Working on a version of the container that doesn't execute as root.

ballenspectric · ballenspectric · commit ce506718034e · 2023-04-17T19:06:07.000-04:00
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
@@ -6,6 +6,8 @@ on:
 
 env:
   REGISTRY: ghcr.io
+  DOCKER_BUILDKIT: 1
+  BUILDKIT_PROGRESS: plain
 
 jobs:
   build-and-push-image:
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -6,6 +6,8 @@ on:
 
 env:
   REGISTRY: ghcr.io
+  DOCKER_BUILDKIT: 1
+  BUILDKIT_PROGRESS: plain
 
 jobs:
   test:
diff --git a/Dockerfile b/Dockerfile
@@ -13,16 +13,18 @@ RUN poetry build
 
 FROM python:3.10 AS deployment
 LABEL maintainer="foss@spectric.com"
+RUN useradd -d /home/datashader datashader && \
+    mkdir -p /home/datashader /opt/elastic_datashader/tms-cache && \
+    chown -R datashader:datashader /home/datashader /opt/elastic_datashader
 
-ENV PIP_ROOT_USER_ACTION=ignore
-
-COPY --from=builder /build/dist/*.whl /opt/elastic_datashader/
-RUN mkdir -p /opt/elastic_datashader/tms-cache && \
-    pip install --upgrade pip && \
-    pip install --no-cache-dir /opt/elastic_datashader/*.whl && \
+USER datashader
+RUN mkdir /home/datashader/tmp
+COPY --from=builder /build/dist/*.whl /home/datashader/tmp/
+RUN pip install --upgrade pip && \
+    pip install --no-cache-dir /home/datashader/*.whl && \
     pip install uvicorn
 
-COPY deployment/logging_config.yml /opt/elastic_datashader
+COPY deployment/logging_config.yml /opt/elastic_datashader/
 
 VOLUME ["/opt/elastic_datashader/tms-cache"]
 ENV DATASHADER_CACHE_DIRECTORY=/opt/elastic_datashader/tms-cache
