Instead of violating the principle of least privilege, anteater should
be run by a non-root user.
Anteater doesn't need access to anything owned by root to perform
security scanning, and running as a non-root user should prevent it from
creating files owned by root in the future.
JIRA: RELENG-238
Change-Id: I7b75255ff460444763acbcc5d7752e1223860a2b
Signed-off-by: Trevor Bramwell <tbramwell@linuxfoundation.org>
# environment variables
ARG BRANCH=master
# environment variables
ARG BRANCH=master
-ENV HOME /home/opnfv
-ENV ANT_HOME ${HOME}/anteater
-RUN mkdir -p ${ANT_HOME}
+# Anteater is run as user 'opnfv'
+RUN useradd -U -m -s /bin/bash ${ANTEATER_USER}
+
+ENV HOME /home/${ANTEATER_USER}
+ENV ANTEATER_HOME ${HOME}/anteater
# Packaged dependencies
RUN yum -y install epel-release
# Packaged dependencies
RUN yum -y install epel-release
RUN yum -y install git python-devel python-pip
RUN yum clean all
RUN yum -y install git python-devel python-pip
RUN yum clean all
+# Run all following commands and container as non-root user
+USER ${ANTEATER_USER}
+
# Commands to clone and install
# Commands to clone and install
-RUN git clone https://gerrit.opnfv.org/gerrit/releng-anteater ${ANT_HOME}
-WORKDIR ${ANT_HOME}
-RUN /usr/bin/pip install -r ${ANT_HOME}/requirements.txt
-RUN python ${ANT_HOME}/setup.py install
+RUN mkdir -p ${ANTEATER_HOME}
+RUN git clone https://gerrit.opnfv.org/gerrit/releng-anteater ${ANTEATER_HOME}
+WORKDIR ${ANTEATER_HOME}
+RUN /usr/bin/pip install -r ${ANTEATER_HOME}/requirements.txt
+RUN python ${ANTEATER_HOME}/setup.py install
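Review bot: Once `USER ${ANTEATER_USER}` is in effect, the two install steps at the end of the hunk, `RUN /usr/bin/pip install -r ${ANTEATER_HOME}/requirements.txt` and `RUN python ${ANTEATER_HOME}/setup.py install`, still target the system site-packages, which the non-root user cannot write, so the build is likely to stop with a permission error rather than produce the intended image. Either keep the dependency installation above the `USER` switch or install into the user's home with `RUN /usr/bin/pip install --user -r ${ANTEATER_HOME}/requirements.txt` and `RUN python ${ANTEATER_HOME}/setup.py install --user`, adding `${HOME}/.local/bin` to PATH if the anteater console script is later invoked by name. `${ANTEATER_USER}` is not declared by any `ARG` or `ENV` in this hunk; unless it is set earlier in the file it expands to an empty string and the `useradd` line fails on a missing operand, so a visible `ARG ANTEATER_USER=opnfv` next to `ARG BRANCH=master` would make the intent explicit. The `ENV HOME /home/${ANTEATER_USER}` and `ENV ANTEATER_HOME ${HOME}/anteater` lines use the legacy space-separated form; `ENV HOME=/home/${ANTEATER_USER}` is the supported syntax. Whatever follows the setup.py step in the Dockerfile is outside the hunk.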