From 4c801df4f2ade96eca069aaad774a204179a1dde Mon Sep 17 00:00:00 2001 From: Luke Parker Date: Sun, 30 Jul 2023 07:23:14 -0400 Subject: [PATCH] Don't run apps in Docker as root --- orchestration/README.md | 2 +- orchestration/coins/bitcoin/Dockerfile | 16 ++++++++++------ orchestration/coins/monero/Dockerfile | 15 ++++++++++----- orchestration/docker-compose.yml | 12 ++++++------ orchestration/message-queue/Dockerfile | 16 ++++++++++------ orchestration/processor/Dockerfile | 16 ++++++++++------ orchestration/serai/Dockerfile | 14 +++++++++----- 7 files changed, 56 insertions(+), 35 deletions(-) diff --git a/orchestration/README.md b/orchestration/README.md index 5420f84c..a9ef1a03 100644 --- a/orchestration/README.md +++ b/orchestration/README.md @@ -22,7 +22,7 @@ All commands are assumed to be ran from `/deploy`, not the root folder. * `processor` - Serai processor for one external network. * `serai` - Serai node -* `cluster-sm` - "Alice", "Bob", and "Charlie" Serai nodes, all validators +* `cluster-sm` - "Alice", "Bob", and "Charlie" Serai nodes, all as validators * `cluster-lg` - `cluster-sm` with non-validators "Dave", "Eve", and "Ferdie" You can supply one or more profiles to the docker compose command to orchestrate diff --git a/orchestration/coins/bitcoin/Dockerfile b/orchestration/coins/bitcoin/Dockerfile index a3b215ff..3d5f9a6a 100644 --- a/orchestration/coins/bitcoin/Dockerfile +++ b/orchestration/coins/bitcoin/Dockerfile 
@@ -25,16 +25,20 @@ RUN grep bitcoin-${BITCOIN_VERSION}-x86_64-linux-gnu.tar.gz SHA256SUMS | sha256s # Prepare Image RUN tar xzvf bitcoin-${BITCOIN_VERSION}-x86_64-linux-gnu.tar.gz +RUN mv bitcoin-${BITCOIN_VERSION}/bin/bitcoind . FROM debian:bookworm-slim as image -WORKDIR /home/bitcoin -COPY --from=builder /home/bitcoin/* . -RUN mv bin/* /bin && mv lib/* /lib -COPY ./scripts /scripts - # Upgrade packages RUN apt update && apt upgrade -y +# Switch to a non-root user +RUN useradd --system --create-home --shell /sbin/nologin bitcoin +USER bitcoin +WORKDIR /home/bitcoin + +COPY --from=builder --chown=bitcoin /home/bitcoin/bitcoind /bin +COPY ./scripts /scripts + EXPOSE 8332 8333 18332 18333 18443 18444 -VOLUME ["/home/bitcoin/.bitcoin"] +# VOLUME ["/home/bitcoin/.bitcoin"] diff --git a/orchestration/coins/monero/Dockerfile b/orchestration/coins/monero/Dockerfile index a761fab9..930a936e 100644 --- a/orchestration/coins/monero/Dockerfile +++ b/orchestration/coins/monero/Dockerfile @@ -29,12 +29,17 @@ RUN tar -xvjf monero-linux-x64-v${MONERO_VERSION}.tar.bz2 --strip-components=1 # Build the actual image FROM alpine:latest as image -WORKDIR /home/monero -COPY --from=builder /home/monero/monerod /bin -ADD scripts /scripts - # Upgrade packages RUN apk update && apk upgrade && apk add gcompat +# Switch to a non-root user +# System user (not a human), shell of nologin, no password assigned +RUN adduser -S -s /sbin/nologin -D monero +USER monero + +WORKDIR /home/monero +COPY --from=builder --chown=monero /home/monero/monerod /bin +ADD scripts /scripts + EXPOSE 18080 18081 -VOLUME /home/monero/.bitmonero +# VOLUME /home/monero/.bitmonero diff --git a/orchestration/docker-compose.yml b/orchestration/docker-compose.yml index 6c88f46d..dee84da5 100644 --- a/orchestration/docker-compose.yml +++ b/orchestration/docker-compose.yml 
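Review bot: `COPY --from=builder --chown=bitcoin /home/bitcoin/bitcoind /bin` hands ownership of the executable to the account that runs it, so a compromised bitcoind process could rewrite its own binary; COPY itself runs with build-time root rights regardless of the preceding `USER bitcoin`, so the `--chown` is not needed for the copy to succeed. Keep binaries root-owned and reserve `--chown` for data the service must write: `COPY --from=builder /home/bitcoin/bitcoind /bin/`. The same applies to the `--chown` on the binary copies in the monero, message-queue, processor and serai Dockerfile hunks of this patch. The `VOLUME` line is commented out rather than removed; if the data directory is now expected to come from compose, a short comment saying so would keep the next reader from re-enabling it.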
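Review bot: `ADD scripts /scripts` is re-added after the user switch but still uses ADD for a plain local directory; ADD only differs from COPY by extracting tar archives and fetching URLs, so `COPY scripts /scripts` gives the same result without the implicit extraction behaviour (hadolint DL3020). The bitcoin Dockerfile in this same patch already uses COPY for its scripts directory, so this also makes the two coin images consistent.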
@@ -23,8 +23,8 @@ services: volumes: - "./coins/bitcoin/scripts:/scripts" entrypoint: /scripts/entry-dev.sh - ports: - - "18443:18443" + expose: + - "18443" ethereum: profiles: @@ -47,8 +47,8 @@ services: volumes: - "./coins/monero/scripts:/scripts" entrypoint: /scripts/entry-dev.sh - ports: - - "18081:18081" + expose: + - "18081" # Infrastructure @@ -62,8 +62,8 @@ services: volumes: - "./message-queue/scripts:/scripts" entrypoint: /scripts/entry-dev.sh - ports: - - "2287:2287" + expose: + - "2287" processor: profiles: diff --git a/orchestration/message-queue/Dockerfile b/orchestration/message-queue/Dockerfile index e5e4fafd..738704e5 100644 --- a/orchestration/message-queue/Dockerfile +++ b/orchestration/message-queue/Dockerfile @@ -32,15 +32,19 @@ RUN --mount=type=cache,target=/root/.cargo \ FROM debian:bookworm-slim as image LABEL description="STAGE 2: Copy and Run" -WORKDIR /home/serai - -# Copy the Message Queue binary and relevant license -COPY --from=builder /serai/bin/serai-message-queue /bin/ -COPY --from=builder /serai/AGPL-3.0 . - # Upgrade packages RUN apt update && apt upgrade -y +# Switch to a non-root user +RUN useradd --system --home /home/message-queue --create-home --shell /sbin/nologin messagequeue +USER messagequeue + +WORKDIR /home/message-queue + +# Copy the Message Queue binary and relevant license +COPY --from=builder --chown=messagequeue /serai/bin/serai-message-queue /bin +COPY --from=builder --chown=messagequeue /serai/AGPL-3.0 . + # Run message-queue EXPOSE 2287 CMD ["serai-message-queue"] diff --git a/orchestration/processor/Dockerfile b/orchestration/processor/Dockerfile index dd5342dd..7cd4005a 100644 --- a/orchestration/processor/Dockerfile +++ b/orchestration/processor/Dockerfile 
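Review bot: Replacing `ports:` with `expose:` in the bitcoin, monero and message-queue services stops publishing 18443, 18081 and 2287 on the host; `expose:` only documents the port to other containers on the compose network, and the images already declare the same ports via `EXPOSE`, so the new entries add nothing the network did not already allow. Not publishing these RPC ports to the host does shrink what is reachable from outside the compose network, but it is a behaviour change unrelated to the commit subject, and a developer who used `localhost:18443` against the `entry-dev.sh` profile loses that access. A sentence in the commit description, or a `ports:` entry kept in a dev override file, would make the intent explicit.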
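Review bot: `COPY --from=builder --chown=messagequeue /serai/bin/serai-message-queue /bin` drops the trailing slash the removed line had; it still lands inside the directory because `/bin` exists, but the processor and serai hunks in this patch keep `/bin/`, and the slash makes the copy fail loudly rather than silently producing a file named `/bin` should the destination ever not be a directory. Restoring it keeps the stage-2 Dockerfiles consistent: `COPY --from=builder --chown=messagequeue /serai/bin/serai-message-queue /bin/`.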
@@ -35,14 +35,18 @@ RUN --mount=type=cache,target=/root/.cargo \ FROM debian:bookworm-slim as image LABEL description="STAGE 2: Copy and Run" -WORKDIR /home/serai - -# Copy necessary files to run node -COPY --from=builder /serai/bin/serai-processor /bin/ -COPY --from=builder /serai/AGPL-3.0 . - # Upgrade packages and install openssl RUN apt update && apt upgrade -y && apt install -y libssl-dev +# Switch to a non-root user +RUN useradd --system --create-home --shell /sbin/nologin processor +USER processor + +WORKDIR /home/processor + +# Copy necessary files to run node +COPY --from=builder --chown=processsor /serai/bin/serai-processor /bin/ +COPY --from=builder --chown=processsor /serai/AGPL-3.0 . + # Run processor CMD ["serai-processor"] diff --git a/orchestration/serai/Dockerfile b/orchestration/serai/Dockerfile index a29c6a14..510a52b0 100644 --- a/orchestration/serai/Dockerfile +++ b/orchestration/serai/Dockerfile @@ -35,14 +35,18 @@ RUN --mount=type=cache,target=/root/.cargo \ FROM debian:bookworm-slim as image LABEL description="STAGE 2: Copy and Run" +# Upgrade packages +RUN apt update && apt upgrade -y + +# Switch to a non-root user +RUN useradd --system --home /home/serai --shell /sbin/nologin serai +USER serai + WORKDIR /home/serai # Copy necessary files to run node -COPY --from=builder /serai/bin/serai-node /bin/ -COPY --from=builder /serai/AGPL-3.0 . - -# Upgrade packages -RUN apt update && apt upgrade -y +COPY --from=builder --chown=serai /serai/bin/serai-node /bin/ +COPY --from=builder --chown=serai /serai/AGPL-3.0 . # Run node EXPOSE 30333 9615 9933 9944
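Review bot: Both `COPY --from=builder --chown=processsor …` lines spell the owner `processsor`, while the `useradd` two lines above creates `processor`; the `--chown` name is looked up in the image's passwd database at build time, so this stage should fail with an unknown-user error rather than build. Change both lines to `COPY --from=builder --chown=processor /serai/bin/serai-processor /bin/` and `COPY --from=builder --chown=processor /serai/AGPL-3.0 .`.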
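Review bot: `RUN useradd --system --home /home/serai --shell /sbin/nologin serai` omits the `--create-home` the other four Dockerfiles in this patch pass, so /home/serai does not exist when `USER serai` takes effect and is instead created by the following `WORKDIR /home/serai`; whether that directory ends up owned by serai or by root depends on the builder (BuildKit appears to chown WORKDIR-created directories to the active USER, the legacy builder does not), and a root-owned home would leave the node unable to write its data. Adding the flag removes that dependency: `RUN useradd --system --home /home/serai --create-home --shell /sbin/nologin serai`. The `COPY --chown=serai /serai/AGPL-3.0 .` into that directory succeeds either way because COPY runs with build-time root rights.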