Run docker container as non-root user

Closes #528
master
James Curtin 5 years ago committed by James Curtin
parent 4011fb1b50
commit e85ce98167
  1. 9
      Dockerfile
  2. 15
      {{cookiecutter.app_name}}/Dockerfile

@ -1,10 +1,9 @@
FROM python:3.7-alpine FROM python:3.7-slim-buster
RUN apk update \
&& apk upgrade \
&& apk add --no-cache git
RUN pip install \ RUN pip install \
cookiecutter==1.6.0 cookiecutter==1.6.0
RUN useradd -m sid
USER sid
ENTRYPOINT [ "python", "-m", "cookiecutter" ] ENTRYPOINT [ "python", "-m", "cookiecutter" ]
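Review bot: `RUN useradd -m sid` followed by `USER sid` leaves the UID to whatever the base image allocates and records the user by name, so a runtime that enforces non-root by numeric UID (for example Kubernetes `runAsNonRoot`) cannot verify it. Pinning it makes the contract explicit: `RUN useradd -m -u 10001 sid` and `USER 10001`, where 10001 is only an example value. Separately, the new side drops the `apk add --no-cache git` step without adding an apt equivalent. If templates are fetched from git URLs, git probably has to be installed before the `USER` switch, in the same layer as its `apt-get update` and with `--no-install-recommends`.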

@ -1,6 +1,6 @@
# ==================================== BASE ==================================== # ==================================== BASE ====================================
ARG INSTALL_PYTHON_VERSION=${INSTALL_PYTHON_VERSION:-3.7} ARG INSTALL_PYTHON_VERSION=${INSTALL_PYTHON_VERSION:-3.7}
FROM python:${INSTALL_PYTHON_VERSION}-slim-stretch AS base FROM python:${INSTALL_PYTHON_VERSION}-slim-buster AS base
RUN apt-get update RUN apt-get update
RUN apt-get install -y \ RUN apt-get install -y \
@ -21,6 +21,11 @@ COPY requirements requirements
{%- endif %} {%- endif %}
COPY [ "assets", "package.json", "webpack.config.js", "./" ] COPY [ "assets", "package.json", "webpack.config.js", "./" ]
RUN useradd -m sid
RUN chown -R sid:sid /app
USER sid
ENV PATH="/home/sid/.local/bin:${PATH}"
RUN npm install RUN npm install
# ================================= DEVELOPMENT ================================ # ================================= DEVELOPMENT ================================
@ -28,7 +33,7 @@ FROM base AS development
{%- if cookiecutter.use_pipenv == "yes" %} {%- if cookiecutter.use_pipenv == "yes" %}
RUN pipenv install --dev RUN pipenv install --dev
{%- else %} {%- else %}
RUN pip install -r requirements/dev.txt RUN pip install --user -r requirements/dev.txt
{%- endif %} {%- endif %}
EXPOSE 2992 EXPOSE 2992
EXPOSE 5000 EXPOSE 5000
@ -39,7 +44,7 @@ FROM base AS production
{%- if cookiecutter.use_pipenv == "yes" %} {%- if cookiecutter.use_pipenv == "yes" %}
RUN pipenv install RUN pipenv install
{%- else %} {%- else %}
RUN pip install -r requirements/prod.txt RUN pip install --user -r requirements/prod.txt
{%- endif %} {%- endif %}
COPY supervisord.conf /etc/supervisor/supervisord.conf COPY supervisord.conf /etc/supervisor/supervisord.conf
COPY supervisord_programs /etc/supervisor/conf.d COPY supervisord_programs /etc/supervisor/conf.d
@ -50,8 +55,8 @@ CMD ["-c", "/etc/supervisor/supervisord.conf"]
# =================================== MANAGE =================================== # =================================== MANAGE ===================================
FROM base AS manage FROM base AS manage
{%- if cookiecutter.use_pipenv == "yes" %} {%- if cookiecutter.use_pipenv == "yes" %}
COPY --from=development /root/.local/share/virtualenvs/ /root/.local/share/virtualenvs/ COPY --from=development /sid/.local/share/virtualenvs/ /sid/.local/share/virtualenvs/
{%- else %} {%- else %}
RUN pip install -r requirements/dev.txt RUN pip install --user -r requirements/dev.txt
{%- endif %} {%- endif %}
ENTRYPOINT [ {% if cookiecutter.use_pipenv == 'yes' %}"pipenv", "run", {% endif %}"flask" ] ENTRYPOINT [ {% if cookiecutter.use_pipenv == 'yes' %}"pipenv", "run", {% endif %}"flask" ]
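Review bot: In the manage stage the pipenv branch now copies from `/sid/.local/share/virtualenvs/`, but `useradd -m sid` puts the home directory under `/home/sid`, as the added `ENV PATH="/home/sid/.local/bin:${PATH}"` in the base stage also assumes. The source path therefore most likely does not exist in the development stage, and the copy would fail or bring nothing. The line should probably read `COPY --from=development --chown=sid:sid /home/sid/.local/share/virtualenvs/ /home/sid/.local/share/virtualenvs/`. The `--chown` matters because `COPY` writes files as root regardless of the preceding `USER sid`, and the same applies to any later `COPY` of application code into `/app` after the one-time `chown -R sid:sid /app`. The stage bodies continue outside the hunks shown, so confirm against the full file.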
