Run containers as non-root

SUSE · Feb 22, 2023 · 98d0568 · 98d0568
1 parent f4b2d6b
commit 98d0568
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -28,5 +28,8 @@ VOLUME /pcw/db
 
 EXPOSE 8000/tcp
 
+RUN useradd --no-create-home --uid 1777 --user-group --shell /bin/false pcw && chown -R pcw:pcw /pcw
+USER pcw
+
 # Once we are certain that this runs nicely, replace this with ENTRYPOINT.
 CMD ["/pcw/container-startup", "run"]
diff --git a/Dockerfile_dev b/Dockerfile_dev
@@ -14,4 +14,7 @@ RUN zypper -n in python310-devel gcc libffi-devel aws-cli && pip install --no-ca
 
 WORKDIR /pcw
 
+RUN useradd --no-create-home --uid 1777 --user-group --shell /bin/false pcw && chown -R pcw:pcw /pcw
+USER pcw
+
 ENTRYPOINT ["sh", "-c"]
diff --git a/Dockerfile_k8s b/Dockerfile_k8s
@@ -17,4 +17,8 @@ COPY cleanup_k8s.py LICENSE README.md setup.cfg /pcw/
 ENV PATH ${PATH}:/opt/google-cloud-sdk/bin/
 
 WORKDIR /pcw
+
+RUN useradd --no-create-home --uid 1777 --user-group --shell /bin/false pcw && chown -R pcw:pcw /pcw
+USER pcw
+
 CMD ["python3", "cleanup_k8s.py"]
diff --git a/Dockerfile_k8s_dev b/Dockerfile_k8s_dev
@@ -14,4 +14,7 @@ ENV PATH ${PATH}:/opt/google-cloud-sdk/bin/
 
 WORKDIR /pcw
 
+RUN useradd --no-create-home --uid 1777 --user-group --shell /bin/false pcw && chown -R pcw:pcw /pcw
+USER pcw
+
 ENTRYPOINT ["sh", "-c"]