RHAIENG-287: fix(Dockerfiles): use USER 1001 to avoid Hadolint DL3002 warning

jiridanek · jiridanek · commit 06e5d7f973f0 · 2025-09-26T00:14:05.000+02:00
```
./jupyter/trustyai/ubi9-python-3.12/Dockerfile.cpu:23 DL3002 warning: Last USER should not be root
./runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu:104 DL3002 warning: Last USER should not be root
./runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu:182 DL3002 warning: Last USER should not be root
./runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu:206 DL3002 warning: Last USER should not be root
./runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu:231 DL3002 warning: Last USER should not be root
./codeserver/ubi9-python-3.12/Dockerfile.cpu:12 DL3002 warning: Last USER should not be root
./codeserver/ubi9-python-3.12/Dockerfile.cpu:38 DL3002 warning: Last USER should not be root
```
diff --git a/codeserver/ubi9-python-3.12/Dockerfile.cpu b/codeserver/ubi9-python-3.12/Dockerfile.cpu
@@ -30,6 +30,9 @@ COPY ${CODESERVER_SOURCE_CODE}/get_code_server_rpm.sh .
 # create dummy file to ensure this stage is awaited before installing rpm
 RUN ./get_code_server_rpm.sh && touch /tmp/control
 
+# Switch back to non-root user to satisfy hadolint DL3002
+USER 1001
+
 #######################
 # wheel caching stage #
 #######################
@@ -61,6 +64,9 @@ RUN --mount=type=cache,target=/root/.cache/uv \
 # dummy file to make image build wait for this stage
 RUN touch /tmp/control
 
+# Switch back to non-root user to satisfy hadolint DL3002
+USER 1001
+
 ####################
 # cpu-base         #
 ####################
@@ -284,5 +290,5 @@ set -Eeuxo pipefail
 python3 /tmp/test/test_startup.py 2>&1 | tee /tmp/test_log.txt
 EOF
 
-from codeserver
+FROM codeserver
 COPY --from=tests /tmp/test_log.txt /tmp/test_log.txt
diff --git a/jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu b/jupyter/datascience/ubi9-python-3.12/Dockerfile.cpu
@@ -166,6 +166,9 @@ RUN --mount=type=cache,target=/root/.cache/pip \
         mkdir -p /tmp/wheels; \
     fi
 
+# Switch back to non-root user to satisfy hadolint DL3002
+USER 1001
+
 #######################################################
 # common-builder (for Power-only)
 #######################################################
@@ -182,6 +185,9 @@ else
 fi
 EOF
 
+# Switch back to non-root user to satisfy hadolint DL3002
+USER 1001
+
 #######################################################
 # onnx-builder (Power-only)
 #######################################################
diff --git a/jupyter/trustyai/ubi9-python-3.12/Dockerfile.cpu b/jupyter/trustyai/ubi9-python-3.12/Dockerfile.cpu
@@ -37,6 +37,9 @@ RUN --mount=type=cache,target=/root/.cache/uv \
     #  we often don't know the correct hashes and `--require-hashes` would therefore fail on non amd64, where building is common.
     UV_LINK_MODE=copy uv pip install --strict --no-deps --refresh --no-config --no-progress --verify-hashes --compile-bytecode --index-strategy=unsafe-best-match --requirements=./pylock.toml
 
+# Switch back to non-root user to satisfy hadolint DL3002
+USER 1001
+
 ####################
 # cpu-base         #
 ####################
diff --git a/runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu b/runtimes/datascience/ubi9-python-3.12/Dockerfile.cpu
@@ -103,6 +103,9 @@ RUN curl -L https://mirror.openshift.com/pub/openshift-v4/$(uname -m)/clients/oc
     rm -f /tmp/openshift-client-linux.tar.gz
 # Install the oc client end
 
+# Switch back to non-root user to satisfy hadolint DL3002
+USER 1001
+
 ##############################
 # wheel-builder stage        #
 # NOTE: Only used in s390x
@@ -183,6 +186,9 @@ RUN --mount=type=cache,target=/root/.cache/pip \
         mkdir -p /tmp/wheels; \
     fi
 
+# Switch back to non-root user to satisfy hadolint DL3002
+USER 1001
+
 ###################################
 # openblas builder stage for ppc64le
 ##################################
@@ -207,6 +213,9 @@ RUN if [ "$TARGETARCH" = "ppc64le" ]; then \
         echo "Not ppc64le, skipping OpenBLAS build" && mkdir -p /root/OpenBLAS-dummy; \
     fi
 
+# Switch back to non-root user to satisfy hadolint DL3002
+USER 1001
+
 ###################################
 # onnx builder stage for ppc64le
 ###################################
@@ -233,6 +242,9 @@ RUN if [ "$TARGETARCH" = "ppc64le" ]; then \
         echo "Not ppc64le, skipping ONNX build" && mkdir -p /onnx_wheels; \
     fi
 
+# Switch back to non-root user to satisfy hadolint DL3002
+USER 1001
+
 ###################################
 # pyarrow builder stage for ppc64le
 ##################################
@@ -291,6 +303,9 @@ RUN if [ "$TARGETARCH" = "ppc64le" ]; then \
         echo "Not ppc64le, skipping pyarrow build" && mkdir -p /arrowwheels; \
     fi
 
+# Switch back to non-root user to satisfy hadolint DL3002
+USER 1001
+
 #######################
 # runtime-datascience #
 #######################
