Merge pull request #13 from esune/fix/image-permissions

Actually fix user permissions
bcgov · Oct 23, 2024 · eeaf4c3 · eeaf4c3
2 parents f14d721 + 8d6bebb
commit eeaf4c3
Showing 1 changed file with 15 additions and 7 deletions.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -1,13 +1,21 @@
 FROM python:3.12-slim
 
-# Create unprivileged user and group for service
-RUN addgroup vcservice
-RUN useradd -g vcservice vcservice
-
 WORKDIR /app
 
-# make user owner of app folder
-RUN chown -R vcservice:vcservice /app
+ARG uid=1001
+ARG user=vcservice
+
+# Add vcservice user
+RUN useradd -U -ms /bin/bash -u $uid $user
+
+# - In order to drop the root user, we have to make some directories writable
+#   to the root group as OpenShift default security model is to run the container
+#   under random UID.
+RUN usermod -a -G 0 $user
+
+# The root group needs access the directories under /app for the container to function in OpenShift.
+RUN chown -R $user:root /app && \
+    chmod -R ug+rw /app
 
 RUN pip install --no-cache-dir --upgrade pip
 RUN pip install poetry
@@ -19,6 +27,6 @@ RUN poetry install --no-root --only main
 
 COPY ../ ./
 
-USER vcservice
+USER $user
 
 CMD ["fastapi", "run", "main.py", "--port", "8080", "--proxy-headers"]