diff --git a/template/csharp/Dockerfile b/template/csharp/Dockerfile index 82bbaeef4..63d9da847 100644 --- a/template/csharp/Dockerfile +++ b/template/csharp/Dockerfile @@ -4,12 +4,13 @@ ENV DOTNET_CLI_TELEMETRY_OPTOUT 1 # Optimize for Docker builder caching by adding projects first. -RUN mkdir -p /root/src/function -WORKDIR /root/src/function +RUN mkdir -p /home/app/src/function +WORKDIR /home/app/src/function COPY ./function/Function.csproj . -WORKDIR /root/src/ +WORKDIR /home/app/src COPY ./root.csproj . + RUN dotnet restore ./root.csproj COPY . . @@ -17,6 +18,7 @@ COPY . . RUN dotnet publish -c release -o published FROM microsoft/dotnet:2.0-runtime +RUN useradd app #ADD https://github.com/openfaas/faas/releases/download/0.6.1/fwatchdog /usr/bin RUN apt-get update -qy \ @@ -28,8 +30,11 @@ RUN apt-get update -qy \ && apt-get clean \ && rm -rf /var/lib/apt/lists/* -WORKDIR /root/ -COPY --from=builder /root/src/published . +WORKDIR /home/app/ +COPY --from=builder /home/app/src/published . + +RUN chown -R app ./ +USER app ENV fprocess="dotnet ./root.dll" EXPOSE 8080 diff --git a/template/node/Dockerfile b/template/node/Dockerfile index 30e6057b0..f49632bf3 100644 --- a/template/node/Dockerfile +++ b/template/node/Dockerfile @@ -9,8 +9,6 @@ RUN apk --no-cache add curl \ && chmod +x /usr/bin/fwatchdog \ && apk del curl --no-cache -WORKDIR /root/ - # Turn down the verbosity to default level. ENV NPM_CONFIG_LOGLEVEL warn diff --git a/template/python/Dockerfile b/template/python/Dockerfile index 29afbd6cf..8f49b3d50 100644 --- a/template/python/Dockerfile +++ b/template/python/Dockerfile @@ -1,5 +1,7 @@ FROM python:2.7-alpine +RUN adduser app -D + # Alternatively use ADD https:// (which will not be cached by Docker builder) RUN apk --no-cache add curl \ && echo "Pulling watchdog binary from Github." \ 
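Review bot: `RUN useradd app` in the runtime stage of template/csharp/Dockerfile takes whatever UID the base image assigns next, and `USER app` then refers to the account by name only. Orchestrators that enforce a non-root policy (for example Kubernetes `runAsNonRoot`) can only verify a numeric UID, so an image with a named user may be refused. I would pin the UID and use it in USER: `RUN useradd --uid 10001 app` with `USER 10001` here, and `RUN adduser -D -u 10001 app` for the `adduser app -D` lines added in the python, python3 and ruby templates. The node template's hunk only drops `WORKDIR /root/` and shows no `USER` line, so it is worth confirming that template is not left running as root.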
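Review bot: `RUN chown -R app ./` after the `COPY --from=builder` hands the published application to the runtime user, so the function process can rewrite its own binaries. Dropping root limits what a compromised function can reach, but the code it runs stays writable. Unless the function has to write next to its assemblies, leave the files root-owned and readable and give `app` a separate writable directory. If ownership is wanted, `COPY --chown=app --from=builder /home/app/src/published .` sets it without a second layer that duplicates every file. The same `chown -R app ./` is added at the end of the python, python3 and ruby templates.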
@@ -7,21 +9,26 @@ RUN apk --no-cache add curl \ && chmod +x /usr/bin/fwatchdog \ && apk del curl --no-cache -WORKDIR /root/ +RUN mkdir -p /home/app/function + +COPY index.py /home/app +COPY requirements.txt /home/app -COPY index.py . -COPY requirements.txt . +WORKDIR /home/app RUN pip install -r requirements.txt COPY function function RUN touch ./function/__init__.py -WORKDIR /root/function/ +WORKDIR /home/app/function/ COPY function/requirements.txt . RUN pip install -r requirements.txt -WORKDIR /root/ +WORKDIR /home/app + +RUN chown -R app ./ +USER app ENV fprocess="python index.py" diff --git a/template/python3/Dockerfile b/template/python3/Dockerfile index a44c00030..0e6e5b9c5 100644 --- a/template/python3/Dockerfile +++ b/template/python3/Dockerfile @@ -1,5 +1,7 @@ FROM python:3-alpine +RUN adduser app -D + # Alternatively use ADD https:// (which will not be cached by Docker builder) RUN apk --no-cache add curl \ && echo "Pulling watchdog binary from Github." \ @@ -7,7 +9,7 @@ RUN apk --no-cache add curl \ && chmod +x /usr/bin/fwatchdog \ && apk del curl --no-cache -WORKDIR /root/ +WORKDIR /home/app COPY index.py . COPY requirements.txt . @@ -17,11 +19,15 @@ COPY function function RUN touch ./function/__init__.py -WORKDIR /root/function/ +WORKDIR /home/app/function/ + COPY function/requirements.txt . RUN pip install -r requirements.txt -WORKDIR /root/ +WORKDIR /home/app + +RUN chown -R app ./ +USER app ENV fprocess="python3 index.py" diff --git a/template/ruby/Dockerfile b/template/ruby/Dockerfile index 621fddfbf..dd96bb321 100644 --- a/template/ruby/Dockerfile +++ b/template/ruby/Dockerfile @@ -1,5 +1,7 @@ FROM ruby:2.4-alpine3.6 +RUN adduser app -D + # Alternatively use ADD https:// (which will not be cached by Docker builder) RUN apk --no-cache add curl \ && echo "Pulling watchdog binary from Github." \ 
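Review bot: In template/python/Dockerfile, `COPY index.py /home/app` and `COPY requirements.txt /home/app` name the destination without a trailing slash, so they land inside the directory only because it already exists by then; otherwise Docker would write a file called `/home/app`. Moving `WORKDIR /home/app` above the copies and using `COPY index.py requirements.txt ./`, in line with the relative destinations in the python3 template's hunk, removes that dependency. It also makes `RUN mkdir -p /home/app/function` unnecessary, since `COPY function function` creates the directory. The ruby template's `RUN mkdir -p /home/app/` directly before `WORKDIR /home/app/` is redundant for a similar reason: WORKDIR creates a missing path.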
@@ -7,17 +9,22 @@ RUN apk --no-cache add curl \ && chmod +x /usr/bin/fwatchdog \ && apk del curl --no-cache -WORKDIR /root/ +RUN mkdir -p /home/app/ +WORKDIR /home/app/ COPY Gemfile . COPY index.rb . COPY function function RUN bundle install -WORKDIR /root/function/ +WORKDIR /home/app/function/ RUN bundle install -WORKDIR /root/ +WORKDIR /home/app/ + +RUN chown -R app ./ +USER app + ENV fprocess="ruby index.rb" HEALTHCHECK --interval=2s CMD [ -e /tmp/.lock ] || exit 1