Use non-root user in Dockerfile (#214)

2026-06-16 12:31:07 +00:00 · 2025-10-01 20:04:08 +02:00
parent b6755497e4
commit c151f4f76e
1 changed files with 11 additions and 4 deletions
--- a/15
+++ b/15
@@ -8,11 +8,15 @@ RUN apt-get update \
  && apt-get install -y --no-install-recommends chromium curl \
  && rm -rf /var/lib/apt/lists/*

+# Use predefined node user (UID 1000, GID 1000)
+# Set home directory ownership for node user
+RUN usermod -d /fredy node
+
 ENV PUPPETEER_SKIP_CHROMIUM_DOWNLOAD=true \
    PUPPETEER_EXECUTABLE_PATH=/usr/bin/chromium

 # Copy lockfiles first to leverage cache for dependencies
-COPY package.json yarn.lock .
+COPY --chown=node:node package.json yarn.lock .

 # Set Yarn timeout, install dependencies and PM2 globally
 RUN yarn config set network-timeout 600000 \
@@ -20,13 +24,13 @@ RUN yarn config set network-timeout 600000 \
  && yarn global add pm2

 # Copy application source and build production assets
-COPY . .
+COPY --chown=node:node . .
 RUN yarn build:frontend

 # Prepare runtime directories and symlinks for data and config
 RUN mkdir -p /db /conf \
-  && chown 1000:1000 /db /conf \
-  && chmod 777 /db /conf \
+  && chown -R node:node /fredy /db /conf \
+  && chmod 755 /db /conf \
  && ln -s /db /fredy/db \
  && ln -s /conf /fredy/conf

@@ -34,5 +38,8 @@ EXPOSE 9998
 VOLUME /db
 VOLUME /conf

+# Switch to non-root user
+USER node
+
 # Start application using PM2 runtime
 CMD ["pm2-runtime", "index.js"]