Rework creation of unprivileged user and installation of dependencies

Also add a section to update pip and setuptools via pip.
cisagov · Nov 4, 2022 · 4a41b91 · 4a41b91
1 parent 5841955
commit 4a41b91
Showing 1 changed file with 55 additions and 7 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -13,17 +13,65 @@ ARG VERSION
 LABEL org.opencontainers.image.authors="mark.feldhousen@cisa.dhs.gov"
 LABEL org.opencontainers.image.vendor="Cybersecurity and Infrastructure Security Agency"
 
-ARG CISA_UID=421
+###
+# Unprivileged user setup variables
+###
+ARG CISA_GID=421
+ARG CISA_UID=${CISA_GID}
+ENV CISA_USER="cisa"
+ENV CISA_GROUP=${CISA_USER}
 ENV CISA_HOME="/home/cisa"
 ENV ECHO_MESSAGE="Hello World from Dockerfile"
 
-RUN addgroup --system --gid ${CISA_UID} cisa \
-  && adduser --system --uid ${CISA_UID} --ingroup cisa cisa
+###
+# Unprivileged user setup dependencies
+#
+# Install shadow, so we have adduser and addgroup.
+#
+# Note that we use apk --no-cache to avoid writing to a local cache.
+# This results in a smaller final image, at the cost of slightly
+# longer install times.
+#
+# Setup user dependencies are only needed for setting up the user and
+# will be removed at the end of that process.
+###
+ENV SETUP_USER_DEPS \
+    shadow
+RUN apk --update --no-cache --quiet upgrade
+RUN apk --no-cache --quiet add ${SETUP_USER_DEPS}
+
+###
+# Create unprivileged user
+###
+RUN addgroup --system --gid ${CISA_UID} ${CISA_GROUP} \
+    && adduser --system --uid ${CISA_UID} --ingroup ${CISA_GROUP} ${CISA_USER}
+
+###
+# Remove build dependencies for unprivileged user
+###
+RUN apk --no-cache --quiet del ${SETUP_USER_DEPS}
+
+###
+# Dependencies
+#
+# Note that we use apk --no-cache to avoid writing to a local cache.
+# This results in a smaller final image, at the cost of slightly
+# longer install times.
+###
+ENV DEPS \
+    ca-certificates \
+    openssl \
+    py-pip
+RUN apk --no-cache --quiet add ${DEPS}
 
-RUN apk --update --no-cache add \
-ca-certificates \
-openssl \
-py-pip
+###
+# Make sure pip and setuptools are the latest versions
+#
+# Note that we use pip --no-cache-dir to avoid writing to a local
+# cache.  This results in a smaller final image, at the cost of
+# slightly longer install times.
+###
+RUN pip install --no-cache-dir --upgrade pip setuptools
 
 WORKDIR ${CISA_HOME}