From a28d1a3b293efb3d034b0d55a75b9735d0e5d46f Mon Sep 17 00:00:00 2001
From: Matthew Feickert
Date: Wed, 5 Jul 2023 12:00:12 -0500
Subject: [PATCH] feat: Use non-root default user for Docker image (#2243)

* Add non-root default user 'moby' with uid 1000 that owns the Python virtual environment.
  - Set default working directory to /home/moby/work/.
* Add .dockerignore for local builds.
---
 .dockerignore     |  2 ++
 docker/Dockerfile | 35 +++++++++++++++++++++++++++++++++--
 2 files changed, 35 insertions(+), 2 deletions(-)
 create mode 100644 .dockerignore

diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000000..37269f7472
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,2 @@
+.nox
+.*cache
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 93b4751711..50c2f31e95 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -16,16 +16,47 @@ RUN apt-get -qq -y update && \
     python -m venv /usr/local/venv && \
     cd /code && \
     python -m pip --no-cache-dir install --upgrade pip setuptools wheel && \
-    python -m pip --no-cache-dir install .[xmlio,contrib] && \
+    python -m pip --no-cache-dir install '.[xmlio,contrib]' && \
     python -m pip list
 
 FROM base
+
+USER root
+
+SHELL [ "/bin/bash", "-c" ]
 ENV PATH=/usr/local/venv/bin:"${PATH}"
+
 RUN apt-get -qq -y update && \
     apt-get -qq -y install --no-install-recommends \
     curl && \
     apt-get -y autoclean && \
     apt-get -y autoremove && \
     rm -rf /var/lib/apt/lists/*
-COPY --from=builder /usr/local/venv /usr/local/venv
+
+# Create non-root user "moby" with uid 1000
+RUN adduser \
+    --shell /bin/bash \
+    --gecos "default user" \
+    --uid 1000 \
+    --disabled-password \
+    moby && \
+    chown -R moby /home/moby && \
+    mkdir /work && \
+    chown -R moby /work && \
+    echo -e "\nexport PATH=/usr/local/venv/bin:${PATH}\n" >> /home/moby/.bashrc
+
+COPY --from=builder --chown=moby /usr/local/venv /usr/local/venv/
+
+USER moby
+
+ENV USER ${USER}
+ENV HOME /home/moby
+WORKDIR ${HOME}/work
+
+# Use C.UTF-8 locale to avoid issues with ASCII encoding
+ENV LC_ALL=C.UTF-8
+ENV LANG=C.UTF-8
+
+ENV PATH=${HOME}/.local/bin:${PATH}
+
 ENTRYPOINT ["/usr/local/venv/bin/pyhf"]
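Review bot: The `RUN adduser …` step creates and chowns `/work`, but the stage's `WORKDIR ${HOME}/work` resolves to `/home/moby/work`, which that step never creates; the builder creates it implicitly, and on builders that create WORKDIR paths as root the default working directory ends up not writable by `moby` while the prepared `/work` goes unused. Replacing `mkdir /work && chown -R moby /work` with `mkdir -p /home/moby/work && chown -R moby /home/moby` (running the chown after the mkdir) makes the intended directory exist with the intended owner before `USER moby`. Separately, `ENV USER ${USER}` can only expand from an `ENV` or `ARG` named USER declared earlier in the Dockerfile, and none is visible in this hunk, so it likely sets USER to the empty string; `ENV USER=moby` and `ENV HOME=/home/moby` state the intent and use the `key=value` form that the LegacyKeyValueFormat build check expects. The first 15 lines of the file, including the `base` stage this one builds on, are outside the hunk.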