && useradd --uid $USER_UID --gid $USER_GID -m $USERNAME && \
+ chown -R $USERNAME:$USERNAME $APP_DIR && \
+ apt-get -q -y update && apt-get install -y \
+ wget && \
  DEBIAN_FRONTEND=noninteractive apt-get -yq install gettext-base && \
  wget -O /wait-for https://raw.githubusercontent.com/eficode/wait-for/v2.2.3/wait-for && \
  chmod +x /wait-for && \
- python3 -m pip install pdm
+ python3 -m pip install pdm && \
+ rm -rf /var/lib/apt/lists/*
 
-WORKDIR ${APP_DIR}
 COPY pyproject.toml pdm.lock ./
 
 RUN pdm install --no-self --group prod
@@ -30,5 +40,7 @@ COPY ckan2pycsw ckan2pycsw
 
 EXPOSE ${PYCSW_PORT}/TCP
 
+USER $USERNAME
+
 ENTRYPOINT ["/bin/bash", "./entrypoint.sh"]
 CMD ["tail", "-f", "/dev/null"]
diff --git a/ckan-pycsw/Dockerfile.dev b/ckan-pycsw/Dockerfile.dev
@@ -1,6 +1,11 @@
 FROM python:3.11.5-slim-bullseye
 LABEL maintainer="[email protected]"
 
+# Production non-root user
+ENV USERNAME=ckan-pycsw
+ENV USER_UID=10001
+ENV USER_GID=$USER_UID
+# ckan-pycsw envvars
 ENV APP_DIR=/app
 ENV TZ=UTC
 RUN echo ${TZ} > /etc/timezone
@@ -13,14 +18,17 @@ ENV DEV_MODE=True
 ENV PYCSW_DEV_PORT=5678
 ENV TIMEOUT=300
 
-RUN apt-get -q -y update && \
- apt-get install -y wget procps && \
+RUN apt-get -q -y update && apt-get install -y \
+ wget \
+ procps && \
  DEBIAN_FRONTEND=noninteractive apt-get -yq install gettext-base && \
  wget -O /wait-for https://raw.githubusercontent.com/eficode/wait-for/v2.2.4/wait-for && \
  chmod +x /wait-for && \
- python3 -m pip install pdm debugpy
+ python3 -m pip install pdm debugpy && \
+ rm -rf /var/lib/apt/lists/*
 
 WORKDIR ${APP_DIR}
+
 COPY pyproject.toml pdm.lock ./
 
 RUN pdm install --no-self --group prod
@@ -31,6 +39,8 @@ COPY ckan2pycsw ckan2pycsw
 EXPOSE ${PYCSW_PORT}/TCP
 EXPOSE ${PYCSW_DEV_PORT}/TCP
 
+USER $USERNAME
+
 # Set entrypoint with debugpy
 ENTRYPOINT ["/bin/bash", "-c", "python3 -m debugpy --listen 0.0.0.0:${PYCSW_DEV_PORT} --wait-for-client ./entrypoint_dev.sh"]
 CMD ["pdm", "run", "python3", "-m", "gunicorn", "pycsw.wsgi:application", "-b", "0.0.0.0:${PYCSW_PORT}"]
diff --git a/ckan-pycsw/Dockerfile.ghcr b/ckan-pycsw/Dockerfile.ghcr
@@ -1,6 +1,11 @@
 FROM ghcr.io/mjanez/ckan-pycsw:latest
 LABEL maintainer="[email protected]"
 
+# Production non-root user
+ENV USERNAME=ckan-pycsw
+ENV USER_UID=10001
+ENV USER_GID=$USER_UID
+# ckan-pycsw envvars
 ENV APP_DIR=/app
 ENV TZ=UTC
 RUN echo ${TZ} > /etc/timezone
@@ -17,4 +22,6 @@ WORKDIR ${APP_DIR}
 
 COPY ckan-pycsw/conf/pycsw.conf.template ckan-pycsw/docker-entrypoint.d/entrypoint.sh ./
 
+USER $USERNAME
+
 ENTRYPOINT ["/bin/bash", "./entrypoint.sh"]
diff --git a/ckan-pycsw/Dockerfile.ghcr.dev b/ckan-pycsw/Dockerfile.ghcr.dev
@@ -1,6 +1,11 @@
 FROM ghcr.io/mjanez/ckan-pycsw-dev:latest
 LABEL maintainer="[email protected]"
 
+# Production non-root user
+ENV USERNAME=ckan-pycsw
+ENV USER_UID=10001
+ENV USER_GID=$USER_UID
+# ckan-pycsw envvars
 ENV APP_DIR=/app
 ENV TZ=UTC
 RUN echo ${TZ} > /etc/timezone
@@ -20,6 +25,8 @@ COPY ckan-pycsw/conf/pycsw.conf.template ckan-pycsw/docker-entrypoint.d/entrypoi
 EXPOSE ${PYCSW_PORT}/TCP
 EXPOSE ${PYCSW_DEV_PORT}/TCP
 
+USER $USERNAME
+
 # Set entrypoint with debugpy
 ENTRYPOINT ["/bin/bash", "-c", "python3 -m debugpy --listen 0.0.0.0:${PYCSW_DEV_PORT} --wait-for-client ./entrypoint_dev.sh"]
 CMD ["pdm", "run", "python3", "-m", "gunicorn", "pycsw.wsgi:application", "-b", "0.0.0.0:${PYCSW_PORT}"]