From 4a2b8f1503354e9c3ad640a58ff01bfddd69f94c Mon Sep 17 00:00:00 2001
From: Fang Yi Liu
Date: Mon, 23 Feb 2026 18:15:50 -0800
Subject: [PATCH] set unpriviledged user for Dockerfile

---
 app/Dockerfile                   | 10 +++++++---
 docker-compose.yml               |  1 +
 docs/architecture/docker.md      | 21 +++++++++++++++++++++
 docs/contributing/tools/index.md |  2 +-
 mkdocs.yml                       |  1 +
 5 files changed, 31 insertions(+), 4 deletions(-)
 create mode 100644 docs/architecture/docker.md

diff --git a/app/Dockerfile b/app/Dockerfile
index bedbf821..c1712e8f 100644
--- a/app/Dockerfile
+++ b/app/Dockerfile
@@ -1,6 +1,10 @@
 # pull official base image
 FROM python:3.10-alpine
 
+# create non-root user and group
+RUN addgroup -g 1000 app && \
+    adduser -D -u 1000 -G app -h /home/app -s /bin/sh app
+
 # set work directory
 WORKDIR /usr/src/app
 
@@ -21,7 +25,7 @@ COPY Roboto-Regular.ttf /root/.fonts/
 RUN fc-cache -f
 
 # install dependencies
-COPY ./requirements.txt .
+COPY --chown=app:app ./requirements.txt .
 # hadolint ignore=DL3042
 RUN \
     --mount=type=cache,target=/root/.cache \
@@ -29,12 +33,12 @@ RUN \
     && uv pip install --system -r requirements.txt
 
 # copy entrypoint.sh
-COPY ./entrypoint.sh .
+COPY --chown=app:app ./entrypoint.sh .
 RUN sed -i 's/\r$//g' /usr/src/app/entrypoint.sh \
     && chmod +x /usr/src/app/entrypoint.sh
 
 # copy project
-COPY . .
+COPY --chown=app:app . .
 
 # run entrypoint.sh
 ENTRYPOINT ["/usr/src/app/entrypoint.sh"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 22fa069d..db72e56b 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -1,5 +1,6 @@
 services:
   web:
+    user: "1000:1000"
     build: ./app
     platform: linux/amd64
     command: python manage.py runserver 0.0.0.0:8000
diff --git a/docs/architecture/docker.md b/docs/architecture/docker.md
new file mode 100644
index 00000000..60b8b1cf
--- /dev/null
+++ b/docs/architecture/docker.md
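Review bot: The fixed UID/GID 1000 in the added `addgroup -g 1000 app` / `adduser -D -u 1000 ...` lines is a deliberate match for the usual first host user, but the comment above them only says "create non-root user and group", so a later maintainer may "harden" it to a system UID and silently break host ownership of files the container writes into a bind mount (the docs added in this same patch cite migration files as the reason). Suggest extending the comment: `# UID/GID 1000 deliberately match the default first host user so files the container writes into bind mounts (e.g. migrations) are owned by the developer`. If contributors whose host user is not UID 1000 are expected, `ARG UID=1000` / `ARG GID=1000` declared before this RUN and substituted into it keeps the default unchanged while letting them override it at build time. The login shell `-s /bin/sh` is not needed for ENTRYPOINT to run `entrypoint.sh`; `-s /sbin/nologin` would be the least-privilege choice, though it is not a security issue here.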
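Review bot: The context lines `COPY Roboto-Regular.ttf /root/.fonts/` (hunk header) and `RUN fc-cache -f` install the font into root's per-user fontconfig directory, which the new `app` account will not search — fontconfig's `~/.fonts` is resolved per user, and `/root` is normally mode 0700 on Alpine — so anything rendering with Roboto is likely to fall back to a different font once the process runs as UID 1000; this cannot be confirmed from the hunk, so please verify by rendering as the non-root user. The fix is to install it system-wide, e.g. `COPY Roboto-Regular.ttf /usr/share/fonts/Roboto-Regular.ttf`, leaving `RUN fc-cache -f` as is. The `--chown=app:app` on `requirements.txt` is fine, and the `--mount=type=cache,target=/root/.cache` on the following RUN (which continues past the end of this hunk) is build-time only and still runs as root, so it is unaffected by the user change.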
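Review bot: Nothing in this hunk, nor anywhere else in the Dockerfile as shown in this patch, switches to the new account with `USER`, so the image still starts `entrypoint.sh` as root whenever it is run without the compose file's `user:` override (a plain `docker run`, a CI job, a Kubernetes manifest without `runAsUser`), and the three `--chown=app:app` copies only prepare for a privilege drop that the image itself never performs. Add `USER app` after the final `COPY --chown=app:app . .` and before `ENTRYPOINT`, so non-root is enforced by the image and the compose `user:` line becomes a redundant second control rather than the only one. The `sed`/`chmod +x` RUN on `entrypoint.sh` still executes as root at build time and is unaffected. Also confirm that `entrypoint.sh` (not visible here) ends with `exec "$@"` so the `python manage.py runserver` command from compose becomes PID 1 under the new UID and receives `SIGTERM` on `docker stop`.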
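Review bot: The added `user: "1000:1000"` is a bare numeric pair with nothing tying it to the `app` account created in `app/Dockerfile`, so the two can drift apart; a different UID here would run the process with no passwd entry and the `--chown=app:app` files would no longer be writable. Suggest a comment above the line: `# must match the UID/GID of the "app" user created in app/Dockerfile`. Note that `docker compose exec web ...` also inherits this setting, so any one-off task that genuinely needs root must pass `--user root` explicitly; worth stating in the new docs/architecture/docker.md page.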
@@ -0,0 +1,21 @@
+---
+tags:
+  - Docker
+---
+
+# Docker configuration
+
+## Docker Compose
+
+The project uses docker compose to run a local development environment.
+
+The compose file is stored in the root of the project.
+
+## Dockerfile
+
+The Dockerfile is stored in the `app/` directory.
+
+## Design
+
+- We run Docker containers as a non-root user.
+    - This is necessary for creating migration files not owned by root and usable by the normal user.
diff --git a/docs/contributing/tools/index.md b/docs/contributing/tools/index.md
index be7f9d1a..6e17a518 100644
--- a/docs/contributing/tools/index.md
+++ b/docs/contributing/tools/index.md
@@ -3,7 +3,7 @@
 These are the tools we use in the PeopleDepot project with notes on how we use them.
 
 - [Convenience scripts](scripts.md)
-- [Docker](docker.md) for containerization
+- [Docker](./docker.md) for containerization
 - [MkDocs](mkdocs.md) for documentation
 - [Pre-commit](pre-commit.md) for linting
 - [Uv](uv.md) for fast dependency resolution
diff --git a/mkdocs.yml b/mkdocs.yml
index b515d003..448e4dbb 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -32,6 +32,7 @@ plugins:
       - postgres
       - Django
       - migrations
+      - Docker
 markdown_extensions:
   - abbr