use unprivileged nginx images (#2354)

Signed-off-by: Itai Segall <itai.segall@digitalasset.com>

Author: isegall-da

cluster/images/ans-web-ui/Dockerfile

@@ -14,3 +14,8 @@ COPY --from=splice app/splice-node/web-uis/ans /usr/share/nginx/html/
 COPY config.js /tmpl/config.js.tmpl
 COPY --chmod=500 docker-entrypoint.sh /custom-docker-entrypoint.sh
 
+USER root
+RUN chown -R nginx:nginx /tmpl
+RUN chown nginx:nginx /custom-docker-entrypoint.sh
+RUN chown -R nginx:nginx /usr/share/nginx/html
+USER nginx

cluster/images/docs/Dockerfile

@@ -15,3 +15,9 @@ COPY --from=splice app/LICENSE .
 COPY script.js /tmpl/script.js.tmpl
 COPY --chmod=500 docker-entrypoint.sh /custom-docker-entrypoint.sh
 ENTRYPOINT ["/custom-docker-entrypoint.sh"]
+
+USER root
+RUN chown -R nginx:nginx /tmpl
+RUN chown nginx:nginx /custom-docker-entrypoint.sh
+RUN chown -R nginx:nginx /usr/share/nginx/html
+USER nginx

cluster/images/scan-web-ui/Dockerfile

@@ -14,3 +14,8 @@ COPY --from=splice app/splice-node/web-uis/scan /usr/share/nginx/html/
 COPY config.js /tmpl/config.js.tmpl
 COPY --chmod=500 docker-entrypoint.sh /custom-docker-entrypoint.sh
 
+USER root
+RUN chown -R nginx:nginx /tmpl
+RUN chown nginx:nginx /custom-docker-entrypoint.sh
+RUN chown -R nginx:nginx /usr/share/nginx/html
+USER nginx

cluster/images/splice-web-ui/Dockerfile

@@ -1,13 +1,17 @@
 # Copyright (c) 2024 Digital Asset (Switzerland) GmbH and/or its affiliates. All rights reserved.
 # SPDX-License-Identifier: Apache-2.0
 
-FROM nginx:1.28.0@sha256:e2d0edf0e20951a190fe2322e27c6d790c675e9ff0018ba493947972f816f567
+FROM nginxinc/nginx-unprivileged:1.29.0@sha256:3161d975277f6af7e171bdccf48e3469cab8e5788fa63767f6656d4bfb49549c
+
+USER root
 
 RUN apt-get update \
    && apt-get install -y tini \
    && apt-get clean \
    && rm -rf /var/lib/apt/lists/*
 
+USER nginx
+
 COPY default.conf /etc/nginx/conf.d/
 
 ENTRYPOINT ["/usr/bin/tini", "--", "/custom-docker-entrypoint.sh"]

cluster/images/splitwell-web-ui/Dockerfile

@@ -13,3 +13,9 @@ LABEL org.opencontainers.image.base.name="splice-web-ui:${base_version}"
 COPY --from=splice app/splice-node/web-uis/splitwell /usr/share/nginx/html/
 COPY config.js /tmpl/config.js.tmpl
 COPY --chmod=500 docker-entrypoint.sh /custom-docker-entrypoint.sh
+
+USER root
+RUN chown -R nginx:nginx /tmpl
+RUN chown nginx:nginx /custom-docker-entrypoint.sh
+RUN chown -R nginx:nginx /usr/share/nginx/html
+USER nginx

cluster/images/sv-web-ui/Dockerfile

@@ -13,3 +13,9 @@ LABEL org.opencontainers.image.base.name="splice-web-ui:${base_version}"
 COPY --chmod=500 docker-entrypoint.sh /custom-docker-entrypoint.sh
 COPY config.js /tmpl/config.js.tmpl
 COPY --from=splice app/splice-node/web-uis/sv /usr/share/nginx/html/
+
+USER root
+RUN chown -R nginx:nginx /tmpl
+RUN chown nginx:nginx /custom-docker-entrypoint.sh
+RUN chown -R nginx:nginx /usr/share/nginx/html
+USER nginx

cluster/images/wallet-web-ui/Dockerfile

@@ -13,3 +13,9 @@ LABEL org.opencontainers.image.base.name="splice-web-ui:${base_version}"
 COPY --from=splice app/splice-node/web-uis/wallet /usr/share/nginx/html/
 COPY config.js /tmpl/config.js.tmpl
 COPY --chmod=500 docker-entrypoint.sh /custom-docker-entrypoint.sh
+
+USER root
+RUN chown -R nginx:nginx /tmpl
+RUN chown nginx:nginx /custom-docker-entrypoint.sh
+RUN chown -R nginx:nginx /usr/share/nginx/html
+USER nginx

docs/src/release_notes.rst

@@ -11,6 +11,11 @@ Release Notes
 Upcoming
 --------
 
+  - Docker images
+
+    - All UI images now use a non-root user.
+
+
 0.4.18
 ------
 
@@ -43,7 +48,6 @@ Upcoming
 
     - Implement changes from CIP-78 CC Fee Removal.
 
-
 0.4.17
 ------