Improve Dockerfile security by adding non-privileged user #10
mhandl wants to merge 1 commit into Evolveum:master from
Conversation
- Standardize AS stage naming with uppercase
- Create midpoint system user and group based on base image
- Set proper ownership of midpoint directory
- Switch to non-privileged user for container execution

This change improves security by running the container as a non-privileged user instead of root.
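An added example of the four steps listed in the description, written for this page and not taken from the PR or from the midPoint project. The base image, the `/opt/midpoint` install path, the `midpoint.sh` entrypoint, the `midpoint-dist/` build-context directory, and the fixed UID/GID of 1001 are assumptions chosen for illustration:

```dockerfile
# Example Dockerfile (added here; not the Dockerfile from this PR or from
# the midPoint project). The base image, MP_DIR/MP_HOME paths, UID/GID and
# the midpoint.sh entrypoint are assumptions for illustration.
FROM ubuntu:22.04 AS base

# Install location and data directory as build args, so the same file can
# be reused with other base images.
ARG MP_DIR=/opt/midpoint
ARG MP_UID=1001
ARG MP_GID=1001
ENV MP_HOME=${MP_DIR}/var

# Create a system group and user with fixed numeric IDs. Fixed IDs keep the
# owner of files on a persistent volume stable across image rebuilds.
# (On Alpine the equivalent calls are `addgroup -S -g ${MP_GID} midpoint`
# and `adduser -S -u ${MP_UID} -G midpoint midpoint`; on Rocky Linux the
# groupadd/useradd form below works as-is.)
RUN groupadd --system --gid ${MP_GID} midpoint \
 && useradd --system --uid ${MP_UID} --gid ${MP_GID} \
      --home-dir ${MP_DIR} --shell /usr/sbin/nologin midpoint

# Copy the distribution in while still root, then hand ownership of the
# whole tree (including MP_HOME) to the service account.
COPY --chown=midpoint:midpoint ./midpoint-dist/ ${MP_DIR}/
RUN mkdir -p ${MP_HOME} && chown -R midpoint:midpoint ${MP_DIR}

# Everything after this line, including the container's main process,
# runs as the unprivileged user; a compromised application no longer
# holds root inside the container.
USER midpoint
WORKDIR ${MP_DIR}
EXPOSE 8080
ENTRYPOINT ["/opt/midpoint/bin/midpoint.sh"]
CMD ["start"]
```

To confirm the switch took effect, run `id` as the image's default command and check that it reports uid 1001 rather than 0. A volume created by an earlier image that ran as root is still owned by UID 0, so, as the author notes below, its MP_HOME must be re-owned to the midpoint account (for example with a one-off container that mounts the volume and runs `chown -R 1001:1001` on it) before the new image can write to it.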
Tested with the latest Docker images for Alpine, Ubuntu, and Rocky Linux. Note: Be aware that any MP_HOME persistent volumes created with previous MidPoint Docker images were created with privileged account permissions. Containers updated with new Docker images (using a non-privileged account) will not have write access to these persistent volumes. To fix the permissions, these volumes must be manually corrected, such as changing MP_HOME ownership to the account midpoint.
Nice job! Very interested in this security improvement.
FYI: this one is coming directly in the MP repo in the not-so-distant future: https://github.com/Evolveum/midpoint/tree/feature/docker/tools/docker
@virgo47 nice that you are including the tool right in the mp project, but I guess for older mp versions we will have to work with this one, so please consider merging this PR :-)