Run as non-root user in docker

opensafely-core · Dec 12, 2023 · 2de02e8 · 2de02e8
1 parent a4321bf
commit 2de02e8
Show file tree

Hide file tree

Showing 3 changed files with 17 additions and 0 deletions.
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -149,6 +149,10 @@ ARG GITREF=unknown
 LABEL org.opencontainers.image.revision=$GITREF
 
 
+ARG USERID=10001
+ARG GROUPID=10001
+USER ${USERID}:${GROUPID}
+
 ##################################################
 #
 # Dev image
@@ -167,3 +171,8 @@ RUN --mount=type=cache,target=/root/.cache \
 
 # Override ENTRYPOINT rather than CMD so we can pass arbitrary commands to the entrypoint script
 ENTRYPOINT ["/app/docker/entrypoints/dev.sh"]
+
+# Run as non root user. Required when building image.
+ARG USERID
+ARG GROUPID
+USER ${USERID}:${GROUPID}
diff --git a/docker/docker-compose.yaml b/docker/docker-compose.yaml
@@ -44,6 +44,10 @@ services:
     build:
       # the dev stage in the Dockerfile
       target: opencodelists-dev
+      args:
+        # user developer uid:gid in dev
+        - USERID=${DEV_USERID:-1000}
+        - GROUPID=${DEV_GROUPID:-1000}
     # paths relative to docker-compose.yaml file
     volumes:
       - ..:/app

diff --git a/docker/justfile b/docker/justfile
@@ -10,6 +10,10 @@ export COMPOSE_DOCKER_CLI_BUILD := "1"
 
 export BIN := "/opt/venv/bin"
 
+export DEV_USERID := `id -u`
+export DEV_GROUPID := `id -g`
+
+
 build env="dev":
     #!/usr/bin/env bash