Switch to nonroot users in containers

Nuckal777 · Mar 13, 2024 · 2b13af6 · 2b13af6
1 parent b7d021b
commit 2b13af6
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 4 deletions.
diff --git a/api.Dockerfile b/api.Dockerfile
@@ -1,12 +1,12 @@
-FROM rust:1.75-bookworm as build
+FROM rust:1.76-bookworm as build
 WORKDIR /app
 COPY . /app
 ENV RUSTFLAGS="-C target-cpu=native"
 RUN cargo build --release
 
-FROM gcr.io/distroless/cc-debian12
+FROM gcr.io/distroless/cc-debian12:nonroot
 COPY --from=build /app/target/release/fastreach-api /
 ENV FASTREACH_GRAPH=/data/graph.bin
 EXPOSE 8080
 STOPSIGNAL SIGINT
-CMD ["./fastreach-api"]
+CMD ["/fastreach-api"]
diff --git a/fastreach-ui/src/lib/IsochroneForm.svelte b/fastreach-ui/src/lib/IsochroneForm.svelte
@@ -79,7 +79,7 @@
                 id="minutes"
                 min={minMinutes}
                 max={maxMinutes}
-                step="5"
+                step="1"
                 bind:value={minutes}
             />
         </div>

diff --git a/ui.Dockerfile b/ui.Dockerfile
@@ -9,3 +9,5 @@ RUN xcaddy build --with github.com/RussellLuo/caddy-ext/ratelimit
 FROM caddy:2.7-alpine
 COPY --from=caddy-build /usr/bin/caddy /usr/bin/caddy
 COPY --from=ui-build /app/fastreach-ui/dist /usr/share/caddy
+RUN addgroup -g 4200 nonroot && adduser -h /home/nonroot -s /sbin/nologin -G nonroot -D -u 4200 nonroot && chown -R nonroot /data/caddy
+USER 4200:4200