Change Dockerfile to run app under non-root user

[dmeremyanin]

This PR updates the Dockerfile to improve security by running the application as a non-root user inside the container. This change ensures that the application no longer runs with root privileges, following best practices for containerized environments.

For more information, refer to the following resources:

• Sysdig's Dockerfile Best Practices
• Kubernetes Security Checklist

[dmeremyanin]

Hey @FZambia, just wanted to make sure you're aware of this PR. We'd love to get this change merged into the main branch to address the concerns raised by our security team.

[FZambia]

Hello @dmeremyanin ,

Thanks!

Yep, I've seen. Generally the improvement is useful, but did not have time to test it out. In general, I'd like to have sth like this in Dockerfile eventually:

FROM alpine:3.18

ARG USER=centrifugo
ARG UID=1000
ARG GID=1000

RUN addgroup -S -g $GID $USER && \
    adduser -S -G $USER -u $UID $USER

RUN apk --no-cache upgrade && \
    apk --no-cache add ca-certificates && \
    update-ca-certificates

WORKDIR /centrifugo

COPY --chown=$USER:$USER centrifugo /usr/local/bin/centrifugo

USER $USER

CMD ["centrifugo"]

So I may eventually change it to this version. Please tell me whether you have any concerns about this version compared to the one you submitted?

[dmeremyanin]

Thanks for reviewing the PR. Regarding your suggestion, I have a couple of points I'd like to clarify:

1. COPY --chown=$USER:$USER centrifugo /usr/local/bin/centrifugo

I understand the intent behind this line, but I think changing the file ownership in the Dockerfile could present a security risk. Specifically, it opens up the possibility of the files being altered by the process itself, which could lead to unintended consequences. As a best practice, I would generally avoid using --chown in the COPY command for this reason.

See #1.3 in Sysdis's recommendations:
https://sysdig.com/learn-cloud-native/dockerfile-best-practices/#1-3-make-executables-owned-by-root-and-not-writable

2. WORKDIR /centrifugo and user access

As for the WORKDIR, in my initial approach, I had to make sure the USER had write access to the working directory. I ran into an issue where Centrifugo wouldn't start properly if the Centrifugo user didn't own the directory, but I can't fully recall the exact cause of the issue now 😬

In any case, I'd be happy to adjust my approach to align with your recommendations, if you don't mind.

[FZambia]

Thx, let's drop chown, was my mistake to assume that user won't be able to execute binary without it. Regarding WORKDIR – I guess sth may go wrong since user can't read config which is volumed into it.

If you can update your PR taking best parts of both my suggestions and your concerns - please do, I'll try to test it out as soon as I can.

[dmeremyanin]

@FZambia I've updated the PR to include your suggestions.

[FZambia]

👍 👍

[FZambia]

Many thanks @dmeremyanin

[dmeremyanin]

Thank you for the review and for merging the PR. Looking forward to the new release!

[FZambia]

https://github.com/centrifugal/centrifugo/releases/tag/v5.4.9