@mhandl mhandl commented Apr 6, 2025

  • Standardize AS stage naming with uppercase
  • Create midpoint system user and group based on base image
  • Set proper ownership of midpoint directory
  • Switch to non-privileged user for container execution

This change improves security by running the container as a non-privileged user instead of root.

mhandl commented Apr 6, 2025

Tested with the latest Docker images for Alpine, Ubuntu, and Rocky Linux.

Note: Be aware that any MP_HOME persistent volumes created with previous MidPoint Docker images were created with privileged account permissions. Containers updated with new Docker images (using a non-privileged account) will not have write access to these persistent volumes. To fix the permissions, these volumes must be manually corrected, such as changing MP_HOME ownership to the account midpoint.
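The four Dockerfile steps listed in the PR description, together with the volume-ownership caveat from the comment above, as an added example that is not the PR's own Dockerfile. It assumes the base image is passed in as a `BASE_IMAGE` build argument, that MP_HOME is `/opt/midpoint`, and that uid/gid 1000 are free; the stage name `MIDPOINT` and the hypothetical `./midpoint` source directory are illustrative.

```dockerfile
# Added example, not the project's Dockerfile. Assumed: BASE_IMAGE build arg,
# MP_HOME=/opt/midpoint, uid/gid 1000, a local ./midpoint directory to copy in.
ARG BASE_IMAGE=alpine:3.20
# Step 1: stage keyword written as uppercase AS
FROM ${BASE_IMAGE} AS MIDPOINT

ENV MP_HOME=/opt/midpoint

# Step 2: create the midpoint system user and group; the user-management
# commands differ between Alpine (BusyBox) and Ubuntu/Rocky (shadow-utils).
RUN set -eu; \
    if [ -f /etc/alpine-release ]; then \
        addgroup -S -g 1000 midpoint && \
        adduser -S -u 1000 -G midpoint -h "$MP_HOME" midpoint; \
    else \
        groupadd --system --gid 1000 midpoint && \
        useradd --system --uid 1000 --gid midpoint \
                --home-dir "$MP_HOME" --create-home midpoint; \
    fi

# Step 3: copy the application in and make sure everything under MP_HOME
# belongs to the unprivileged account (covers files created by earlier layers).
COPY --chown=midpoint:midpoint ./midpoint "$MP_HOME"
RUN chown -R midpoint:midpoint "$MP_HOME"

# Step 4: everything from here on, including the container's entrypoint,
# runs as the non-root midpoint user.
USER midpoint
WORKDIR $MP_HOME
```

For a persistent MP_HOME volume created by an older root-running image, the ownership fix described in the comment can be applied once from a throwaway container, for example `docker run --rm -v mp_home:/opt/midpoint alpine chown -R 1000:1000 /opt/midpoint` (volume name and uid/gid assumed as above).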

cccfer commented Jun 3, 2025

Nice job! Very interested in this security improvement.

virgo47 commented Sep 18, 2025

Please merge this.

FYI: this one is coming directly into the MP repo in the not-so-distant future: https://github.com/Evolveum/midpoint/tree/feature/docker/tools/docker

@martin-lizner
@virgo47 nice that you are including the tool right into the mp project, but I guess for older mp versions we will have to work with this one, so please consider merging this PR :-)
