chore: run container as non-root user
Build and publish container / build (pull_request) Successful in 9m17s
Create a dedicated appuser/appuser system user and group, ensure the copied application file is owned by it, and switch to that user with USER before CMD. EXPOSE 110 25 is unchanged; ports are published via the host -p mapping, so binding them as non-root works in the default Docker network namespace without CAP_NET_BIND_SERVICE.

Fixes #7

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
+6
-1
@@ -3,11 +3,16 @@ FROM python:3.12-slim
|
|||||||
WORKDIR /app
|
WORKDIR /app
|
||||||
ENV PYTHONUNBUFFERED=1
|
ENV PYTHONUNBUFFERED=1
|
||||||
|
|
||||||
|
# Create a dedicated non-root user and group to run the proxy.
|
||||||
|
RUN groupadd --system appuser && useradd --system --gid appuser appuser
|
||||||
|
|
||||||
COPY requirements.txt ./
|
COPY requirements.txt ./
|
||||||
RUN pip install --no-cache-dir -r requirements.txt
|
RUN pip install --no-cache-dir -r requirements.txt
|
||||||
|
|
||||||
COPY proxy_server.py ./
|
COPY --chown=appuser:appuser proxy_server.py ./
|
||||||
|
|
||||||
EXPOSE 110 25
|
EXPOSE 110 25
|
||||||
|
|
||||||
|
USER appuser
|
||||||
|
|
||||||
CMD ["python", "proxy_server.py"]
|
CMD ["python", "proxy_server.py"]
|
||||||
|
|||||||
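Review bot: With `USER appuser` placed before `CMD`, proxy_server.py now binds the ports in `EXPOSE 110 25` as an unprivileged user, and both are below 1024. The `-p` mapping is set up on the host side and does not by itself grant that bind, so it succeeds only where the runtime lets unprivileged processes bind low ports in the container's network namespace, and a successful image build does not exercise it. Either add a comment above `USER appuser` stating that runtime requirement, or have the proxy listen on unprivileged ports and map 110 and 25 to them with `-p`. Separately, `COPY --chown=appuser:appuser proxy_server.py ./` makes the runtime account the owner of the script it executes, so the process can modify its own code; leaving the file root-owned and readable by appuser is the tighter default.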