Run tomcat as non-root user
Based on PR georchestra#442
Updated according to suggestions from @edevosc2c on PR georchestra#612
jeanpommier committed Oct 30, 2024
1 parent a64b9b0 commit 4dd778e
Showing 1 changed file with 13 additions and 4 deletions.
17 changes: 13 additions & 4 deletions Dockerfile
@@ -19,12 +19,20 @@ RUN if [ "$TOMCAT_EXTRAS" = false ]; then \
find "${CATALINA_BASE}/webapps/" -delete; \
fi

# Create a non-privileged tomcat user
ARG USER_GID=999
ARG USER_UID=999
RUN addgroup --gid ${USER_GID} tomcat && \
adduser --system -u ${USER_UID} --gid ${USER_GID} --no-create-home tomcat && \
chown -R tomcat:tomcat ${CATALINA_BASE}/ && \
chown tomcat:tomcat /docker-entrypoint.d

# Add application from first stage
COPY --from=extractwar /tmp/mapstore "${CATALINA_BASE}/webapps/mapstore"
COPY georchestra-docker-scripts/ /
COPY --chown=tomcat:tomcat --from=extractwar /tmp/mapstore "${CATALINA_BASE}/webapps/mapstore"
COPY --chown=tomcat:tomcat georchestra-docker-scripts/ /
# SHould be override in 2024.xx when a server.xml on 8080 will be available
COPY docker/server.xml "${CATALINA_BASE}/conf/"

COPY --chown=tomcat:tomcat docker/server.xml "${CATALINA_BASE}/conf/"
USER tomcat

# Geostore externalization template. Disabled by default
# COPY docker/geostore-datasource-ovr.properties "${CATALINA_BASE}/conf/"
@@ -38,4 +46,5 @@ ENV TERM xterm
# Necessary to execute tomcat and custom scripts
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["catalina.sh", "run"]

EXPOSE 8080
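Review bot: The new `chown -R tomcat:tomcat ${CATALINA_BASE}/` and the three `COPY --chown=tomcat:tomcat` lines make the runtime user the owner of everything it executes (the webapp, `conf/server.xml` and the scripts copied to `/`), so a file-write flaw in the application could rewrite its own code or configuration even though the process no longer runs as root. If the entrypoint scripts, which are not visible in this diff, do not need to modify those files at start-up, leave them root-owned and readable and limit the chown to the directories Tomcat writes to, for example `chown -R tomcat:tomcat "${CATALINA_BASE}/logs" "${CATALINA_BASE}/temp" "${CATALINA_BASE}/work"`. Separately, `USER tomcat` is a name, which Kubernetes cannot verify under `runAsNonRoot: true`; `USER ${USER_UID}:${USER_GID}` keeps the same identity in numeric form.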
