Run apps in containers as unprivileged user

Dockerfile

@@ -16,6 +16,8 @@ COPY nginx/nginx.conf /etc/nginx/nginx.conf
 
 COPY --from=builder /ng-app/dist /quotes/quotes/assets
 
+RUN addgroup -g 9999 lilia
+
 EXPOSE 80
 
 ENTRYPOINT ["nginx", "-g", "daemon off;"]

api/Dockerfile

@@ -5,6 +5,10 @@ COPY . .
 
 RUN pip install --no-cache-dir --requirement requirements.txt
 
+RUN addgroup -g 9999 lilia
+
 EXPOSE 5000
 
+USER nobody:lilia
+
 ENTRYPOINT ["python", "app.py"]

cms/Dockerfile

@@ -13,12 +13,18 @@ RUN sed -i 's/;cgi.fix_pathinfo=1/cgi.fix_pathinfo=0/' /etc/php7/php.ini && \
 
 COPY php-fpm.conf /etc/php7/php-fpm.d/zz-docker.conf
 
-COPY grav /app/
+RUN addgroup -g 9999 lilia
+
+COPY --chown=nobody:lilia grav /app/
+
+USER nobody:lilia
 
 WORKDIR /app
 RUN php7 bin/gpm install admin form login email
 RUN php7 bin/grav install
 
+USER root:root
+
 EXPOSE 9000
 
-CMD ["php-fpm7", "--allow-to-run-as-root"]
+CMD ["php-fpm7"]

cms/php-fpm.conf

@@ -3,8 +3,8 @@ daemonize = no
 error_log = /proc/self/fd/2
 
 [www]
-user = root
+user = nobody
-group = root
+group = lilia
 listen = 9000
 clear_env = no
 catch_workers_output = yes

nginx/nginx.conf

@@ -1,4 +1,4 @@
-user  nginx;
+user  nginx lilia;
 worker_processes  1;
 
 error_log  /var/log/nginx/error.log warn;