fix: ensure that compute functions are running as non-root

Signed-off-by: SdgJlbl <sarah.diot-girard@owkin.com>
Substra · Jul 22, 2024 · 9086b1e · 9086b1e
1 parent c4bdf50
commit 9086b1e
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 0 deletions.
diff --git a/changes/228.fixed b/changes/228.fixed
@@ -0,0 +1,4 @@
+Add a non-root user to the generated Dockerfile for the compute functions.
+
+Compute pods were already running as non-root (ensured by a security context in the backend), we are making it more
+explicit here.
diff --git a/substrafl/remote/register/register.py b/substrafl/remote/register/register.py
@@ -37,6 +37,13 @@
 # update image
 RUN apt update -y
 
+# create a non-root user
+RUN addgroup --gid 1001 group
+RUN adduser --disabled-password --gecos "" --uid 1001 --gid 1001 --home /home/user user
+ENV PYTHONPATH /home/user
+WORKDIR /home/user
+USER user
+
 # install dependencies
 RUN python{python_version} -m pip install -U pip
 

diff --git a/tests/remote/register/test_register.py b/tests/remote/register/test_register.py
@@ -70,6 +70,13 @@ def test_create_dockerfile(tmp_path, mocker, local_installable_module):
 # update image
 RUN apt update -y
 
+# create a non-root user
+RUN addgroup --gid 1001 group
+RUN adduser --disabled-password --gecos "" --uid 1001 --gid 1001 --home /home/user user
+ENV PYTHONPATH /home/user
+WORKDIR /home/user
+USER user
+
 # install dependencies
 RUN python{python_version} -m pip install -U pip