author | Trevor Bramwell <tbramwell@linuxfoundation.org> | 2017-06-21 11:26:43 -0700 |
---|---|---|
committer | Trevor Bramwell <tbramwell@linuxfoundation.org> | 2017-06-22 09:32:43 -0700 |
commit | 83557fd9970eb89129a5ee93e4ce36c9dff51bf6 (patch) | |
tree | c7116b0282a4b1e8d9d73dfee99c94637ff6c8d4 | |
parent | 7f69464d9e184b69e5d6fb70517e48f43d4c56c0 (diff) |
Run Anteater under Docker as Non-Root User
Instead of violating the principle of least privilege, anteater should
be run by a non-root user.
Anteater doesn't need access to anything owned by root to perform
security scanning, and running as a non-root user should prevent it from
creating files owned by root in the future.
JIRA: RELENG-238
Change-Id: I7b75255ff460444763acbcc5d7752e1223860a2b
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
-rw-r--r-- | docker/Dockerfile | 21 |
1 files changed, 14 insertions, 7 deletions
diff --git a/docker/Dockerfile b/docker/Dockerfile
index a625e42..7a82583 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -15,10 +15,13 @@ LABEL version="0.1" description="Anteater - OPNFV Gerrit Security Gate Checks"
 # environment variables
 ARG BRANCH=master
+ARG ANTEATER_USER=opnfv
-ENV HOME /home/opnfv
-ENV ANT_HOME ${HOME}/anteater
-RUN mkdir -p ${ANT_HOME}
+# Anteater is run as user 'opnfv'
+RUN useradd -U -m -s /bin/bash ${ANTEATER_USER}
+
+ENV HOME /home/${ANTEATER_USER}
+ENV ANTEATER_HOME ${HOME}/anteater
 # Packaged dependencies
 RUN yum -y install epel-release
@@ -26,8 +29,12 @@ RUN yum -y update
 RUN yum -y install git python-devel python-pip
 RUN yum clean all
+# Run all following commands and container as non-root user
+USER ${ANTEATER_USER}
+
 # Commands to clone and install
-RUN git clone https://gerrit.opnfv.org/gerrit/releng-anteater ${ANT_HOME}
-WORKDIR ${ANT_HOME}
-RUN /usr/bin/pip install -r ${ANT_HOME}/requirements.txt
-RUN python ${ANT_HOME}/setup.py install
+RUN mkdir -p ${ANTEATER_HOME}
+RUN git clone https://gerrit.opnfv.org/gerrit/releng-anteater ${ANTEATER_HOME}
+WORKDIR ${ANTEATER_HOME}
+RUN /usr/bin/pip install -r ${ANTEATER_HOME}/requirements.txt
+RUN python ${ANTEATER_HOME}/setup.py install
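Review bot: The new `RUN useradd -U -m -s /bin/bash ${ANTEATER_USER}` line in the first hunk leaves the UID to whatever the base image's useradd allocates next, so if the scanner writes into a mounted workspace (the commit message's concern about root-owned files suggests it does) those files end up owned by an unpredictable host UID rather than root — a different number, but the same ownership problem. Pinning it with a build argument, e.g. `ARG ANTEATER_UID=1000` (example value) and `RUN useradd -U -m -u ${ANTEATER_UID} -s /bin/bash ${ANTEATER_USER}`, makes the ownership deterministic and overridable at build time. The comment `# Anteater is run as user 'opnfv'` also hard-codes the default now that the name is an ARG; `# Anteater is run as the non-root user ${ANTEATER_USER} (default: opnfv)` stays true when it is overridden. The rename of ANT_HOME to ANTEATER_HOME touches only this file per the diffstat, so any script or documentation outside it that still reads ANT_HOME would now see it unset — worth a grep before merging.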
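Review bot: With `USER ${ANTEATER_USER}` now placed before the install steps in the second hunk, `RUN /usr/bin/pip install -r ${ANTEATER_HOME}/requirements.txt` and `RUN python ${ANTEATER_HOME}/setup.py install` run without write access to the system site-packages of the yum-based image, so the build is likely to fail with a permission error unless that pip version silently falls back to a per-user install. Installing into the user's home instead keeps the least-privilege intent: `RUN /usr/bin/pip install --user -r ${ANTEATER_HOME}/requirements.txt`, `RUN python ${ANTEATER_HOME}/setup.py install --user`, plus `ENV PATH ${HOME}/.local/bin:${PATH}` so the installed entry point is on the path. The alternative is to keep dependency installation in the root stage and move the `USER` switch to just before the final command; whichever is chosen, the comment above `USER` should say why it sits where it does.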