
Commit ddf2ca6

committed
[DOP-25348] Change image user to non-root
1 parent c1b10fb commit ddf2ca6


3 files changed

+21
-3
lines changed


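--- a/docker/Dockerfile.scheduler
+++ b/docker/Dockerfile.scheduler
@@ -14,7 +14,8 @@ ENTRYPOINT ["/app/entrypoint.sh"]
 
 FROM base AS builder
 
-RUN pip install poetry
+RUN --mount=type=cache,target=/root/.cache/pip \
+pip install poetry
 
 COPY ./pyproject.toml ./poetry.lock ./
 RUN --mount=type=cache,target=/root/.cache/pypoetry \
@@ -34,6 +35,11 @@ COPY --from=builder /app/.venv/ /app/.venv/
 COPY ./syncmaster/ /app/syncmaster/
 RUN python -m compileall -b syncmaster
 
+# Do not run production as root, to improve security.
+# Also user does not own anything inside the image, including venv and source code.
+RUN useradd syncmaster
+USER syncmaster
+
 
 FROM builder AS test
 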
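Review bot: `RUN useradd syncmaster` in the second hunk leaves the UID to whatever the base image's `useradd` allocates next, so the numeric identity can drift between builds and a runtime policy such as Kubernetes `runAsNonRoot`/`runAsUser` cannot depend on it; a fixed system account is more predictable, e.g. `RUN useradd --system --uid 10001 --no-create-home syncmaster`. Because no home directory is created (the Debian default without `-m`), `$HOME` for this user does not exist, so anything the Python runtime or `/app/entrypoint.sh` tries to write under the home directory will fail at startup — the entrypoint is outside this hunk, so I could not confirm whether it writes anywhere; if it does, give it a directory the user owns via `COPY --chown` or `WORKDIR` rather than relaxing ownership of `/app`. The identical change appears in docker/Dockerfile.server and docker/Dockerfile.worker, where the same points apply. I would also reword the second comment to state the intent rather than the side effect: `# The user deliberately owns nothing in the image (venv, source code), so the application cannot modify itself at runtime.`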
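--- a/docker/Dockerfile.server
+++ b/docker/Dockerfile.server
@@ -36,7 +36,8 @@ ENTRYPOINT ["/app/entrypoint.sh"]
 
 FROM base AS builder
 
-RUN pip install poetry
+RUN --mount=type=cache,target=/root/.cache/pip \
+pip install poetry
 
 COPY ./pyproject.toml ./poetry.lock* ./
 RUN --mount=type=cache,target=/root/.cache/pypoetry \
@@ -54,6 +55,11 @@ COPY --from=builder /app/.venv/ /app/.venv/
 COPY ./syncmaster/ /app/syncmaster/
 RUN python -m compileall -b syncmaster
 
+# Do not run production as root, to improve security.
+# Also user does not own anything inside the image, including venv and source code.
+RUN useradd syncmaster
+USER syncmaster
+
 
 FROM builder AS test
 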
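--- a/docker/Dockerfile.worker
+++ b/docker/Dockerfile.worker
@@ -29,7 +29,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 libkrb5-dev \
 && rm -rf /var/lib/apt/lists/* /var/cache/*
 
-RUN pip install poetry
+RUN --mount=type=cache,target=/root/.cache/pip \
+pip install poetry
 
 COPY ./pyproject.toml ./poetry.lock ./
 RUN --mount=type=cache,target=/root/.cache/pypoetry \
@@ -47,6 +48,11 @@ COPY --from=builder /app/.venv/ /app/.venv/
 COPY ./syncmaster/ /app/syncmaster/
 RUN python -m compileall syncmaster
 
+# Do not run production as root, to improve security.
+# Also user does not own anything inside the image, including venv and source code.
+RUN useradd syncmaster
+USER syncmaster
+
 
 FROM builder AS test
 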
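Review bot: The context line `RUN python -m compileall syncmaster` directly above the new `USER` block omits the `-b` flag that docker/Dockerfile.scheduler and docker/Dockerfile.server pass, so this image writes bytecode into `__pycache__/` while the other two write legacy `.pyc` files next to the sources. That predates this commit, but since the three Dockerfiles are being changed in lockstep it is the moment to either align them or record why the worker differs, e.g. `# worker keeps the __pycache__ layout (no -b); see Dockerfile.server for the alternative`. I could not tell from the hunk whether the difference is intentional. The non-root user point for this section is covered by my note on docker/Dockerfile.scheduler.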