docker: use a normal user account to run the application

It's best practice to run as a normal account, so create one and use it. Thanks to Michael Halstead <michael@yoctoproject.org> for this. Signed-off-by: Paul Eggleton <paul.eggleton@linux.intel.com>
2025-07-19 20:59:01 +02:00 · 2018-07-10 10:52:25 +02:00 · 2018-07-10 10:52:25 +02:00 · c0d68848c7
commit c0d68848c7
parent eafd78de1e
1 changed files with 5 additions and 1 deletions
--- a/6
+++ b/6
@ -44,7 +44,6 @@ RUN pip install setuptools
 RUN pip3 install setuptools
 RUN pip install -r /requirements.txt
 RUN pip3 install -r /requirements.txt
-RUN mkdir /opt/workdir
 RUN apt-get purge -y autoconf g++ make python3-dev libjpeg-dev libmariadbclient-dev \
 	&& apt-get autoremove -y \
 	&& rm -rf /var/lib/apt/lists/* \
@ -60,5 +59,10 @@ COPY docker/migrate.sh /opt/migrate.sh
 ## do so, you will also have to edit .gitconfig appropriately
 #COPY docker/git-proxy /opt/bin/git-proxy

+RUN mkdir /opt/workdir \
+	&& adduser --system --uid=500 layers \
+	&& chown -R layers /opt
+USER layers
+
 # Start Gunicorn
 CMD ["/usr/local/bin/gunicorn", "wsgi:application", "--workers=4", "--bind=:5000", "--log-level=debug", "--chdir=/opt/layerindex"]