Run Drill using a new non-root "drilluser" account, fix default JDK b…

…ase image. (#2328)
apache · Oct 10, 2021 · d210b3f · d210b3f
1 parent 317f164
commit d210b3f
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -24,7 +24,7 @@
 #
 # {docker|podman} build \
 #    --build-arg BUILD_BASE_IMAGE=maven:3.8.2-openjdk-11 \
-#    --build-arg BASE_IMAGE=openjdk:11-jre \
+#    --build-arg BASE_IMAGE=openjdk:11 \
 #    -t apache/drill-openjdk-11 
 
 # Unless otherwise specified, the intermediate container image will be 
@@ -33,7 +33,7 @@ ARG BUILD_BASE_IMAGE=maven:3.8.2-openjdk-8
 
 # Unless otherwise specified, the final container image will be based on
 # the following default.
-ARG BASE_IMAGE=openjdk:8-jre
+ARG BASE_IMAGE=openjdk:8
 
 # Uses intermediate image for building Drill to reduce target image size
 FROM $BUILD_BASE_IMAGE as build
@@ -56,12 +56,18 @@ RUN VERSION=$(mvn -q -Dexec.executable=echo -Dexec.args='${project.version}' --n
 # Set the BASE_IMAGE build arg when you invoke docker build.  
 FROM $BASE_IMAGE
 
-ENV DRILL_HOME=/opt/drill
+ENV DRILL_HOME=/opt/drill DRILL_USER=drilluser
 
 RUN mkdir $DRILL_HOME
 
 COPY --from=build /opt/drill $DRILL_HOME
 
+RUN groupadd -g 999 $DRILL_USER \
+ && useradd -r -u 999 -g $DRILL_USER $DRILL_USER -m -d /var/lib/drill \
+ && chown -R $DRILL_USER: $DRILL_HOME
+
+USER $DRILL_USER
+
 # Starts Drill in embedded mode and connects to Sqlline
 ENTRYPOINT $DRILL_HOME/bin/drill-embedded
 
diff --git a/distribution/Dockerfile b/distribution/Dockerfile
@@ -17,16 +17,25 @@
 #
 
 # This Dockerfile may be used during development. It adds built binaries from distribution/target folder
-# into the target image based on openjdk:8u232-jdk image.
+# into the target image based on openjdk:8 image.  If you've built Drill using a JDK version greater than
+# the one in the FROM command in this Dockerfile then you should bump this one up to match or exceed that.
 
-FROM openjdk:8u232-jdk
+FROM openjdk:8
 
 # Project version defined in pom.xml is passed as an argument
 ARG VERSION
 
+ENV DRILL_HOME=/opt/drill DRILL_USER=drilluser
+
 RUN mkdir /opt/drill
 
 COPY target/apache-drill-$VERSION/apache-drill-$VERSION /opt/drill
 
+RUN groupadd -g 999 $DRILL_USER \
+ && useradd -r -u 999 -g $DRILL_USER $DRILL_USER -m -d /var/lib/drill \
+ && chown -R $DRILL_USER: $DRILL_HOME
+
+USER $DRILL_USER
+
 # Starts Drill in embedded mode and connects to Sqlline
 ENTRYPOINT /opt/drill/bin/drill-embedded