Security hardening of image

[janhoy]

We already run Cantaloupe as non-root user, but it has become more common for K8S environements to also require a more tight securityContext such as this one:

          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL

The runAsNonRoot setting requires a numeric USER directive, i.e. USER 101.

The readOnlyRootFilesystem is a bit hard to fix in a downstream Dockerfile today as the docker-entrypoint.sh script writes to several locations, re-packages logback.xml into war file etc. Some rewrite of entrypoint script and perhaps loading logback config from a different location than inside war is needed here. Also documenting what image paths needs writing to so users can mount up volmes for those (ideally only one?)

[ksclarke]

Changing USER cantaloupe to USER 101 sounds simple enough if you want to submit a PR for that.

The other sounds like a good idea, but one we won't get to in the near term. I've wanted to do something different in our docker-entrypoint for awhile, but it's not been a priority. We'd be willing to see PRs with other solutions, but that's a lower priority for us at this time.