Add non-root user 'app' to all images #57
LGTM
@joe-braley can you please write some tests on these images to check if they really run as
Approving since looks good. Though I do have a question for some of the docker files.
@@ -20,6 +20,15 @@ RUN mkdir -p /usr/lib/jvm && \ | |||
RUN mkdir /staging \ | |||
&& tdnf install -y --releasever=2.0 --installroot /staging zlib | |||
|
|||
# Create a non-root user and group (just like .NET's image) | |||
RUN tdnf install -y gawk shadow-utils \ |
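Review bot: The comment on the new block ("# Create a non-root user and group") does not say which UID and GID the account gets; state the numeric IDs in that comment so consumers can select the user by number and rely on the value not changing between image builds. Separately, `tdnf install -y gawk shadow-utils` is run without `--installroot /staging`, unlike the zlib install just above it, so these packages land in the build filesystem rather than in /staging; if that filesystem is ever shipped, remove the packages and the tdnf cache in the same RUN.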
Q: Do we want to run a `tdnf clean all` after the `tdnf install`?
Same question for the other tdnf commands throughout. I think that might help clean out any temp files and caches. But if there are not any then adding that command might not do anything useful.
Sure! I will create a ticket to track this internally.
This PR adds a non-root user, named `app`. Consumers of the image may choose to run Java applications with a non-root user.
By default, the image still runs as `root`.
Example of a consuming Dockerfile: