Merge pull request #592 from Uninett/bugfix/anti-root-in-docker-conta…

…iner Run nginx completely unprivileged in container
Uninett · Oct 25, 2024 · 92381ec · 92381ec
2 parents 4ccb9a5 + ab73ddc
commit 92381ec
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 2 deletions.
diff --git a/changelog.d/591.fixed.md b/changelog.d/591.fixed.md
@@ -0,0 +1 @@
+Do not run processes as `root` in Docker production container
diff --git a/docker/Dockerfile b/docker/Dockerfile
@@ -14,15 +14,21 @@ RUN npm run build
 # production environment consisting only of nginx and the statically compiled
 # Argus Frontend application files produced by the build stage
 # FROM: https://mherman.org/blog/dockerizing-a-react-app/
-FROM nginx:stable-alpine
+FROM ghcr.io/nginxinc/nginx-unprivileged:stable-alpine
 
 COPY --from=build /app/build /usr/share/nginx/html
 
-RUN apk add --update tini tree
+USER root
+RUN apk add --no-cache --update tini
 COPY docker/nginx.conf /etc/nginx/conf.d/default.conf
 COPY docker/docker-entrypoint.sh /
 COPY docker/runtime-config-template.json /
 
+# Ensure the unprivileged nginx user can write Argus JS config
+RUN chown nginx /usr/share/nginx/html
+
+USER nginx
+
 ENV REACT_APP_BACKEND_URL=http://fake
 ENV REACT_APP_ENABLE_WEBSOCKETS_SUPPORT=true
 ENV REACT_APP_BACKEND_WS_URL=ws://fake