Add non-root user to Docker image 80/91480/2
author Michael Hwang <mhwang@research.att.com>
Mon, 15 Jul 2019 20:47:52 +0000 (16:47 -0400)
committer Michael Hwang <mhwang@research.att.com>
Mon, 15 Jul 2019 20:55:32 +0000 (16:55 -0400)
Change-Id: Ie065edb17b7a8dba7086e12e2a2249cbbfcaf32d
Issue-ID: DCAEGEN2-1554
Signed-off-by: Michael Hwang <mhwang@research.att.com>
CHANGELOG.md
pom.xml

index 1c27804..52ac665 100644 (file)
@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](http://semver.org/).
 
 The version in the brackets represents the version of DCAE inventory and not the ONAP DCAE version.
 
+## [Dev]
+
+* Add non-root user in Docker image so that the inventory service can be run in non-privileged mode for security reasons
+
 ## [3.0.1]
 
 * Explicitly use 5.3.6.Final for hibernate-validator and 9.4.6 for jetty-util to address security issues
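Review bot: The new `## [Dev]` heading does not match the convention stated just above it, where the bracket holds the DCAE inventory version (as in `## [3.0.1]`) and the file follows Semantic Versioning. Use the version this change will ship in, so the non-root switch can be tied to a release. The entry would also be more useful to operators if it named the account (`inventory`), since anyone mounting volumes or config into the container needs to know which user must be able to read them.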
diff --git a/pom.xml b/pom.xml
index 08bb09f..282659d 100644 (file)
--- a/pom.xml
+++ b/pom.xml
@@ -343,6 +343,10 @@ ECOMP is a trademark and service mark of AT&T Intellectual Property.
                 <configuration>
                     <imageName>${onap.nexus.dockerregistry.daily}/onap/${project.groupId}.${project.artifactId}</imageName>
                     <baseImage>openjdk:8-jre</baseImage>
+                    <user>inventory</user>
+                    <runs>
+                        <run>adduser --system --group inventory</run>
+                    </runs>
                     <entryPoint>["java", "-jar", "/opt/${project.build.finalName}.jar", "server"]</entryPoint>
                     <resources>
                         <resource>
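Review bot: The `<run>adduser --system --group inventory</run>` line lets the base image choose the UID and GID, so the numeric id behind `<user>inventory</user>` is not fixed and can change when `openjdk:8-jre` is rebuilt. Consider pinning it (adduser accepts `--uid`) and documenting the value, so that file ownership on mounted volumes and any runtime policy that checks for a non-root numeric UID stay predictable. Nothing in this hunk changes ownership or permissions of the files added under `<resources>`, so confirm that the jar in `/opt` is readable by `inventory` and that any path the service writes to (logs, temporary files) is writable by it. It is also worth checking the generated Dockerfile to make sure the `adduser` step is emitted before the switch to `inventory`, because it has to run as root.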