From 71ec7f72109af41aa69c3832981927386bfc3d11 Mon Sep 17 00:00:00 2001
From: Aaron Scheiner
Date: Wed, 22 Nov 2023 15:22:24 +0000
Subject: [PATCH] Run as non-root users (#121)

* Add non-root users to Dockerfile
---
 Dockerfile | 22 ++++++++++++++++++++--
 1 file changed, 20 insertions(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 4534f9ed..a5b665dc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -34,20 +34,38 @@ RUN pnpm run --recursive build
 # Create a separate stage for pusher package. We create a temporary stage for deployment and then copy the result into
 # the final stage. Only the production dependencies and package implementation is part of this last stage.
+LABEL application="deployed-pusher" description="Deployed Pusher container"
+
 FROM build AS deployed-pusher
+
 RUN pnpm --filter=pusher --prod deploy deployed-pusher
 FROM node:18-alpine as pusher
 WORKDIR /app
 ENV NODE_ENV=production
-COPY --from=deployed-pusher /app/deployed-pusher .
+
+RUN addgroup -S deployed-pusher && \
+ adduser -h /app -s /bin/false -S -D -H -G deployed-pusher deployed-pusher && \
+ chown -R deployed-pusher /app
+USER deployed-pusher
+
+COPY --chown=deployed-pusher:deployed-pusher --from=deployed-pusher /app/deployed-pusher .
 ENTRYPOINT ["node", "dist/src/index.js"]
 
 # Create a separate stage for api package. We create a temporary stage for deployment and then copy the result into
 # the final stage. Only the production dependencies and package implementation is part of this last stage.
+LABEL application="deployed-api" description="Deployed API container"
+
 FROM build AS deployed-api
+
 RUN pnpm --filter=api --prod deploy deployed-api
 FROM node:18-alpine as api
 WORKDIR /app
 ENV NODE_ENV=production
-COPY --from=deployed-api /app/deployed-api .
+
+RUN addgroup -S deployed-api && \
+ adduser -h /app -s /bin/false -S -D -H -G deployed-api deployed-api && \
+ chown -R deployed-api /app
+USER deployed-api
+
+COPY --chown=deployed-api:deployed-api --from=deployed-api /app/deployed-api .
 ENTRYPOINT ["node", "dist/index.js"]
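Review bot: Both new `LABEL` lines sit immediately before a `FROM`, so each attaches to the stage that precedes it rather than the one it names: `LABEL application="deployed-pusher" …` lands on the `build` stage, and `LABEL application="deployed-api" …` lands on the final `pusher` image (it follows that stage's `ENTRYPOINT`), while the final `api` image gets no application label at all. Move each label below the `FROM node:18-alpine as …` line of the image it describes, e.g. `LABEL application="deployed-pusher" description="Deployed Pusher container"` right after `WORKDIR /app` in the `pusher` stage and likewise for `api`; labels on an intermediate stage only reach images built `FROM` it. Separately, `chown -R deployed-pusher /app` together with `COPY --chown=deployed-pusher:deployed-pusher …` leaves the runtime user owning its own `dist/` and `node_modules`, so a compromised process can rewrite the code it runs; `node` only needs read access, and the root-owned, world-readable default (`COPY --from=deployed-pusher /app/deployed-pusher .` with no `--chown`, and the `chown -R` line dropped, which is redundant anyway since `/app` is empty at that point) is the least-privilege choice, with writable paths granted individually if the service needs them. The same applies to the `api` stage, where a fixed numeric UID on `adduser` (`-u 10001`) would additionally let runtimes that enforce non-root verify the user without a passwd lookup.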