Merge pull request #12 from Granulate/feature/run-webapp-as-non-root

run webapp as non root
Granulate · Feb 25, 2024 · 483318e · 483318e
2 parents 30df507 + 07535b9
commit 483318e
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 4 deletions.
diff --git a/deploy/.env b/deploy/.env
@@ -35,7 +35,7 @@ REST_PASSWORD=pass
 
 BUCKET_NAME=performance_studio_bucket
 SQS_INDEXER_QUEUE_URL=performance_studio_queue
-WEBAPP_APP_LOG_FILE_PATH="${COMMON_LOGS_DIR}/webapp.log"
+WEBAPP_APP_LOG_FILE_PATH="webapp.log"
 
 # agents-logs:
 

diff --git a/deploy/docker-compose.yml b/deploy/docker-compose.yml
@@ -74,8 +74,6 @@ services:
 # for debug
 #    ports:
 #      - "8888:80"
-    volumes:
-      - "logs:${COMMON_LOGS_DIR}"
 
   # ---
   ch-rest-service:

diff --git a/src/gprofiler/Dockerfile b/src/gprofiler/Dockerfile
@@ -57,6 +57,18 @@ COPY --from=frontend_dependencies /frontend/build frontend
 COPY gprofiler/backend backend
 COPY gprofiler/nginx/logrotate.conf /etc/nginx/logrotate.conf
 
+RUN useradd -m -s /bin/bash -u 888 non_root && \
+    chown -R non_root:non_root /usr/src/app && \
+    chown -R non_root:non_root /etc/nginx && \
+    chown -R non_root:non_root /var/cache/nginx && \
+    chown -R non_root:non_root /var/log/nginx && \
+    chown -R non_root:non_root /tmp/nginx && \
+    chown -R non_root:non_root /var/run && \
+    chown -R non_root:non_root /run && \
+    chown -R non_root:non_root /var/lib/logrotate
+
+USER non_root
+
 # run logrotate
 RUN logrotate /etc/nginx/logrotate.conf
 

diff --git a/src/gprofiler/nginx/nginx.conf b/src/gprofiler/nginx/nginx.conf
@@ -1,4 +1,3 @@
-user root;
 worker_processes 32;
 worker_rlimit_nofile 100000;
 pid /run/nginx.pid;