[CI] [GHA] Use non-root user in Dockerfiles#28903
mryzhov left a comment:
LGTM, but please take a look at the comments, looks like we can simplify several things
| runs-on: ubuntu-22.04 | ||
| container: | ||
| image: ${{ fromJSON(needs.docker.outputs.images).ov_test.fedora_33 }} | ||
| image: fedora:33 |
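Review bot: `image: fedora:33` replaces the image built into the project's own registry with a mutable Docker Hub tag, so whatever is pushed to that tag next is what the job runs on. Pinning the digest (`fedora:33@sha256:<digest>`, placeholder) keeps the Docker Hub source while making the job reproducible, and records in the workflow which build was actually tested.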
It is better to lock the version of the image then.
It is not a GHA image, it is a Docker Hub image, I do not think it would be updated silently except for security updates.
| runner: 'aks-linux-4-cores-8gb-arm' | ||
| image: 'openvinogithubactions.azurecr.io/dockerhub/ubuntu:20.04' | ||
| runner: 'ubuntu-22.04' | ||
| image: 'ubuntu:20.04' |
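Review bot: changing `runner:` from `aks-linux-4-cores-8gb-arm` to `ubuntu-22.04` moves this job from an arm runner to a GitHub-hosted x86_64 one, so the arm configuration is no longer exercised even though the container image line looks unchanged apart from the registry. If dropping arm coverage here is intended, state it in the PR description; otherwise keep an arm runner label. `ubuntu:20.04` without a digest has the same pinning concern as the fedora image.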
The GHA image could be updated silently; we need to lock the particular version.
It is not a GHA image, it is a Docker Hub image, and it should not be updated silently except for security updates.
Pull Request Overview
This PR updates multiple Dockerfiles to use a dedicated non-root user (runner) instead of root, improving container security. Key changes include adding environment variable definitions for USER_NAME, USER_ID, GROUP_NAME, and GROUP_ID; creating a non-root user and group via groupadd/useradd or usermod where needed; and modifying file ownership and default users accordingly.
Reviewed Changes
Copilot reviewed 35 out of 35 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| .github/dockerfiles/ov_test/* | Add non-root user setup for Ubuntu, Fedora, and Debian test images |
| .github/dockerfiles/ov_build/* | Update multiple build Dockerfiles to switch to a non-root user, with some cases using usermod instead of useradd based on base image requirements |
| .github/dockerfiles/docker_tag | Update tag identifier |
Comments suppressed due to low confidence (1)
.github/dockerfiles/ov_build/ubuntu_24_04_x64/Dockerfile:97
- For consistency with other Dockerfiles that set ownership using '${USER_NAME}:${USER_NAME}', please verify if the group component should use ${USER_NAME} instead of ${GROUP_ID}.
RUN chown -R ${USER_NAME}:${GROUP_ID} /venv
| ENV PATH="$NVM_DIR/versions/node/v${NODE_VERSION}/bin/:${PATH}" | ||
| # Change ownership of the venv directory to the non-root user | ||
| RUN chown -R ${USER_NAME}:${USER_NAME} /venv |
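Review bot: `RUN chown -R ${USER_NAME}:${USER_NAME} /venv` as a separate instruction rewrites every file under /venv into a new layer, so the venv's contents count twice in the image size. Run the chown in the same RUN that creates the venv, or create the venv after the `USER` switch so it is owned by the non-root user from the start. The group here is `${USER_NAME}` while the suppressed comment reports `${GROUP_ID}` in ubuntu_24_04_x64; pick one of `${GROUP_NAME}` or `${GROUP_ID}` and use it in every Dockerfile.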
[nitpick] Since the non-root user creation and directory ownership steps are repeated across many Dockerfiles, consider centralizing this logic or standardizing the approach across files to simplify future maintenance.
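The non-root user pattern the PR describes, written out as an added example rather than one of the project's own Dockerfiles. The base image, the UID/GID values and the `usermod` fallback (for base images that already ship a user at the chosen UID) are assumptions made for the example.

```dockerfile
# Added example, not a file from the PR. Base image and ids are assumptions.
FROM ubuntu:22.04

# Same variable names as the PR; the values are chosen for the example.
ENV USER_NAME=runner \
    USER_ID=1000 \
    GROUP_NAME=runner \
    GROUP_ID=1000

RUN set -eux; \
# Create the group only if no group already owns that GID.
    if ! getent group "${GROUP_ID}" >/dev/null; then \
        groupadd -g "${GROUP_ID}" "${GROUP_NAME}"; \
    fi; \
# Some base images already ship a user at the UID; rename that user
# (the usermod case from the PR) instead of letting useradd fail.
    if getent passwd "${USER_ID}" >/dev/null; then \
        existing="$(getent passwd "${USER_ID}" | cut -d: -f1)"; \
        usermod -l "${USER_NAME}" -d "/home/${USER_NAME}" -m \
                -g "${GROUP_ID}" "${existing}"; \
    else \
        useradd -m -u "${USER_ID}" -g "${GROUP_ID}" -s /bin/bash "${USER_NAME}"; \
    fi

# Create and chown the writable directory in one layer, so the files are not
# copied again by a later standalone 'RUN chown -R'.
RUN mkdir -p /venv && chown "${USER_NAME}:${GROUP_NAME}" /venv

USER ${USER_NAME}
WORKDIR /home/${USER_NAME}

# Fail the build if the switch to the non-root user did not take effect.
RUN [ "$(id -u)" = "${USER_ID}" ] && [ "$(id -gn)" = "${GROUP_NAME}" ]
```

The final RUN is the check a CI image should carry: a later `USER root` or a base image that overrides the user would break the build instead of silently running jobs as root.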
Tickets: