flow/nexus docker: nonroot (#1724)

ui container already nonroot
PeerDB-io · May 15, 2024 · 1d45f6a · 1d45f6a
1 parent 09dd75d
commit 1d45f6a
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 6 deletions.
diff --git a/stacks/flow.Dockerfile b/stacks/flow.Dockerfile
@@ -19,9 +19,11 @@ ENV CGO_ENABLED=1
 RUN go build -ldflags="-s -w" -o /root/peer-flow
 
 FROM alpine:3.19 AS flow-base
-RUN apk add --no-cache ca-certificates geos
-WORKDIR /root
-COPY --from=builder /root/peer-flow .
+RUN apk add --no-cache ca-certificates geos && \
+  adduser -s /bin/sh -D peerdb
+USER peerdb
+WORKDIR /home/peerdb
+COPY --from=builder --chown=peerdb /root/peer-flow .
 
 FROM flow-base AS flow-api
 

diff --git a/stacks/peerdb-server.Dockerfile b/stacks/peerdb-server.Dockerfile
@@ -23,7 +23,9 @@ RUN CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse cargo build --release --bin peerd
 
 FROM alpine:3.19
 RUN apk add --no-cache ca-certificates postgresql-client curl iputils && \
-  mkdir -p /var/log/peerdb
-WORKDIR /root
-COPY --from=builder /root/nexus/target/release/peerdb-server .
+  adduser -s /bin/sh -D peerdb && \
+  install -d -m 0755 -o peerdb /var/log/peerdb
+USER peerdb
+WORKDIR /home/peerdb
+COPY --from=builder --chown=peerdb /root/nexus/target/release/peerdb-server .
 CMD ["./peerdb-server"]