From 1d45f6a5c020e6a5139cc44e79187e4f316938f5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Philip=20Dub=C3=A9?=
Date: Wed, 15 May 2024 14:13:22 +0000
Subject: [PATCH] flow/nexus docker: nonroot (#1724)

ui container already nonroot
---
 stacks/flow.Dockerfile          | 8 +++++---
 stacks/peerdb-server.Dockerfile | 8 +++++---
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/stacks/flow.Dockerfile b/stacks/flow.Dockerfile
index a8ac567d86..276cf13f18 100644
--- a/stacks/flow.Dockerfile
+++ b/stacks/flow.Dockerfile
@@ -19,9 +19,11 @@ ENV CGO_ENABLED=1
 RUN go build -ldflags="-s -w" -o /root/peer-flow
 
 FROM alpine:3.19 AS flow-base
-RUN apk add --no-cache ca-certificates geos
-WORKDIR /root
-COPY --from=builder /root/peer-flow .
+RUN apk add --no-cache ca-certificates geos && \
+  adduser -s /bin/sh -D peerdb
+USER peerdb
+WORKDIR /home/peerdb
+COPY --from=builder --chown=peerdb /root/peer-flow .
 
 FROM flow-base AS flow-api
 
diff --git a/stacks/peerdb-server.Dockerfile b/stacks/peerdb-server.Dockerfile
index 63c78624e9..ac85f63dce 100644
--- a/stacks/peerdb-server.Dockerfile
+++ b/stacks/peerdb-server.Dockerfile
@@ -23,7 +23,9 @@ RUN CARGO_REGISTRIES_CRATES_IO_PROTOCOL=sparse cargo build --release --bin peerd
 
 FROM alpine:3.19
 RUN apk add --no-cache ca-certificates postgresql-client curl iputils && \
-  mkdir -p /var/log/peerdb
-WORKDIR /root
-COPY --from=builder /root/nexus/target/release/peerdb-server .
+  adduser -s /bin/sh -D peerdb && \
+  install -d -m 0755 -o peerdb /var/log/peerdb
+USER peerdb
+WORKDIR /home/peerdb
+COPY --from=builder --chown=peerdb /root/nexus/target/release/peerdb-server .
 CMD ["./peerdb-server"]
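Review bot: The `adduser -s /bin/sh -D peerdb` / `USER peerdb` pair in the flow.Dockerfile hunk (and the identical lines in the peerdb-server.Dockerfile hunk) leaves the UID to Alpine's allocator and records a user name rather than a number in the image config, so runtimes that verify non-root from image metadata alone (Kubernetes `runAsNonRoot`) cannot confirm the user and refuse to start the container. Pin the id and reference it numerically in both files: `adduser -u 10001 -s /bin/sh -D peerdb` followed by `USER 10001`; the `COPY --chown=peerdb` lines still resolve the name at build time and can stay. Separately, `COPY --from=builder --chown=peerdb … .` drops the binary, owned by the runtime account, into that account's own home directory, so the process can overwrite the program it is executing; a root-owned copy at a root-owned path such as `/usr/local/bin/` keeps the executable read-only to the user it runs as, though for flow-base the stages that set the command (`FROM flow-base AS flow-api` onward) are outside this hunk, and in peerdb-server the context line `CMD ["./peerdb-server"]` would need to point at the new location.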