feat: End Dockerfiles with non-root user

Fixes hadolint rule DL3002.
DSD-DBS · Sep 12, 2023 · 5bd06f6 · 5bd06f6
1 parent a1ccbfb
commit 5bd06f6
Show file tree

Hide file tree

Showing 8 changed files with 25 additions and 3 deletions.
diff --git a/.hadolint.yaml b/.hadolint.yaml
@@ -4,6 +4,5 @@
 failure-threshold: warning
 override:
   info:
-    - DL3002
     - DL3006
     - DL3008
diff --git a/base/Dockerfile b/base/Dockerfile
@@ -55,3 +55,5 @@ RUN ln -s "$(which python3.11)" /usr/bin/python && \
     python -m venv /opt/.venv && \
     chmod -R 777 /opt/.venv/bin/ && \
     chmod -R 777 /opt/.venv/lib/python3.11/site-packages
+
+USER techuser
diff --git a/capella/Dockerfile b/capella/Dockerfile
@@ -12,6 +12,9 @@ SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 ENV SHELL=/bin/bash
 
 FROM base as old_gtk_true
+
+ONBUILD USER root
+
 # Install WebKit with GTK
 ONBUILD COPY libs /tmp/libs
 ONBUILD ARG INJECT_PACKAGES=false
@@ -38,6 +41,8 @@ ONBUILD RUN if [ "$INJECT_PACKAGES" = "true" ]; then \
     rm -rf /var/lib/apt/lists/*;
 
 FROM base as old_gtk_false
+
+ONBUILD USER root
 ONBUILD COPY libs /tmp/libs
 ONBUILD RUN apt-get update && \
     apt-get install -y \
@@ -157,3 +162,5 @@ COPY startup.sh /startup.sh
 ENTRYPOINT [ "/tini", "--", "/startup.sh" ]
 
 ENV BASE_TYPE=capella
+
+USER techuser
diff --git a/ease/Dockerfile b/ease/Dockerfile
@@ -9,6 +9,8 @@ FROM $BASE_IMAGE as prebuild
 SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 ENV SHELL=/bin/bash
 
+USER root
+
 # Somehow OpenJDK does not install in one shot due to a (cyclic?) dependency on
 # package ca-certificates-java. Performing the install again fixes it.
 RUN apt-get update && \
@@ -27,6 +29,8 @@ ENV DISPLAY :99
 
 RUN pip install --no-cache-dir py4j==0.10.9.7
 
+USER techuser
+
 # Offline build (fixed version)
 FROM prebuild as build_offline
 ONBUILD COPY extensions /tmp/extensions
@@ -42,8 +46,6 @@ ONBUILD ENV SWTBOT_REPOSITORY=https://download.eclipse.org/technology/swtbot/rel
 
 FROM build_${BUILD_TYPE}
 
-USER techuser
-
 # Install EASE Dependencies
 # - org.py4j.feature.feature.group
 RUN /opt/capella/capella \
@@ -109,4 +111,7 @@ RUN chmod +rx /etc/git_askpass.py
 
 COPY startup.sh /opt/startup.sh
 RUN chmod +x /opt/startup.sh
+
+USER techuser
+
 ENTRYPOINT [ "/opt/startup.sh" ]
diff --git a/ease/debug/Dockerfile b/ease/debug/Dockerfile
@@ -25,3 +25,5 @@ RUN if [ "$NETWORK_ACCESS" = "restricted" ]; then \
     fi && \
     rm -rf /var/lib/apt/lists/* && \
     rm -r /tmp/libs;
+
+USER techuser
diff --git a/eclipse/Dockerfile b/eclipse/Dockerfile
@@ -11,6 +11,7 @@ SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
 ENV SHELL=/bin/bash
 
 FROM base as build_online
+ONBUILD USER root
 ONBUILD ENV EGIT_REPOSITORY=https://download.eclipse.org/egit/updates/
 
 FROM base as build_offline
@@ -64,3 +65,5 @@ ENV ECLIPSE_INSTALLATION_PATH=/opt/eclipse
 ENV ECLIPSE_EXECUTABLE=/opt/eclipse/eclipse
 
 ENV BASE_TYPE=eclipse
+
+USER techuser
diff --git a/jupyter-notebook/Dockerfile b/jupyter-notebook/Dockerfile
@@ -4,6 +4,8 @@
 ARG BASE_IMAGE=base
 FROM $BASE_IMAGE
 
+USER root
+
 RUN apt-get update && \
     apt-get install --yes --no-install-recommends \
     git \

diff --git a/t4c/Dockerfile b/t4c/Dockerfile
@@ -60,4 +60,6 @@ RUN chown techuser /opt/capella/capella.ini && \
 WORKDIR /opt
 ENV BASE_TYPE=t4c
 
+USER techuser
+
 ENTRYPOINT [ "/tini", "--", "/docker_entrypoint.sh" ]
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,6 +4,5 @@ @@
     failure-threshold: warning
     override:
       info:
-        - DL3002
         - DL3006
         - DL3008