
feat(Dockerfile)!: use an unprivileged user to run application

Add an unprivileged user to the Dockerfile in both production and development images.

This MR is based on uis/devops/regent-house-ballots/ballots-webapp!83 which was successfully deployed to the development instance with no deployment-side changes needed.

Regent house ballots is a good test because, unlike the bare boilerplate, it installs some system dependencies in order to run tox. This required adding a workaround to the container:tox image in order to run tests as the unprivileged user but still install dependencies.

Specifically, the .gitlab/webapp.gitlab-ci.yml file needed the docker command that runs the tests changed to:

docker run --rm --network host --entrypoint="" \
  -e TEST_USE_EXTERNAL_DATABASE -e EXTERNAL_SETTING_DATABASES \
  --user root \
  "$APPLICATION_IMAGE" \
  "/bin/bash" "-c" "apt-get -y update && apt-get -y install pkg-config build-essential libxmlsec1-dev && su --shell=/usr/bin/bash '--command=poetry install --no-root --sync' webapp && su --shell=/usr/bin/bash '--command=poetry run pytest' webapp"

Since some other downstream projects may need similar workarounds, this change is marked as BREAKING.

Closes #122
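The shape of Dockerfile change this MR describes, as an added example rather than the project's own Dockerfile: the base image, UID, working directory and the way poetry is installed are assumptions; only the user name "webapp", the apt packages and the poetry commands come from the MR description above.

```dockerfile
# Added example, not the project's Dockerfile. Base image, UID and paths are
# assumed; the user name "webapp" and the commands match the MR description.
FROM python:3.11-slim

# Create a dedicated unprivileged user with a fixed UID so that file ownership
# is stable across rebuilds and CI can refer to it explicitly if needed.
RUN groupadd --gid 1000 webapp \
 && useradd --uid 1000 --gid webapp --create-home --shell /usr/bin/bash webapp

# Everything that needs root (system packages, poetry itself) happens before
# USER is switched. Once the image runs as "webapp", apt-get is no longer
# possible, which is exactly why the CI job above re-enters with --user root
# and drops back to "webapp" via su for poetry install / pytest.
RUN apt-get -y update \
 && apt-get -y install --no-install-recommends \
        pkg-config build-essential libxmlsec1-dev \
 && rm -rf /var/lib/apt/lists/* \
 && pip install --no-cache-dir poetry

WORKDIR /usr/src/app

# Hand the source tree to the unprivileged user before switching, so poetry can
# create its virtualenv and pytest can write its cache without root.
COPY --chown=webapp:webapp . .

# From here on every RUN, and the container at runtime, executes as "webapp".
USER webapp

RUN poetry install --no-root --sync

# No ENTRYPOINT/CMD shown: the CI command above overrides the entrypoint anyway.
```

Running `docker run --rm --entrypoint "" <image> id -u` against an image built this way prints `1000`, which is a cheap check to add to CI that the production image really is not running as root.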
