tmdinosaurcenter/kiosk-guestbook
1
0
Fork 0
mirror of https://github.com/tmdinosaurcenter/kiosk-guestbook.git synced 2026-06-04 00:28:21 -06:00
Code Issues Packages Projects Releases Wiki Activity

feat: run container as non-root user

Browse Source 
Create appuser with configurable UID/GID (default 1000, matching
example.env PID/GID vars) and switch to it before starting Gunicorn.
Override at build time with --build-arg UID=... --build-arg GID=...

Note: the /data volume mount must be owned by the matching UID on the
host for the DB to remain writable.
This commit is contained in:
Steve Dogiakos
2026-03-09 20:13:21 -06:00
parent 1a0a1371bc
commit 0c8491ce7a
1 changed files with 7 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Dockerfile
+7 -4
View File
@@ -24,10 +24,13 @@ ENV FLASK_ENV=production
# Expose the port (Gunicorn will run on 8000) # Expose the port (Gunicorn will run on 8000)
EXPOSE 8000 EXPOSE 8000
# TODO: No USER directive — container runs as root. Add a non-root user for security. # Create a non-root user. UID/GID match the PID/GID vars in example.env (default 1000).
# example.env has PID/GID=1000 vars suggesting this was intended. e.g.: # Override at build time with: docker build --build-arg UID=1001 --build-arg GID=1001
# RUN useradd -u 1000 -g 1000 appuser && chown -R appuser /app /data ARG UID=1000
# USER appuser ARG GID=1000
RUN groupadd -g ${GID} appuser && useradd -u ${UID} -g ${GID} -s /bin/sh -M appuser
RUN chown -R appuser:appuser /app /entrypoint.sh
USER appuser
# Use the entrypoint script as the container's command # Use the entrypoint script as the container's command
CMD ["/entrypoint.sh"] CMD ["/entrypoint.sh"]