The current dockerfile for dspace-backend runs the backend as root. The user instruction is not transferred to the last stage, after copying to
FROM tomcat:9-jdk${JDK_VERSION}
If I log in with
docker exec -it ... /bin/bash
and do
I see that the owner of the running process is currently root.
Update dockerfile.dependencies
Update dockerfile
USER 10001 # dspace uid
instruction to the last stage

Updated the merge request after attending a workshop with our IT department on Kubernetes deployment. We are testing a Kubernetes platform https://elastisys.io/compliantkubernetes which has been set up for us.
Some additional changes and their rationale are:
Fixed user id with a number above 10000
A user uid above 10000 was also mentioned during the course. See for example https://github.com/hexops-graveyard/dockerfile?tab=readme-ov-file#do-not-use-a-uid-below-10000
Using a numeric user to allow the platform to check if the user is actually not running as root
https://elastisys.io/compliantkubernetes/user-guide/safeguards/enforce-no-root/
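
A check for the two points in this description, as an added example that is not part of the pull request or of DSpace: it finds the USER in effect in the final stage of a Dockerfile and requires it to be a numeric uid above 10000. The sample Dockerfiles, the stage name `build`, the image name `build-image` and the function names are constructed for illustration; line continuations are not handled.

```python
MIN_UID = 10000  # threshold named in the PR description

# Constructed sample: USER is set in the build stage only, so the final
# stage (the one that actually runs) falls back to the base image's user.
BEFORE = """\
FROM build-image AS build
USER 10001
RUN ./build.sh
FROM tomcat:9-jdk${JDK_VERSION}
COPY --from=build /install /dspace
"""

# Constructed sample: the same file with USER repeated in the final stage.
AFTER = BEFORE + "USER 10001\n"


def final_stage_user(dockerfile: str):
    """Return the USER value in effect at the end of the last stage, or None."""
    user = None
    for raw in dockerfile.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or full-line comment
        instr = parts[0].upper()
        if instr == "FROM":
            user = None  # every FROM starts a new stage; USER does not carry over
        elif instr == "USER" and len(parts) > 1:
            user = parts[1]
    return user


def check(dockerfile: str) -> str:
    """Classify the final-stage user: missing, named, low uid, or acceptable."""
    user = final_stage_user(dockerfile)
    if user is None:
        return "FAIL: no USER in final stage, base image default applies"
    uid = user.split(":")[0]  # USER accepts user[:group]
    if not uid.isdigit():
        return f"FAIL: USER {user} is a name, not verifiable from the manifest"
    if int(uid) <= MIN_UID:
        return f"FAIL: uid {uid} is not above {MIN_UID}"
    return f"OK: final stage runs as uid {uid}"


if __name__ == "__main__":
    for label, text in (("before", BEFORE), ("after", AFTER)):
        print(label, "->", check(text))
```
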