Update dockerfile to use a rootless user

rootstrap · Sep 25, 2024 · 254e743 · 254e743
1 parent e505e32
commit 254e743
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 9 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -61,19 +61,32 @@ RUN apt-get update -qq && \
     apt-get install --no-install-recommends -y curl libpq-dev libvips libjemalloc2 && \
     apt-get clean
 
+ENV USERNAME rails_api_base
+ENV USER_UID 1000
+ENV USER_GID 1000
+
+# Create a rootless user.
+RUN groupadd --gid $USER_GID $USERNAME && \
+    useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+
 # Create app directory.
-RUN mkdir -p $APP_HOME
+RUN mkdir -p $APP_HOME && chown -R $USERNAME:$USERNAME $APP_HOME && chmod -R 700 $APP_HOME
+
+# Change to the rootless user.
+USER $USERNAME
 
 # Setup work directory.
 WORKDIR $APP_HOME
 
 # Copy everything from the builder image
-COPY --link . .
-COPY --from=builder $APP_HOME/public/ $APP_HOME/public/
-COPY --from=builder $APP_HOME/tmp/ $APP_HOME/tmp/
-COPY --from=builder $APP_HOME/vendor/ $APP_HOME/vendor/
+COPY --link --chown=$USERNAME:$USERNAME --chmod=700 . .
+COPY --from=builder --chown=$USERNAME:$USERNAME --chmod=700 $APP_HOME/public/ $APP_HOME/public/
+COPY --from=builder --chown=$USERNAME:$USERNAME --chmod=700 $APP_HOME/tmp/ $APP_HOME/tmp/
+COPY --from=builder --chown=$USERNAME:$USERNAME --chmod=700 $APP_HOME/vendor/ $APP_HOME/vendor/
 
+USER root
 RUN ln -s /usr/lib/*-linux-gnu/libjemalloc.so.2 /usr/lib/libjemalloc.so.2
+USER $USERNAME
 
 # Deployment options
 ENV RAILS_LOG_TO_STDOUT true

diff --git a/Dockerfile.dev b/Dockerfile.dev
@@ -21,22 +21,33 @@ ENV WORK_ROOT /src
 ENV APP_HOME $WORK_ROOT/app/
 ENV LANG C.UTF-8
 
+ENV USERNAME rails_api_base
+ENV USER_UID 1000
+ENV USER_GID 1000
+
+# Create a rootless user.
+RUN groupadd --gid $USER_GID $USERNAME && \
+    useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+
 # Create app directory.
-RUN mkdir -p $APP_HOME
+RUN mkdir -p $APP_HOME && chown -R $USERNAME:$USERNAME $APP_HOME && chmod -R 700 $APP_HOME
+
+# Change to the rootless user.
+USER $USERNAME
 
 # Setup work directory.
 WORKDIR $APP_HOME
 
 RUN gem install foreman bundler
 
 # Copy dependencies files and install libraries.
-COPY --link package.json yarn.lock ./
+COPY --link --chown=$USERNAME:$USERNAME --chmod=700 package.json yarn.lock ./
 RUN yarn install --frozen-lockfile
 
-COPY --link Gemfile Gemfile.lock ./
+COPY --link --chown=$USERNAME:$USERNAME --chmod=700 Gemfile Gemfile.lock ./
 RUN bundle install -j 4
 
-COPY --link . .
+COPY --link --chown=$USERNAME:$USERNAME --chmod=700 . .
 
 RUN yarn build