From 81be7e36f62a481f105c4b23ca6a12a17e1f6cab Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20H=C3=B8ydahl?=
Date: Tue, 14 Jan 2025 17:26:37 +0100
Subject: [PATCH] [Docker] Do not run container as root (#5314)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
[Docker] Do not run container as root
Fixes #5311
Signed-off-by: Jan Høydahl
---
 build.gradle | 7 ++++---
 release/docker/Dockerfile | 8 +++++++-
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/build.gradle b/build.gradle
index 7f78c2424f..7c957ade81 100644
--- a/build.gradle
+++ b/build.gradle
@@ -350,7 +350,8 @@ coreProjects.each { coreProject ->
 def assembleTasks = collectTasksRecursively(coreProject, 'assemble')
 def publishTasks = collectTasksRecursively(coreProject, 'publish')
- // Add these tasks as dependencies of the release task
- release.dependsOn assembleTasks
- release.dependsOn publishTasks
+ // Explicitly declare release task for better gradle compatibility
+ def releaseTask = tasks.named('release').get()
+ releaseTask.dependsOn assembleTasks
+ releaseTask.dependsOn publishTasks
 }
\ No newline at end of file
diff --git a/release/docker/Dockerfile b/release/docker/Dockerfile
index dcc586dc52..4052d59909 100644
--- a/release/docker/Dockerfile
+++ b/release/docker/Dockerfile
@@ -11,9 +11,12 @@ ENV ENV_PIPELINE_FILEPATH=$PIPELINE_FILEPATH
 # Update all packages
 RUN dnf -y update
-RUN dnf -y install bash bc
+RUN dnf -y install bash bc shadow-utils
 RUN dnf -y upgrade
+# Create a dedicated user and group with specific UID/GID
+RUN useradd -u 1000 -M -U -d / -s /sbin/nologin -c "Data Prepper" data_prepper
+
 # Setup the Adoptium package repo and install Temurin Java
 ADD adoptium.repo /etc/yum.repos.d/adoptium.repo
 RUN dnf -y install temurin-17-jdk
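Review bot: `tasks.named('release').get()` realizes the `release` task on the spot, which gives up the lazy configuration that `tasks.named` exists to provide, and the lookup is repeated on every iteration of `coreProjects.each`. Configuring through the provider keeps it lazy and drops the extra local: `tasks.named('release').configure { dependsOn assembleTasks, publishTasks }`. The closure opens outside the hunk, so where `release` is registered is not visible here. This build-script change is also unrelated to the container-user change named in the subject; a sentence in the description saying why it is needed would help anyone auditing the release pipeline later.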
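Review bot: `shadow-utils` is added to the install line only so that the single `useradd` call can run, but it then stays in the runtime image; on dnf-based distributions that package typically ships setuid helpers (for example `gpasswd` and `newgrp`), which is exactly the kind of surface a non-root container wants to shed. Because each `RUN` is its own layer, removing it later would not help, so the install, the `useradd` and the removal belong in one instruction: `RUN dnf -y install shadow-utils && useradd -u 1000 -M -U -d / -s /sbin/nologin -c "Data Prepper" data_prepper && dnf -y remove shadow-utils && dnf clean all`. Confirm first that nothing else in the image depends on the package. A smaller point: `-d /` gives the account a home directory it cannot write to, so anything in the JVM or its tooling that writes under the user's home will fail; a comment stating that this is intended would save a future debugging session.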
@@ -25,5 +28,8 @@ RUN mv /usr/share/$ARCHIVE_FILE_UNPACKED /usr/share/data-prepper
 COPY default-data-prepper-config.yaml $ENV_CONFIG_FILEPATH
 COPY default-keystore.p12 /usr/share/data-prepper/keystore.p12
+RUN chown -R 1000:1000 $DATA_PREPPER_PATH /var/log/data-prepper
+USER data_prepper
+
 WORKDIR $DATA_PREPPER_PATH
 CMD ["bin/data-prepper"]
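Review bot: `chown -R 1000:1000 $DATA_PREPPER_PATH` hands the entire install tree to the runtime account, so a process compromised as `data_prepper` can rewrite the `bin/data-prepper` launcher and the libraries it starts from, and presumably the keystore copied just above if that path is the same directory. Dropping root is most useful when the application cannot modify its own code: leave the tree root-owned and give the user only what it must write, `RUN chown -R 1000:1000 /var/log/data-prepper`, adding individual subdirectories under the install path only if the service really writes there. The recursive chown in its own layer also duplicates every file of the install tree in the image. Separately, `USER data_prepper` is a name rather than a number, and Kubernetes cannot verify `runAsNonRoot` against a non-numeric image user; `USER 1000:1000` avoids that and matches the literal already used in the `chown`.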