Makefile/Dockerfile: fix nonroot user usage

When using distroless tag `nonroot` we don't need to use the USER directive in the Dockerfile. Plus, nonroot can't write to /app or anywhere else so we should prefix the db path with nonroot's home as well in order to avoid a sketchy permission denied. Signed-off-by: Antonio Murdaca <amurdaca@redhat.com>
fido-device-onboard · Nov 4, 2024 · d08b49a · d08b49a
1 parent 0207e1f
commit d08b49a
Show file tree

Hide file tree

Showing 2 changed files with 1 addition and 2 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -14,7 +14,6 @@ FROM gcr.io/distroless/static-debian12:nonroot
 
 WORKDIR /app
 COPY --from=builder /app/fdo_server /app/fdo_server
-USER nonroot
 
 ENTRYPOINT ["./fdo_server"]
 CMD []
diff --git a/Makefile b/Makefile
@@ -26,7 +26,7 @@ build:
 # Run the Docker container with all flags
 run:
 	${CONTAINER_RUNTIME} run -v $(PWD)/app-data:/app-data:rw --name $(CONTAINER_NAME) -d --network=$(NETWORK) $(IMAGE_NAME) \
-		-db $(DB_PATH) \
+		-db /home/nonroot/$(DB_PATH) \
 		$(if $(DB_PASS),-db-pass $(DB_PASS)) \
 		$(DEBUG) \
 		-http $(HTTP_ADDR) \