Update docker file to run as non-root user

mozilla-releng · Dec 5, 2023 · 9062335 · 9062335
1 parent 27e05cd
commit 9062335
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 4 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -8,14 +8,29 @@ RUN apt-get update \
     && apt-get clean \
     && rm -rf /var/lib/apt/lists/*
 
+# Create a new user and group (e.g., 'worker')
+# and set the home directory for the user
+RUN groupadd -r -g 15731 worker && useradd -r -u 15731 -g worker -d /home/worker -m worker
+
+# Set the home directory as an environment variable
+ENV HOME=/home/worker
+
 # Set the working directory in the container
-WORKDIR /usr/src/app
+WORKDIR $HOME/app
 
 # Copy the project files into the container
-COPY . .
+COPY . $HOME/app
+
+# Change the ownership of the working directory to the new user
+RUN chown -R worker:worker $HOME/app
+
+# Switch to the non-root user
+USER worker
 
 # Install dependencies using Poetry
-RUN poetry config virtualenvs.create false \
+# The virtualenv will be created in the user's home directory
+RUN poetry config virtualenvs.create true \
+    && poetry config virtualenvs.in-project true \
     && poetry install --only main
 
 # Run mozilla-linux-pkg-manager when the container launches

diff --git a/README.md b/README.md
@@ -67,7 +67,7 @@ docker run --rm \
 -e GOOGLE_CLOUD_PROJECT=$GOOGLE_CLOUD_PROJECT \
 -e GOOGLE_APPLICATION_CREDENTIALS=/tmp/keys/google/key.json \
 -v $GOOGLE_APPLICATION_CREDENTIALS:/tmp/keys/google/key.json:ro \
-mozillareleases/mozilla-linux-pkg-manager:0.3.0 \
+mozillareleases/mozilla-linux-pkg-manager:0.4.0 \
 clean-up \
 --product firefox \
 --channel nightly \