From fe3e66737f6db3765dd888bb00f72a934fd06eda Mon Sep 17 00:00:00 2001
From: Burton Rheutan
Date: Thu, 6 Jun 2019 08:36:31 -0500
Subject: [PATCH] Non-root users for all templates
Update all python-flask templates to use a non-root user
Signed-off-by: Burton Rheutan
---
 template/python27-flask/Dockerfile | 26 +++++++++++++++++++------
 template/python3-flask-armhf/Dockerfile | 26 +++++++++++++++++++------
 template/python3-flask/Dockerfile | 26 +++++++++++++++++++------
 3 files changed, 60 insertions(+), 18 deletions(-)
diff --git a/template/python27-flask/Dockerfile b/template/python27-flask/Dockerfile
index 350fad4..bbb218e 100644
--- a/template/python27-flask/Dockerfile
+++ b/template/python27-flask/Dockerfile
@@ -8,20 +8,34 @@ ARG ADDITIONAL_PACKAGE
 # Alternatively use ADD https:// (which will not be cached by Docker builder)
 RUN apk --no-cache add ${ADDITIONAL_PACKAGE}
-WORKDIR /root/
+# Add non root user
+RUN addgroup -S app && adduser app -S -G app
+RUN chown app /home/app
+USER app
+
+ENV PATH=$PATH:/home/app/.local/bin
+
+WORKDIR /home/app/
+
+COPY index.py .
 COPY requirements.txt .
+USER root
 RUN pip install -r requirements.txt
-COPY index.py .
+USER app
 RUN mkdir -p function
 RUN touch ./function/__init__.py
-WORKDIR /root/function/
+WORKDIR /home/app/function/
 COPY function/requirements.txt .
-RUN pip install -r requirements.txt
+RUN pip install --user -r requirements.txt
+
+WORKDIR /home/app/
-WORKDIR /root/
-COPY function function
+USER root
+COPY function function
+RUN chown -R app:app ./
+USER app
 ENV fprocess="python index.py"
 ENV cgi_headers="true"
diff --git a/template/python3-flask-armhf/Dockerfile b/template/python3-flask-armhf/Dockerfile
index 40d0a41..9be8e53 100644
--- a/template/python3-flask-armhf/Dockerfile
+++ b/template/python3-flask-armhf/Dockerfile
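Review bot: The closing `USER root` / `COPY function function` / `RUN chown -R app:app ./` / `USER app` sequence at the end of the hunk re-owns the entire /home/app tree, which copies every file under it (including the `--user` site-packages installed one step earlier) into a new layer and also gives the `app` user write ownership of index.py and requirements.txt, which a running function has no reason to modify; `COPY --chown=app:app function function` gives the function directory the ownership it needs and lets those four lines collapse to one without switching users. Placing `COPY index.py .` ahead of `COPY requirements.txt .` and the root `pip install` also means any edit to index.py now invalidates the cached dependency layer, which the previous ordering avoided. If these images run under Kubernetes with `runAsNonRoot`, the kubelet cannot verify a non-numeric `USER app`; creating the user with a fixed UID, `adduser -S -u 10001 -G app app`, and closing with `USER 10001` keeps that check satisfiable. The same sequence is repeated in template/python3-flask-armhf/Dockerfile and template/python3-flask/Dockerfile.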
@@ -9,20 +9,34 @@ RUN apk --no-cache add curl \
 RUN apk --no-cache add musl-dev gcc make openssl-dev libffi-dev
-WORKDIR /root/
+# Add non root user
+RUN addgroup -S app && adduser app -S -G app
+RUN chown app /home/app
+USER app
+
+ENV PATH=$PATH:/home/app/.local/bin
+
+WORKDIR /home/app/
+
+COPY index.py .
 COPY requirements.txt .
+USER root
 RUN pip install -r requirements.txt
-COPY index.py .
+USER app
 RUN mkdir -p function
 RUN touch ./function/__init__.py
-WORKDIR /root/function/
+WORKDIR /home/app/function/
 COPY function/requirements.txt .
-RUN pip install -r requirements.txt
+RUN pip install --user -r requirements.txt
+
+WORKDIR /home/app/
-WORKDIR /root/
-COPY function function
+USER root
+COPY function function
+RUN chown -R app:app ./
+USER app
 ENV fprocess="python index.py"
diff --git a/template/python3-flask/Dockerfile b/template/python3-flask/Dockerfile
index 4100c4b..997eae7 100644
--- a/template/python3-flask/Dockerfile
+++ b/template/python3-flask/Dockerfile
@@ -7,20 +7,34 @@ RUN chmod +x /usr/bin/fwatchdog
 ARG ADDITIONAL_PACKAGE
 RUN apk --no-cache add musl-dev gcc make ${ADDITIONAL_PACKAGE}
-WORKDIR /root/
+# Add non root user
+RUN addgroup -S app && adduser app -S -G app
+RUN chown app /home/app
+USER app
+
+ENV PATH=$PATH:/home/app/.local/bin
+
+WORKDIR /home/app/
+
+COPY index.py .
 COPY requirements.txt .
+USER root
 RUN pip install -r requirements.txt
-COPY index.py .
+USER app
 RUN mkdir -p function
 RUN touch ./function/__init__.py
-WORKDIR /root/function/
+WORKDIR /home/app/function/
 COPY function/requirements.txt .
-RUN pip install -r requirements.txt
+RUN pip install --user -r requirements.txt
+
+WORKDIR /home/app/
-WORKDIR /root/
-COPY function function
+USER root
+COPY function function
+RUN chown -R app:app ./
+USER app
 ENV fprocess="python index.py"