build: containers will now run as the non-root rafiki user (#3277)

bosbaber · web-flow · commit cef072641c1a · 2025-02-28T08:24:49.000+02:00
* build: containers will now run as the non-root rafiki user
* build: frontend build image will now also have read-only access to packages folder
diff --git a/packages/auth/Dockerfile.dev b/packages/auth/Dockerfile.dev
@@ -1,24 +1,37 @@
 FROM node:20-alpine3.20
 
+RUN adduser -D rafiki
 WORKDIR /home/rafiki
 
-RUN corepack enable
+# Install Corepack and pnpm as the Rafiki user
+USER rafiki
+RUN mkdir -p /home/rafiki/.local/bin
+ENV PATH="/home/rafiki/.local/bin:$PATH"
+RUN corepack enable --install-directory ~/.local/bin
 RUN corepack prepare pnpm@8.7.4 --activate
 
 COPY pnpm-lock.yaml package.json pnpm-workspace.yaml .npmrc tsconfig.json tsconfig.build.json ./
 
+# Fetch the pnpm dependencies, but use a local cache.
+USER rafiki
 RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
     pnpm fetch \
     | grep -v "cross-device link not permitted\|Falling back to copying packages from store"
 
+# Copy the source code and chown the relevant folders back to the Rafiki user
+USER root
 COPY . ./
+RUN chown -v -R rafiki:rafiki /home/rafiki/localenv
+RUN chown -v -R rafiki:rafiki /home/rafiki/packages
+RUN chown -v -R rafiki:rafiki /home/rafiki/test
 
+# As the Rafiki user, install the rest of the dependencies and build the source code
+USER rafiki
 RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
     pnpm install \
     --recursive \
     --offline \
     --frozen-lockfile
-
 RUN pnpm --filter auth build:deps
 
 CMD pnpm --filter auth dev
diff --git a/packages/auth/Dockerfile.prod b/packages/auth/Dockerfile.prod
@@ -45,6 +45,8 @@ RUN pnpm --filter auth build
 
 FROM node:20-alpine3.20 AS runner
 
+RUN adduser -D rafiki
+
 WORKDIR /home/rafiki
 
 COPY --from=prod-deps /home/rafiki/node_modules ./node_modules
@@ -58,4 +60,11 @@ COPY --from=builder /home/rafiki/packages/auth/migrations/ ./packages/auth/migra
 COPY --from=builder /home/rafiki/packages/auth/dist ./packages/auth/dist
 COPY --from=builder /home/rafiki/packages/token-introspection/dist ./packages/token-introspection/dist
 
+USER root
+
+# For additional paranoia, we make it so that the Rafiki user has no write access to the packages
+RUN chown -R :rafiki /home/rafiki/packages
+RUN chmod -R 750 /home/rafiki/packages
+
+USER rafiki
 CMD ["node", "/home/rafiki/packages/auth/dist/index.js"]
diff --git a/packages/backend/Dockerfile.dev b/packages/backend/Dockerfile.dev
@@ -1,24 +1,35 @@
 FROM node:20-alpine3.20
 
+RUN adduser -D rafiki
 WORKDIR /home/rafiki
 
-RUN corepack enable
+# Install Corepack and pnpm as the Rafiki user
+USER rafiki
+RUN mkdir -p /home/rafiki/.local/bin
+ENV PATH="/home/rafiki/.local/bin:$PATH"
+RUN corepack enable --install-directory ~/.local/bin
 RUN corepack prepare pnpm@8.7.4 --activate
-
 COPY pnpm-lock.yaml package.json pnpm-workspace.yaml .npmrc tsconfig.json tsconfig.build.json ./
 
+# Fetch the pnpm dependencies, but use a local cache.
 RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
     pnpm fetch \
     | grep -v "cross-device link not permitted\|Falling back to copying packages from store"
 
+# Copy the source code and chown the relevant folders back to the Rafiki user
+USER root
 COPY . ./
+RUN chown -v -R rafiki:rafiki /home/rafiki/localenv
+RUN chown -v -R rafiki:rafiki /home/rafiki/packages
+RUN chown -v -R rafiki:rafiki /home/rafiki/test
 
