[Docker] Do not run container as root (#5314)

[Docker] Do not run container as root Fixes #5311 Signed-off-by: Jan Høydahl <[email protected]>
opensearch-project · Jan 14, 2025 · 81be7e3 · 81be7e3
1 parent c614f95
commit 81be7e3
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 4 deletions.
diff --git a/build.gradle b/build.gradle
@@ -350,7 +350,8 @@ coreProjects.each { coreProject ->
     def assembleTasks = collectTasksRecursively(coreProject, 'assemble')
     def publishTasks = collectTasksRecursively(coreProject, 'publish')
 
-    // Add these tasks as dependencies of the release task
-    release.dependsOn assembleTasks
-    release.dependsOn publishTasks
+    // Explicitly declare release task for better gradle compatibility
+    def releaseTask = tasks.named('release').get()
+    releaseTask.dependsOn assembleTasks
+    releaseTask.dependsOn publishTasks
 }
diff --git a/release/docker/Dockerfile b/release/docker/Dockerfile
@@ -11,9 +11,12 @@ ENV ENV_PIPELINE_FILEPATH=$PIPELINE_FILEPATH
 
 # Update all packages
 RUN dnf -y update
-RUN dnf -y install bash bc
+RUN dnf -y install bash bc shadow-utils
 RUN dnf -y upgrade
 
+# Create a dedicated user and group with specific UID/GID
+RUN useradd -u 1000 -M -U -d / -s /sbin/nologin -c "Data Prepper" data_prepper
+
 # Setup the Adoptium package repo and install Temurin Java
 ADD adoptium.repo /etc/yum.repos.d/adoptium.repo
 RUN dnf -y install temurin-17-jdk
@@ -25,5 +28,8 @@ RUN mv /usr/share/$ARCHIVE_FILE_UNPACKED /usr/share/data-prepper
 COPY default-data-prepper-config.yaml $ENV_CONFIG_FILEPATH
 COPY default-keystore.p12 /usr/share/data-prepper/keystore.p12
 
+RUN chown -R 1000:1000 $DATA_PREPPER_PATH /var/log/data-prepper
+USER data_prepper
+
 WORKDIR $DATA_PREPPER_PATH
 CMD ["bin/data-prepper"]