Stop running frontend and processor with root user (#451)

kitspace · Nov 4, 2022 · 7f1aa16 · 7f1aa16
1 parent 5174479
commit 7f1aa16
Show file tree

Hide file tree

Showing 6 changed files with 30 additions and 12 deletions.
diff --git a/docker-compose.override.yml b/docker-compose.override.yml
@@ -40,6 +40,7 @@ services:
       dockerfile: Dockerfile
 
   processor:
+    user: root
     build:
       context: processor/
       dockerfile: Dockerfile

diff --git a/docker-compose.yml b/docker-compose.yml
@@ -80,7 +80,7 @@ services:
       - redis
       - meilisearch
     volumes:
-      - gitea-data:/gitea-data
+      - gitea-data:/gitea-data:ro
       - processor-data:/data
       # share docker daemon when running docker inside docker
       - /var/run/docker.sock:/var/run/docker.sock

diff --git a/frontend/Dockerfile b/frontend/Dockerfile
@@ -22,12 +22,20 @@ COPY yarn.lock .
 RUN yarn --frozen-lockfile
 
 FROM base AS production
-COPY --from=build /build/.next/ .next/
-COPY --from=build /deps/node_modules/ node_modules/
-COPY package.json .
-COPY next.config.js .
-COPY public/ public/
-RUN mkdir src/
-COPY src/server.js src/server.js
+
 ENV NODE_ENV=production
-CMD yarn start
+# give the node user read-only permissions
+ARG PERMISSION=644
+COPY --chmod=${PERMISSION} --from=build /deps/node_modules/ node_modules/
+COPY --chmod=${PERMISSION} package.json .
+COPY --chmod=${PERMISSION} next.config.js .
+COPY --chmod=${PERMISSION} public/ public/
+COPY --chmod=${PERMISSION} src/server.js server.js
+
+# The `.next` directory is used by `next/image` to cache optimized images.
+# So it needs to be owned by the `node` user.
+COPY --chown=node:node --from=build /build/.next/ .next/
+
+USER node
+
+CMD ["node", "server.js"]
diff --git a/processor/.dockerignore b/processor/.dockerignore
@@ -2,3 +2,4 @@
 *Dockerfile*
 *docker-compose*
 node_modules
+dist
diff --git a/processor/Dockerfile b/processor/Dockerfile
@@ -19,14 +19,17 @@ RUN apt-get update -qq && apt-get install -qq --no-install-recommends -y \
     python3-pip \
     git
 
-RUN mkdir /app
 WORKDIR /app
-
 COPY . .
-
 RUN pip3 install -r requirements.txt
 RUN yarn install
 RUN yarn tsc
 RUN yarn cp-assets
 
+RUN addgroup --gid 1000 node && \
+    adduser -u 1000 --gid 1000 node --shell /bin/bash --home /home/node && \
+    mkdir /data /gitea-data && \
+    chown -R node /data /gitea-data
+
+USER node
 CMD ["node", "dist/src/server.js"]
diff --git a/scripts/clear_volumes_and_test_processor.sh b/scripts/clear_volumes_and_test_processor.sh
@@ -20,7 +20,12 @@ docker-compose down -v
 
 # you can pass arguments to mocha e.g. `-g multi`
 args="$(concatenate_args "$@")"
+
+# We need to install packages, compile ts, and move assets before running the actual testing code.
+# The `node` user doesn't have permission to do any of these tasks.
 docker-compose run \
+    -u root \
+    --rm \
     -e LOG_LEVEL=debug \
     -e DATA_DIR=/data/test \
     processor sh -c "yarn install && yarn tsc && yarn cp-assets && yarn cp-test-assets && yarn test ${args}"