+# As the Rafiki user, install the rest of the dependencies and build the source code
+USER rafiki
 RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
     pnpm install \
     --recursive \
     --offline \
     --frozen-lockfile
-
 RUN pnpm --filter backend build:deps
 
 CMD pnpm --filter backend dev
diff --git a/packages/backend/Dockerfile.prod b/packages/backend/Dockerfile.prod
@@ -45,6 +45,8 @@ RUN pnpm --filter backend build
 
 FROM node:20-alpine3.20 AS runner
 
+# Since this is from a fresh image, we need to first create the Rafiki user
+RUN adduser -D rafiki
 WORKDIR /home/rafiki
 
 COPY --from=prod-deps /home/rafiki/node_modules ./node_modules
@@ -59,4 +61,11 @@ COPY --from=builder /home/rafiki/packages/backend/dist ./packages/backend/dist
 COPY --from=builder /home/rafiki/packages/token-introspection/dist ./packages/token-introspection/dist
 COPY --from=builder /home/rafiki/packages/backend/knexfile.js ./packages/backend/knexfile.js
 
+USER root
+
+# For additional paranoia, we make it so that the Rafiki user has no write access to the packages
+RUN chown -R :rafiki /home/rafiki/packages
+RUN chmod -R 750 /home/rafiki/packages
+
+USER rafiki
 CMD ["node", "-r", "/home/rafiki/packages/backend/dist/telemetry/index.js", "/home/rafiki/packages/backend/dist/index.js"]
diff --git a/packages/frontend/Dockerfile.dev b/packages/frontend/Dockerfile.dev
@@ -1,16 +1,24 @@
 FROM node:20-alpine3.20 AS base
 
+RUN adduser -D rafiki
 WORKDIR /home/rafiki
 
-ENV PNPM_HOME="/pnpm"
-ENV PATH="$PNPM_HOME:$PATH"
-
-RUN corepack enable
+# Install Corepack and pnpm as the Rafiki user
+USER rafiki
+RUN mkdir -p /home/rafiki/.local/bin
+ENV PATH="/home/rafiki/.local/bin:$PATH"
+RUN corepack enable --install-directory ~/.local/bin
 RUN corepack prepare pnpm@8.7.4 --activate
 
 COPY pnpm-lock.yaml package.json pnpm-workspace.yaml .npmrc tsconfig.json tsconfig.build.json ./
 COPY packages/frontend ./packages/frontend
 
+# Chown the copied packages folder back to the Rafiki user
+USER root
+RUN chown -v -R rafiki:rafiki /home/rafiki/packages
+
+# Fetch the pnpm dependencies, but use a local cache.
+USER rafiki
 RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
     pnpm fetch \
     | grep -v "cross-device link not permitted\|Falling back to copying packages from store"
diff --git a/packages/frontend/Dockerfile.prod b/packages/frontend/Dockerfile.prod
@@ -41,7 +41,7 @@ RUN --mount=type=cache,id=pnpm,target=/pnpm/store \
 RUN pnpm --filter frontend build
 
 FROM node:20-alpine3.20 AS runner
-
+RUN adduser -D rafiki
 WORKDIR /home/rafiki
 
 COPY --from=prod-deps /home/rafiki/node_modules ./node_modules
@@ -51,5 +51,11 @@ COPY --from=prod-deps /home/rafiki/packages/frontend/package.json ./packages/fro
 COPY --from=builder /home/rafiki/packages/frontend/build ./packages/frontend/build
 COPY --from=builder /home/rafiki/packages/frontend/public ./packages/frontend/public
 
+USER root
+RUN chown -R :rafiki /home/rafiki/packages
+RUN chmod -R 750 /home/rafiki/packages
+
+USER rafiki
+
 WORKDIR /home/rafiki/packages/frontend
 CMD ["sh", "./node_modules/.bin/remix-serve", "./build/index.js"]
