security: add non-root appuser to services/ml/Dockerfile
Create system user appuser with useradd, set ownership of /app, and switch to non-root user before CMD to reduce container attack surface. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Marko Djordjevic
parent
34e543ea96
commit
1438e474e8
2 changed files with 8 additions and 1 deletions
|
|
@ -32,5 +32,12 @@ COPY . .
|
|||
# Expose port for FastAPI
|
||||
EXPOSE 8001
|
||||
|
||||
# Create non-root user and set ownership
|
||||
RUN useradd -r -s /bin/false appuser
|
||||
RUN chown -R appuser:appuser /app
|
||||
|
||||
# Switch to non-root user
|
||||
USER appuser
|
||||
|
||||
# Run the inference server by default
|
||||
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8001"]
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue