Merge pull request #97 from macbre/docker/run-as-non-root

macbre · web-flow · commit d9abd74a5d36 · 2022-12-19T12:16:39.000Z
Run as non root by default
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
@@ -50,9 +50,13 @@ jobs:
       run: |
         docker images | head -n3
 
+    - name: Are we running as non-root?
+      run: |
+        docker run --rm -t macbre/nginx whoami | grep nginx
+
     - name: Run nginx -V and njs -v
       run: |
-        docker run -t macbre/nginx nginx -V | sed 's/\-\-/\n\t--/g' | tee
+        docker run --rm -t macbre/nginx nginx -V | sed 's/\-\-/\n\t--/g' | tee
         echo "njs v$(docker run -t macbre/nginx njs -v)"
 
     - name: Serve a static asset
diff --git a/Dockerfile b/Dockerfile
@@ -218,8 +218,8 @@ COPY --from=base /usr/sbin/njs /usr/sbin/njs
 
 # hadolint ignore=SC2046
 RUN \
-	addgroup -S nginx \
-	&& adduser -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
+	addgroup --gid 101 -S nginx \
+	&& adduser --uid 100 -D -S -h /var/cache/nginx -s /sbin/nologin -G nginx nginx \
 	&& apk add --no-cache --virtual .nginx-rundeps tzdata $(cat /tmp/runDeps.txt) \
 	&& rm /tmp/runDeps.txt \
 	&& ln -s /usr/lib/nginx/modules /etc/nginx/modules \
@@ -241,8 +241,13 @@ RUN njs -v
 # test the configuration
 RUN nginx -V; nginx -t
 
-EXPOSE 80 443
+EXPOSE 8080 8443
 
 STOPSIGNAL SIGTERM
 
+# prepare to switching to non-root - update file permissions
+RUN chown --verbose nginx:nginx \
+	/var/run/nginx.pid
+
+USER nginx
 CMD ["nginx", "-g", "daemon off;"]
diff --git a/nginx.conf b/nginx.conf
@@ -5,8 +5,6 @@
 # http://nginx.org/en/docs/ngx_core_module.html#load_module
 include /etc/nginx/main.d/*.conf;
 
-
-user  nginx;
 worker_processes  1;
 
 error_log  /var/log/nginx/error.log warn;
