Merge pull request #1275 from CDCgov/dockerfile-user

Low Privilege User for Running the Application Take 2
CDCgov · Aug 27, 2024 · a8dd8a1 · a8dd8a1
2 parents 727d128 + f46bff3
commit a8dd8a1
Showing 1 changed file with 14 additions and 10 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,18 +1,22 @@
-# Use Linux-Alpine image
 FROM amazoncorretto:17.0.12-alpine
 
-RUN apk -U upgrade
+# Uppdate dependencies and clear the dependency cache.
+RUN apk update && apk -U upgrade && rm -rf /var/cache/apk/*
 
-ARG JAR_LIB_FILE=./app/build/libs/app-all.jar
+# Create and use a lower permission (non-root) user.
+RUN adduser -S myLowPrivilegeUser
+USER myLowPrivilegeUser
 
-# Create directory and switch to it
-WORKDIR /app
+# Set the workdir to a location that the running application can write to
+# which is in the myLowPrivilegeUser home folder because we are running as that user instead of root.
+WORKDIR /home/myLowPrivilegeUser/app/
 
-# Add application JAR to created folder
-COPY ${JAR_LIB_FILE} app.jar
+# Copy the jar file into /usr/local/bin/ because it seemingly needs to go to a location that any user can access.
+# If we put the jar file into the myLowPrivilegeUser's home directly, the container fails to run in Azure.
+COPY --chown=myLowPrivilegeUser ./app/build/libs/app-all.jar /usr/local/bin/app.jar
 
-# Run the api
-CMD ["java", "-jar", "app.jar"]
+# Run the service.
+CMD ["java", "-jar", "/usr/local/bin/app.jar"]
 
-# Use port 8080
+# Inform Docker that this container listens on the specified port.
 EXPOSE 8080