feat: Improvement- use non root user for Web container (langgenius#8928)

cuiks · Oct 8, 2024 · 9b3c7d1 · 9b3c7d1
1 parent a10e788
commit 9b3c7d1
Showing 1 changed file with 10 additions and 4 deletions.
diff --git a/web/Dockerfile b/web/Dockerfile
@@ -46,21 +46,27 @@ ENV TZ=UTC
 RUN ln -s /usr/share/zoneinfo/${TZ} /etc/localtime \
     && echo ${TZ} > /etc/timezone
 
-# global runtime packages
-RUN yarn global add pm2 \
-    && yarn cache clean
 
 WORKDIR /app/web
 COPY --from=builder /app/web/public ./public
 COPY --from=builder /app/web/.next/standalone ./
 COPY --from=builder /app/web/.next/static ./.next/static
 
-
 COPY docker/pm2.json ./pm2.json
 COPY docker/entrypoint.sh ./entrypoint.sh
 
+
+# global runtime packages
+RUN yarn global add pm2 \
+    && yarn cache clean \
+    && mkdir /.pm2 \
+    && chown -R 1001:0 /.pm2 /app/web \
+    && chmod -R g=u /.pm2 /app/web
+
+
 ARG COMMIT_SHA
 ENV COMMIT_SHA=${COMMIT_SHA}
 
+USER 1001
 EXPOSE 3000
 ENTRYPOINT ["/bin/sh", "./entrypoint.sh"]