feat (backport): Use non-root default user for Docker image (#2287)

* Backport PR #2243 * Add non-root default user 'moby' with uid 1000 that owns the Python virtual environment. - Set default working directory to /home/moby/work/. * Add .dockerignore for local builds.
scikit-hep · Aug 16, 2023 · 616966d · 616966d
1 parent 97f94f0
commit 616966d
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 1 deletion.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,2 @@
+.nox
+.*cache
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -20,12 +20,43 @@ RUN apt-get -qq -y update && \
     python -m pip list
 
 FROM base
+
+USER root
+
+SHELL [ "/bin/bash", "-c" ]
 ENV PATH=/usr/local/venv/bin:"${PATH}"
+
 RUN apt-get -qq -y update && \
     apt-get -qq -y install --no-install-recommends \
         curl && \
     apt-get -y autoclean && \
     apt-get -y autoremove && \
     rm -rf /var/lib/apt/lists/*
-COPY --from=builder /usr/local/venv /usr/local/venv
+
+# Create non-root user "moby" with uid 1000
+RUN adduser \
+      --shell /bin/bash \
+      --gecos "default user" \
+      --uid 1000 \
+      --disabled-password \
+      moby && \
+    chown -R moby /home/moby && \
+    mkdir /work && \
+    chown -R moby /work && \
+    echo -e "\nexport PATH=/usr/local/venv/bin:${PATH}\n" >> /home/moby/.bashrc
+
+COPY --from=builder --chown=moby /usr/local/venv /usr/local/venv/
+
+USER moby
+
+ENV USER ${USER}
+ENV HOME /home/moby
+WORKDIR ${HOME}/work
+
+# Use C.UTF-8 locale to avoid issues with ASCII encoding
+ENV LC_ALL=C.UTF-8
+ENV LANG=C.UTF-8
+
+ENV PATH=${HOME}/.local/bin:${PATH}
+
 ENTRYPOINT ["/usr/local/venv/bin/pyhf"]