From 8afecdd026789762b1204b3a05d05944ad00c4b5 Mon Sep 17 00:00:00 2001 From: Jean-Michel Crepel Date: Thu, 23 Jan 2025 17:06:54 +0100 Subject: [PATCH 1/4] make nginx not a root image --- frontend/Dockerfile | 11 +++++++++++ frontend/nginx.conf | 2 +- 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/frontend/Dockerfile b/frontend/Dockerfile index 68de181..e93b50c 100644 --- a/frontend/Dockerfile +++ b/frontend/Dockerfile @@ -19,3 +19,14 @@ ENV CUSTOM_SCRIPTS_DIRECTORY "" COPY --from=builder /app/dist /app COPY nginx.conf /etc/nginx/nginx.conf COPY ./docker-entrypoint.sh / + +## add permissions +RUN chown -R nginx:nginx /app && chmod -R 755 /app && \ + chown -R nginx:nginx /var/cache/nginx && \ + chown -R nginx:nginx /var/log/nginx && \ + chown -R nginx:nginx /etc/nginx/conf.d +RUN touch /var/run/nginx.pid && \ + chown -R nginx:nginx /var/run/nginx.pid + +## switch to non-root user +USER nginx \ No newline at end of file diff --git a/frontend/nginx.conf b/frontend/nginx.conf index 6d28d8f..610601b 100644 --- a/frontend/nginx.conf +++ b/frontend/nginx.conf @@ -1,4 +1,4 @@ -user nginx; +# user nginx; worker_processes 1; error_log /var/log/nginx/error.log warn; pid /var/run/nginx.pid; From 6f296721d8f33d020352e0e9f8b24d5477054163 Mon Sep 17 00:00:00 2001 From: Jean-Michel Crepel Date: Thu, 23 Jan 2025 18:18:02 +0100 Subject: [PATCH 2/4] make backend not a root image --- backend/Dockerfile | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/backend/Dockerfile b/backend/Dockerfile index f4579f4..f10e899 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile 
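Review bot: The `chown -R nginx:nginx /app` and `chown -R nginx:nginx /etc/nginx/conf.d` lines in the new permissions block hand the worker's own user write access to the document root and to the server configuration, which a static file server does not need and which lets a compromised worker rewrite what it serves. The built frontend only has to be readable, so keep it root-owned and replace the chown with a read-only grant, `chmod -R a+rX /app` (or `COPY --from=builder --chmod=755 /app/dist /app` on the line above the hunk), which also avoids duplicating the whole /app tree into a new layer as `RUN chown -R` does. `/var/cache/nginx`, `/var/log/nginx` and the pid file are the paths nginx actually writes, so those chowns are the right ones. If docker-entrypoint.sh (copied just above the hunk) has to write into /app or conf.d for CUSTOM_SCRIPTS_DIRECTORY, that is not visible here — confirm it, and then chown only that subdirectory rather than the whole tree.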
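Review bot: Commenting out `user nginx;` is the right move once the master process is no longer root (nginx only honours the directive when started as root and otherwise logs a warning and ignores it), but a bare `# user nginx;` leaves the next reader guessing whether it was disabled on purpose; replace it with a why-comment such as `# no 'user' directive: the container already runs as USER nginx (see Dockerfile); nginx ignores it without root privileges`. The `listen` directive lives further down this file, outside the hunk; as an unprivileged user nginx cannot bind port 80 under Kubernetes or any runtime that does not lower `net.ipv4.ip_unprivileged_port_start`, so check that it listens on a port above 1023 (e.g. `listen 8080;`) and that the Dockerfile's `EXPOSE`, if any, matches.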
@@ -1,10 +1,16 @@ FROM python:3.12-slim-bullseye AS poetry +# set fixed UID and GID - see github.com/hexops/dockerfile +ARG UID=10000 +ARG GID=10001 + +RUN addgroup --gid ${GID} appgroup +RUN adduser --uid ${UID} --disabled-password --home /app --shell /bin/sh --ingroup appgroup appuser + RUN --mount=type=cache,target=/root/.cache \ pip install poetry RUN poetry config virtualenvs.create false -RUN mkdir /app WORKDIR /app COPY pyproject.toml /app @@ -14,10 +20,15 @@ RUN --mount=type=cache,target=/root/.cache \ poetry install --no-root COPY . /app +RUN chown -R appuser:appgroup /app RUN --mount=type=cache,target=/root/.cache \ poetry install +RUN chown -R appuser:appgroup /app + +USER appuser + CMD ["serve_prod"] FROM server as check From 01b1e865ebf7b83a52b5da822ee4e88ba499b02a Mon Sep 17 00:00:00 2001 From: Jean-Michel Crepel Date: Thu, 23 Jan 2025 18:20:07 +0100 Subject: [PATCH 3/4] fix ci checks --- backend/Dockerfile | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/backend/Dockerfile b/backend/Dockerfile index f10e899..820be0b 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -32,8 +32,10 @@ USER appuser CMD ["serve_prod"] FROM server as check - +USER root RUN --mount=type=cache,target=/root/.cache \ poetry install --no-root --with check +RUN chown -R appuser:appgroup /app +USER appuser CMD ["/app/maelstro/scripts/code_check.sh"] From aefacee4b662e598da3a3a88752b3aacf70bdc42 Mon Sep 17 00:00:00 2001 From: Jean-Michel Crepel Date: Thu, 23 Jan 2025 18:30:57 +0100 Subject: [PATCH 4/4] fix ci checks remove user --- backend/Dockerfile | 2 -- 1 file changed, 2 deletions(-) diff --git a/backend/Dockerfile b/backend/Dockerfile index 820be0b..50d5498 100644 --- a/backend/Dockerfile +++ b/backend/Dockerfile @@ -36,6 +36,4 @@ USER root RUN --mount=type=cache,target=/root/.cache \ poetry install --no-root --with check -RUN chown -R appuser:appgroup /app -USER appuser CMD ["/app/maelstro/scripts/code_check.sh"]
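Review bot: The new `adduser` line gives the service account a login shell (`--shell /bin/sh`) and makes its home directory the application directory (`--home /app`), whereas the hexops/dockerfile it cites, if I recall it correctly, uses `--shell /sbin/nologin --no-create-home --gecos ""` precisely so the account cannot be used interactively. Running `serve_prod` does not depend on the account's login shell, and `docker exec ... sh` names its own command, so `--shell /usr/sbin/nologin` (the Debian path; `/bin/false` also works) is the least-privilege choice here. Because `adduser` creates `--home /app` as an appuser-owned directory, the removed `RUN mkdir /app` is silently replaced by a user-owned one — fine, but say so in the comment (`# /app is created as appuser's home; WORKDIR below reuses it`) so the deletion does not look accidental. Adding `--gecos ""` also guarantees adduser never prompts for user details in a non-interactive build.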
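Review bot: The two `RUN chown -R appuser:appgroup /app` lines, one before and one after `poetry install`, each copy the entire /app tree into a fresh layer (so the source ends up stored three times), and they make the application's own source writable by the account that runs it, which importing or running the code does not require. Replace the first with `COPY --chown=appuser:appgroup . /app`; whether the second is needed depends on whether `poetry install` writes into /app (an egg-info or .pth for an in-place install, for example) — if it does, chown only that path. Least privilege would be to leave /app root-owned and world-readable (`chmod -R a+rX /app`) and chown only the directories the service writes at runtime, if any; which those are is not visible from this hunk. Note also that `USER appuser` at the end of this stage (presumably `server`) is inherited by `FROM server as check`, which is why the later patches have to switch back to root there.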
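Review bot: After this patch the `check` stage ends with `USER root` (added in patch 3) still active, so `/app/maelstro/scripts/code_check.sh` and everything it spawns run as root, and the Dockerfile gives no reason for the exception to a series whose purpose is non-root images. Add the reason above `USER root`, e.g. `# check stage runs as root: the lint/test tooling could not run as appuser in CI; never ship this stage`, stating the actual cause — whether the tools write caches into /app or the CI mounts the source over /app with host ownership is not visible here, so fill in whichever applies. If the failure was write access, a narrower fix is to keep `USER appuser` and point the tools' cache directories at a writable path such as /tmp instead of escalating the whole stage; that should be confirmed against code_check.sh, which is outside this patch.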