danhuawang opened a new issue, #10633:
URL: https://github.com/apache/gravitino/issues/10633
### What would you like to be improved?
Currently, the following Docker images run as the root user by default:
- `gravitino` (`dev/docker/gravitino/Dockerfile`)
- `iceberg-rest-server` (`dev/docker/iceberg-rest-server/Dockerfile`)
- `lance-rest-server` (`dev/docker/lance-rest-server/Dockerfile`)
All three Dockerfiles use `/root` as the working directory and do not
specify a non-root `USER` instruction. This creates security concerns in
production environments and prevents deployment in hardened Kubernetes clusters
or platforms like OpenShift that enforce non-root container policies.
### How should we improve?
Modify the Dockerfiles to:
1. Create a dedicated non-root user (e.g., `gravitino`)
2. Change the working directory from `/root/*` to `/opt/*` or another
appropriate location
3. Set proper file ownership and permissions
4. Add a `USER` instruction to run the container as the non-root user
Example changes for `gravitino/Dockerfile`:
```dockerfile
RUN groupadd -r gravitino && useradd -r -g gravitino gravitino
WORKDIR /opt/gravitino
COPY packages/gravitino /opt/gravitino
RUN chown -R gravitino:gravitino /opt/gravitino \
&& chmod +x /opt/gravitino/bin/start-gravitino.sh
USER gravitino
```
Similar changes should be applied to `iceberg-rest-server` and
`lance-rest-server` Dockerfiles
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
