non-root user for running node in Dockerfile (#369)

9bf33c15 · Federico Gimenez · Gavin Wood · f7f311ae · 9bf33c15
Commit 9bf33c15 authored Aug 16, 2019 by Federico Gimenez Committed by Gavin Wood Aug 16, 2019
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
-FROM phusion/baseimage:0.10.1 as builder
+FROM phusion/baseimage:0.10.2 as builder
 LABEL maintainer "chevdor@gmail.com"
 LABEL description="This is the build stage for Polkadot. Here we create the binary."
@@ -17,7 +17,7 @@ RUN curl https://sh.rustup.rs -sSf | sh -s -- -y && \
 # ===== SECOND STAGE ======
-FROM phusion/baseimage:0.10.0
+FROM phusion/baseimage:0.10.2
 LABEL maintainer "chevdor@gmail.com"
 LABEL description="This is the 2nd stage: a very small image where we copy the Polkadot binary."
 ARG PROFILE=release
@@ -27,11 +27,13 @@ RUN mv /usr/share/ca* /tmp && \
 	rm -rf /usr/share/*  && \
 	mv /tmp/ca-certificates /usr/share/ && \
 	rm -rf /usr/lib/python* && \
-	mkdir -p /root/.local/share/polkadot && \
+	rm -rf /usr/bin /usr/sbin && \
-	ln -s /root/.local/share/polkadot /data
+	useradd -m -u 1000 -U -s /bin/sh -d /polkadot polkadot && \
+	mkdir -p /polkadot/.local/share/polkadot && \
-RUN	rm -rf /usr/bin /usr/sbin
+	chown -R polkadot:polkadot /polkadot/.local && \
+	ln -s /polkadot/.local/share/polkadot /data
+USER polkadot
 EXPOSE 30333 9933 9944
 VOLUME ["/data"]