Add Dockerfiles to change from using root (#68)

This commit changes the Dockerfile for the azureeyemodule so that the image contains a non-root user by default. This is a requirement from the security team (and is good practice). Co-authored-by: Devin Wong <[email protected]>
microsoft · Dec 15, 2021 · 8ed49d3 · 8ed49d3
1 parent cd94a5a
commit 8ed49d3
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/azureeyemodule/Dockerfile.amd64 b/azureeyemodule/Dockerfile.amd64
@@ -45,7 +45,7 @@ RUN rpm -i /rpm/gstreamer1-1.14.0-3.el8.${ARCH}.rpm && \
     rpm -i /rpm/libwebp-1.0.0-1.el8.${ARCH}.rpm && \
     rpm -i --nodeps /rpm/gstreamer1-plugins-bad-free-1.16.1-1.el8.${ARCH}.rpm && \
     # gstreamer1-rtsp-server
-    rpm -i /rpm/gstreamer1-rtsp-server-1.14.0-1.fc28.${ARCH}.rpm && \															   
+    rpm -i /rpm/gstreamer1-rtsp-server-1.14.0-1.fc28.${ARCH}.rpm && \
     rpm -i --nodeps /rpm/gstreamer1-devel-1.14.0-3.el8.${ARCH}.rpm && \
     rpm -i --nodeps /rpm/gstreamer1-plugins-base-devel-1.14.0-4.el8.${ARCH}.rpm && \
     rpm -i --nodeps /rpm/gstreamer1-rtsp-server-devel-1.14.0-1.fc28.${ARCH}.rpm && \
@@ -81,4 +81,13 @@ RUN cd /app && \
     rm -rf /app/*.h* && \
     rm -rf /app/*.txt
 
+ARG USERNAME=apdk_app \
+    UID=5001 \
+    GROUPNAME=apdk_accessories \
+    GID=5000
+RUN groupadd -g $GID $GROUPNAME && \
+    useradd -m -u $UID -s /bin/bash $USERNAME && usermod -G $GROUPNAME -a $USERNAME && \
+    chown -R $USERNAME: /app/
+USER $USERNAME
+
 CMD ["/bin/bash", "-c", "./app/inference"]
diff --git a/azureeyemodule/Dockerfile.arm64v8 b/azureeyemodule/Dockerfile.arm64v8
@@ -82,4 +82,13 @@ RUN cd /app && \
     rm -rf /app/*.h* && \
     rm -rf /app/*.txt
 
+ARG USERNAME=apdk_app \
+    UID=5001 \
+    GROUPNAME=apdk_accessories \
+    GID=5000
+RUN groupadd -g $GID $GROUPNAME && \
+    useradd -m -u $UID -s /bin/bash $USERNAME && usermod -G $GROUPNAME -a $USERNAME && \
+    chown -R $USERNAME: /app/
+USER $USERNAME
+
 CMD ["/bin/bash", "-c", "./app/inference"]