From e85ce9816776ec1e5cfead4770666e9b0eb866f8 Mon Sep 17 00:00:00 2001
From: James Curtin
Date: Sat, 14 Sep 2019 18:23:52 -0400
Subject: [PATCH] Run docker container as non-root user

Closes #528
---
 Dockerfile                           |  9 ++++-----
 {{cookiecutter.app_name}}/Dockerfile | 15 ++++++++++-----
 2 files changed, 14 insertions(+), 10 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index ba4fdb4..eb71044 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,10 +1,9 @@
-FROM python:3.7-alpine
-
-RUN apk update \
-  && apk upgrade \
-  && apk add --no-cache git
+FROM python:3.7-slim-buster
 
 RUN pip install \
     cookiecutter==1.6.0
 
+RUN useradd -m sid
+USER sid
+
 ENTRYPOINT [ "python", "-m", "cookiecutter" ]
diff --git a/{{cookiecutter.app_name}}/Dockerfile b/{{cookiecutter.app_name}}/Dockerfile
index 1d6572a..239631b 100644
--- a/{{cookiecutter.app_name}}/Dockerfile
+++ b/{{cookiecutter.app_name}}/Dockerfile
@@ -1,6 +1,6 @@
 # ==================================== BASE ====================================
 ARG INSTALL_PYTHON_VERSION=${INSTALL_PYTHON_VERSION:-3.7}
-FROM python:${INSTALL_PYTHON_VERSION}-slim-stretch AS base
+FROM python:${INSTALL_PYTHON_VERSION}-slim-buster AS base
 
 RUN apt-get update
 RUN apt-get install -y \
@@ -21,6 +21,11 @@ COPY requirements requirements
 {%- endif %}
 COPY [ "assets", "package.json", "webpack.config.js", "./" ]
+
+RUN useradd -m sid
+RUN chown -R sid:sid /app
+USER sid
+ENV PATH="/home/sid/.local/bin:${PATH}"
 
 RUN npm install
 
 # ================================= DEVELOPMENT ================================
@@ -28,7 +33,7 @@ FROM base AS development
 {%- if cookiecutter.use_pipenv == "yes" %}
 RUN pipenv install --dev
 {%- else %}
-RUN pip install -r requirements/dev.txt
+RUN pip install --user -r requirements/dev.txt
 {%- endif %}
 EXPOSE 2992
 EXPOSE 5000
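Review bot: After `USER sid` the container still starts in the image default working directory `/`, which sid cannot write to, so the default `python -m cookiecutter <template>` invocation (cookiecutter writes the generated project to the current directory unless `-o` says otherwise) would now fail where it previously succeeded as root; this hunk covers the whole file, so there is no WORKDIR elsewhere to rely on. Adding `WORKDIR /home/sid` (the home directory `useradd -m` creates) before ENTRYPOINT gives the default invocation a writable cwd, and callers who bind-mount an output directory can still override it with `-w`. Separately, `useradd -m sid` takes whatever UID the distribution assigns, which makes the ownership of a bind-mounted output directory unpredictable and leaves nothing for a runtime `runAsNonRoot` check to verify; `RUN useradd --uid 10001 -m sid` pins it. The same `--uid` point applies to the second `useradd -m sid` in {{cookiecutter.app_name}}/Dockerfile.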
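Review bot: `RUN chown -R sid:sid /app` writes a second copy of everything already COPY'd into /app (this hunk's `COPY [ "assets", "package.json", "webpack.config.js", "./" ]` and the requirements/package files copied above it) into a new layer just to change ownership, so the image carries both the root-owned and the sid-owned copies. Creating the user before those COPY instructions and using `COPY --chown=sid:sid ...` on each of them keeps one copy of the files and drops the chown layer entirely. The new `ENV PATH="/home/sid/.local/bin:${PATH}"` correctly matches the home that `useradd -m` creates; the pipenv COPY in the manage stage below uses a different path and is covered in its own note.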
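Review bot: `RUN pip install --user -r requirements/dev.txt` now runs as sid, so pip's download cache is written to sid's home inside this layer and shipped with the image; `RUN pip install --user --no-cache-dir -r requirements/dev.txt` (or a BuildKit `--mount=type=cache` on pip's cache directory) avoids that. The same applies to the `requirements/prod.txt` install in the production hunk and the `requirements/dev.txt` install in the manage hunk below.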
@@ -39,7 +44,7 @@ FROM base AS production
 {%- if cookiecutter.use_pipenv == "yes" %}
 RUN pipenv install
 {%- else %}
-RUN pip install -r requirements/prod.txt
+RUN pip install --user -r requirements/prod.txt
 {%- endif %}
 COPY supervisord.conf /etc/supervisor/supervisord.conf
 COPY supervisord_programs /etc/supervisor/conf.d
@@ -50,8 +55,8 @@ CMD ["-c", "/etc/supervisor/supervisord.conf"]
 # =================================== MANAGE ===================================
 FROM base AS manage
 {%- if cookiecutter.use_pipenv == "yes" %}
-COPY --from=development /root/.local/share/virtualenvs/ /root/.local/share/virtualenvs/
+COPY --from=development /sid/.local/share/virtualenvs/ /sid/.local/share/virtualenvs/
 {%- else %}
-RUN pip install -r requirements/dev.txt
+RUN pip install --user -r requirements/dev.txt
 {%- endif %}
 ENTRYPOINT [ {% if cookiecutter.use_pipenv == 'yes' %}"pipenv", "run", {% endif %}"flask" ]
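Review bot: With `USER sid` inherited from the base stage, the production stage's supervisord (started by the `CMD ["-c", "/etc/supervisor/supervisord.conf"]` visible in the next hunk header) now runs unprivileged, and supervisord by default writes its pidfile and logfile to the current directory unless the config sets `pidfile`/`logfile`; supervisord.conf is not in this diff, so it is worth confirming it points those at a sid-writable location such as /app or /tmp, otherwise the container exits at startup. The two `COPY supervisord*` lines at the end of the hunk are executed by the builder irrespective of USER and land root-owned but world-readable, which is fine for a config that is only read. The production stage's definition starts above this hunk.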
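Review bot: `COPY --from=development /sid/.local/share/virtualenvs/ /sid/.local/share/virtualenvs/` names a directory that does not exist in the development stage: `useradd -m sid` creates `/home/sid`, which is also what the new `ENV PATH="/home/sid/.local/bin:${PATH}"` in the base stage assumes, so the virtualenvs pipenv creates as sid live under `/home/sid/.local/share/virtualenvs` (the pre-change line used the same `.local/share/virtualenvs` layout under /root) and this COPY fails the build whenever `use_pipenv == "yes"`. Files brought in with `COPY --from` are also root-owned while the stage runs as sid, so the copied virtualenv should be chowned in the same instruction: `COPY --from=development --chown=sid:sid /home/sid/.local/share/virtualenvs/ /home/sid/.local/share/virtualenvs/`. Whether pipenv stores its virtualenvs there presumably depends on its default WORKON_HOME, which this diff does not set; verify against the development stage.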