From 8d6bebb77c79b90e02d46e895ef5f5f46639e747 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Emiliano=20Su=C3=B1=C3=A9?=
Date: Tue, 22 Oct 2024 12:55:04 -0700
Subject: [PATCH] Actually fix user permissions
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Emiliano Suñé
---
 docker/Dockerfile | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index e5b1ab6..db75cd7 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,13 +1,21 @@
 FROM python:3.12-slim
 
-# Create unprivileged user and group for service
-RUN addgroup vcservice
-RUN useradd -g vcservice vcservice
-
 WORKDIR /app
 
-# make user owner of app folder
-RUN chown -R vcservice:vcservice /app
+ARG uid=1001
+ARG user=vcservice
+
+# Add vcservice user
+RUN useradd -U -ms /bin/bash -u $uid $user
+
+# - In order to drop the root user, we have to make some directories writable
+# to the root group as OpenShift default security model is to run the container
+# under random UID.
+RUN usermod -a -G 0 $user
+
+# The root group needs access the directories under /app for the container to function in OpenShift.
+RUN chown -R $user:root /app && \
+ chmod -R ug+rw /app
 
 RUN pip install --no-cache-dir --upgrade pip
 RUN pip install poetry
@@ -19,6 +27,6 @@ RUN poetry install --no-root --only main
 
 COPY ../ ./
 
-USER vcservice
+USER $user
 
 CMD ["fastapi", "run", "main.py", "--port", "8080", "--proxy-headers"]
\ No newline at end of file
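Review bot: The `chown -R $user:root /app && chmod -R ug+rw /app` step runs directly after `WORKDIR /app`, while the directory is still empty, so it changes only `/app` itself; anything copied in later (the `COPY ../ ./` in the next hunk, and whatever the unseen lines between the hunks copy) is presumably still root-owned with default modes. What it does leave behind is a top-level directory writable by the service user and by GID 0, which is enough to rename or replace application files at runtime even though the files themselves are not writable. If the service only needs to read its code, I would move the step after the last `COPY` and grant read/traverse only, e.g. `RUN chgrp -R 0 /app && chmod -R g+rX /app`, giving the write bit to a dedicated subdirectory if something must be writable. Separately, `usermod -a -G 0 $user` should make no difference under an OpenShift-assigned arbitrary UID (that UID is not the named account), but it does hand the named user root-group membership on any runtime that honours `USER`, so it looks droppable.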
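Review bot: `USER $user` records a user name in the image config, and Kubernetes cannot verify `runAsNonRoot` against a non-numeric user, so pods with that setting would fail to start unless the spec also sets `runAsUser`. The `uid` build argument is already declared in the first hunk, so `USER $uid` would select the same account with a numeric ID that can be verified. A short comment such as `# numeric UID so runAsNonRoot can be verified` would record why.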