Non-privileged user in Dockerfile #862

@psolymos

I have been using and modifying the Dockerfiles generated by {golem}. The system and R dependencies are a great help and I had to modify very little. Thanks for this great tool.

But I noticed that all options (the plain Dockerfile, and the ones for ShinyProxy and Heroku) use the rocker/r-ver parent image that is based on ubuntu:focal. All these leave the USER as root, which is generally discouraged due to security considerations; there is even a Hadolint warning for this.

I am wondering if it would be possible to add a user argument to the golem::add_dockerfile* functions?

This would be straightforward for ShinyProxy:

```dockerfile
# ShinyProxy
...

RUN addgroup --system shiny && adduser --system --ingroup shiny shiny
USER shiny

EXPOSE 3838
CMD ["R", "-e", "options('shiny.port'=3838,shiny.host='0.0.0.0');ShinyWBI::run_app()"]
```

and on Heroku:

```dockerfile
# Heroku
...

RUN addgroup --system shiny && adduser --system --ingroup shiny shiny
USER shiny
CMD R -e "options('shiny.port'=$PORT,shiny.host='0.0.0.0');ShinyWBI::run_app()"
```

The catch for the plain Dockerfile is that it exposes port 80, which is a low port not available to non-privileged users, so the port would have to be changed to e.g. 8080:

```dockerfile
...
RUN addgroup --system shiny && adduser --system --ingroup shiny shiny
USER shiny
EXPOSE 8080
CMD R -e "options('shiny.port'=8080,shiny.host='0.0.0.0');ShinyWBI::run_app()"
```

I am happy to work on a PR if this suggestion makes sense.
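
An added example, not part of the original issue or of {golem}: a small Python check for the two conditions discussed above, a final build stage that still runs as root and a port below 1024 left exposed once a non-root user is set. The sample Dockerfiles are constructed from the issue's snippets, `audit_dockerfile` is a hypothetical name, and the base image is assumed to run as root.

```python
import re

# Constructed samples modelled on the plain-Dockerfile snippet in the issue.
ROOT_PORT_80 = """\
FROM rocker/r-ver
EXPOSE 80
CMD R -e "options('shiny.port'=80,shiny.host='0.0.0.0');ShinyWBI::run_app()"
"""
AS_PROPOSED = """\
FROM rocker/r-ver
RUN addgroup --system shiny && adduser --system --ingroup shiny shiny
USER shiny
EXPOSE 8080
CMD R -e "options('shiny.port'=8080,shiny.host='0.0.0.0');ShinyWBI::run_app()"
"""
# Same non-root user, but the port left at 80.
USER_ONLY = AS_PROPOSED.replace("8080", "80")


def audit_dockerfile(text):
    """Return findings for the final build stage: it runs as root, or it
    runs as a non-root user while exposing a port below 1024."""
    user, ports = "root", []
    # Join backslash continuations so each instruction sits on one line.
    for line in re.sub(r"\\\n", " ", text).splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) < 2 or parts[0].startswith("#"):
            continue  # blank line, comment, or placeholder such as "..."
        instr, arg = parts[0].upper(), parts[1]
        if instr == "FROM":
            # Assumption: every base image starts as root, so a new stage resets the user.
            user, ports = "root", []
        elif instr == "USER":
            user = arg.split(":")[0].strip()  # drop an optional ":group"
        elif instr == "EXPOSE":
            nums = [p.split("/")[0] for p in arg.split()]  # "80/tcp" -> "80"
            ports += [int(n) for n in nums if n.isdigit()]
    if user in ("root", "0"):
        return ["final USER is root"]
    return [f"port {p} is below 1024 but USER is {user}" for p in ports if p < 1024]


if __name__ == "__main__":
    for name in ("ROOT_PORT_80", "USER_ONLY", "AS_PROPOSED"):
        print(name, audit_dockerfile(globals()[name]) or "ok")
```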
