Don't run apps in Docker as root

orchestration/README.md

@@ -22,7 +22,7 @@ All commands are assumed to be ran from `/deploy`, not the root folder.
 * `processor`     - Serai processor for one external network.
 
 * `serai`      - Serai node
-* `cluster-sm` - "Alice", "Bob", and "Charlie" Serai nodes, all validators
+* `cluster-sm` - "Alice", "Bob", and "Charlie" Serai nodes, all as validators
 * `cluster-lg` - `cluster-sm` with non-validators "Dave", "Eve", and "Ferdie"
 
 You can supply one or more profiles to the docker compose command to orchestrate

orchestration/coins/bitcoin/Dockerfile

@@ -25,16 +25,20 @@ RUN grep bitcoin-${BITCOIN_VERSION}-x86_64-linux-gnu.tar.gz SHA256SUMS | sha256s
 
 # Prepare Image
 RUN tar xzvf bitcoin-${BITCOIN_VERSION}-x86_64-linux-gnu.tar.gz
+RUN mv bitcoin-${BITCOIN_VERSION}/bin/bitcoind .
 
 FROM debian:bookworm-slim as image
 
-WORKDIR /home/bitcoin
-COPY --from=builder /home/bitcoin/* .
-RUN mv bin/* /bin && mv lib/* /lib
-COPY ./scripts /scripts
-
 # Upgrade packages
 RUN apt update && apt upgrade -y
 
+# Switch to a non-root user
+RUN useradd --system --create-home --shell /sbin/nologin bitcoin
+USER bitcoin
+WORKDIR /home/bitcoin
+
+COPY --from=builder --chown=bitcoin /home/bitcoin/bitcoind /bin
+COPY ./scripts /scripts
+
 EXPOSE 8332 8333 18332 18333 18443 18444
-VOLUME ["/home/bitcoin/.bitcoin"]
+# VOLUME ["/home/bitcoin/.bitcoin"]

orchestration/coins/monero/Dockerfile

@@ -29,12 +29,17 @@ RUN tar -xvjf monero-linux-x64-v${MONERO_VERSION}.tar.bz2 --strip-components=1
 # Build the actual image
 FROM alpine:latest as image
 
-WORKDIR /home/monero
-COPY --from=builder /home/monero/monerod /bin
-ADD scripts /scripts
-
 # Upgrade packages
 RUN apk update && apk upgrade && apk add gcompat
 
+# Switch to a non-root user
+# System user (not a human), shell of nologin, no password assigned
+RUN adduser -S -s /sbin/nologin -D monero
+USER monero
+
+WORKDIR /home/monero
+COPY --from=builder --chown=monero /home/monero/monerod /bin
+ADD scripts /scripts
+
 EXPOSE 18080 18081
-VOLUME /home/monero/.bitmonero
+# VOLUME /home/monero/.bitmonero

orchestration/docker-compose.yml

@@ -23,8 +23,8 @@ services:
     volumes:
       - "./coins/bitcoin/scripts:/scripts"
     entrypoint: /scripts/entry-dev.sh
-    ports:
+    expose:
-      - "18443:18443"
+      - "18443"
 
   ethereum:
     profiles:
@@ -47,8 +47,8 @@ services:
     volumes:
       - "./coins/monero/scripts:/scripts"
     entrypoint: /scripts/entry-dev.sh
-    ports:
+    expose:
-      - "18081:18081"
+      - "18081"
 
   # Infrastructure
 
@@ -62,8 +62,8 @@ services:
     volumes:
       - "./message-queue/scripts:/scripts"
     entrypoint: /scripts/entry-dev.sh
-    ports:
+    expose:
-      - "2287:2287"
+      - "2287"
 
   processor:
     profiles:

orchestration/message-queue/Dockerfile

@@ -32,15 +32,19 @@ RUN --mount=type=cache,target=/root/.cargo \
 FROM debian:bookworm-slim as image
 LABEL description="STAGE 2: Copy and Run"
 
-WORKDIR /home/serai
-
-# Copy the Message Queue binary and relevant license
-COPY --from=builder /serai/bin/serai-message-queue /bin/
-COPY --from=builder /serai/AGPL-3.0 .
-
 # Upgrade packages
 RUN apt update && apt upgrade -y
 
+# Switch to a non-root user
+RUN useradd --system --home /home/message-queue --create-home --shell /sbin/nologin messagequeue
+USER messagequeue
+
+WORKDIR /home/message-queue
+
+# Copy the Message Queue binary and relevant license
+COPY --from=builder --chown=messagequeue /serai/bin/serai-message-queue /bin
+COPY --from=builder --chown=messagequeue /serai/AGPL-3.0 .
+
 # Run message-queue
 EXPOSE 2287
 CMD ["serai-message-queue"]

orchestration/processor/Dockerfile

@@ -35,14 +35,18 @@ RUN --mount=type=cache,target=/root/.cargo \
 FROM debian:bookworm-slim as image
 LABEL description="STAGE 2: Copy and Run"
 
-WORKDIR /home/serai
-
-# Copy necessary files to run node
-COPY --from=builder /serai/bin/serai-processor /bin/
-COPY --from=builder /serai/AGPL-3.0 .
-
 # Upgrade packages and install openssl
 RUN apt update && apt upgrade -y && apt install -y libssl-dev
 
+# Switch to a non-root user
+RUN useradd --system --create-home --shell /sbin/nologin processor
+USER processor
+
+WORKDIR /home/processor
+
+# Copy necessary files to run node
+COPY --from=builder --chown=processsor /serai/bin/serai-processor /bin/
+COPY --from=builder --chown=processsor /serai/AGPL-3.0 .
+
 # Run processor
 CMD ["serai-processor"]

orchestration/serai/Dockerfile

@@ -35,14 +35,18 @@ RUN --mount=type=cache,target=/root/.cargo \
 FROM debian:bookworm-slim as image
 LABEL description="STAGE 2: Copy and Run"
 
+# Upgrade packages
+RUN apt update && apt upgrade -y
+
+# Switch to a non-root user
+RUN useradd --system --home /home/serai --shell /sbin/nologin serai
+USER serai
+
 WORKDIR /home/serai
 
 # Copy necessary files to run node
-COPY --from=builder /serai/bin/serai-node /bin/
+COPY --from=builder --chown=serai /serai/bin/serai-node /bin/
-COPY --from=builder /serai/AGPL-3.0 .
+COPY --from=builder --chown=serai /serai/AGPL-3.0 .
-
-# Upgrade packages
-RUN apt update && apt upgrade -y
 
 # Run node
 EXPOSE 30333 9615 9933 9944