
Use a non-root user in container for added security #193

Open
wants to merge 2 commits into base: master

Conversation

gheorghiuradu
Contributor

  • use a non-root user & group to run the app inside the container for improved security
  • use a high UID for compatibility with OpenShift

gheorghiuradu added 2 commits January 17, 2023 20:30
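The PR's commits are not shown on this page, so the following is an added illustration, not the project's own Dockerfile, of the two points in the description: a dedicated non-root user and group, and a high fixed UID so the image also runs under OpenShift, which assigns an arbitrary UID at runtime but always uses GID 0 as the primary group. The base image, the `/app` and `/data` paths, the `run.sh` entrypoint and the UID/GID values are assumptions for the example.

```dockerfile
# Added example, not the PR's own Dockerfile. Assumed: an Alpine base image,
# an application under /app that writes to /data, and UID/GID 10001.
FROM alpine:3.18

# A high, fixed UID/GID is unlikely to collide with host accounts and is the
# numeric non-root user OpenShift's restricted SCC expects to see in USER.
ARG APP_UID=10001
ARG APP_GID=10001

# Dedicated group and a system user: no home, no password, no login shell.
RUN addgroup -g "${APP_GID}" app \
 && adduser -u "${APP_UID}" -G app -D -H -s /sbin/nologin app

# Application files are owned by the app user, not root.
COPY --chown=${APP_UID}:${APP_GID} app/ /app/

# /data is owned by the app user but group 0 with group permissions equal to
# owner permissions, so it stays writable when OpenShift runs the container
# as an arbitrary UID whose primary group is 0.
RUN mkdir -p /data \
 && chown -R "${APP_UID}:0" /data \
 && chmod -R g=u /data
VOLUME /data

# Numeric USER so the runtime can verify non-root without resolving /etc/passwd.
USER ${APP_UID}:${APP_GID}
WORKDIR /app
ENTRYPOINT ["/app/run.sh"]
```

Two caveats for this pattern: with a host bind mount such as `-v "$PWD/data:/data"` the host directory must be writable by UID 10001 (or by its group), otherwise the process inside cannot write to it regardless of what the image sets up; and switching `USER` inside the image is complementary to, not a substitute for, running the engine rootless with podman, which maps the container's UIDs into the invoking user's namespace on the host but still runs the process as uid 0 inside the container unless the image drops to a non-root user.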
@hrj
Contributor

hrj commented Jan 18, 2023

Hi @gheorghiuradu

I am not an expert in docker. Is this to avoid data/ directory having files owned by root, when running a container with docker?

Have you considered podman as an alternative? I believe it runs docker containers in daemon-less unprivileged mode. And podman and OpenShift are both from RedHat, so they should have good compatibility.

@gheorghiuradu
Contributor Author

Hi @hrj, thanks for asking

Indeed one of the reasons is to avoid having files and folders owned by root.
OpenShift requires containers to run as non-root users. I tried to run it using the RunAs parameter on their cloud platform, but it did not work as it did not have access to the /data folder.

Also, following the principle of least required privilege, other tools like postgres or redis use their own user inside their container image.

@hrj
Contributor

hrj commented Jan 18, 2023

@gheorghiuradu Got it. Can you try using podman instead of docker? I have updated the README with instructions for podman as well. podman runs the container without privileges and without the need for a daemon. I tried it on my local machine and it worked fine.

If that works on openshift, I would prefer keeping the Dockerfile simple.
