Fix non-root user definition to improve security

**What**
- Fix a bug where the non-root user that is defined does not have the
required permissions to use the `root` dir or conda.  This should
improve function security by not running as root by default

Signed-off-by: Lucas Roesler <roesler.lucas@gmail.com>

Author: LucasRoesler

template/pydatatscience-web/Dockerfile

@@ -1,32 +1,36 @@
-
 FROM python:3-slim
 
 # Allows you to add additional packages via build-arg
 ARG ADDITIONAL_PACKAGE
 ARG CHANNEL=pytorch
 
+RUN addgroup app && adduser app --system --ingroup app \
+    && mkdir -p /opt/conda && chown -R app /opt/conda \
+    && chown -R app /root && chmod -R go+rX /root
+
+ENV HOME /home/app
+ENV PATH=$HOME/conda/bin:$PATH
+
 RUN apt-get update \
     && apt-get -y install curl bzip2 ${ADDITIONAL_PACKAGE} \
-    && curl -sSL https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh -o /tmp/miniconda.sh \
     && curl -sSL https://github.com/openfaas-incubator/of-watchdog/releases/download/0.5.1/of-watchdog > /usr/bin/fwatchdog \
-    && bash /tmp/miniconda.sh -bfp /usr/local \
-    && rm -rf /tmp/miniconda.sh \
-    && conda install -y python=3 \
-    && conda update conda \
-    && apt-get -qq -y remove curl bzip2 \
+    && curl -sSL https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh -o /tmp/miniconda.sh \
+    && chown app /tmp/miniconda.sh \
+    && apt-get -qq -y remove curl \
     && apt-get -qq -y autoremove \
     && apt-get autoclean \
     && rm -rf /var/lib/apt/lists/* /var/log/dpkg.log \
-    && conda clean --all --yes \
     && chmod +x /usr/bin/fwatchdog
 
-ENV PATH /opt/conda/bin:$PATH
-
 # Add non root user
-RUN addgroup app && adduser app --system --ingroup app
-
-USER app
 WORKDIR /root/
+USER app
+
+RUN bash /tmp/miniconda.sh -bfp $HOME/conda \
+    && conda install -y python=3 \
+    && conda update conda \
+    && conda clean --all --yes \
+    && rm -rf /tmp/miniconda.sh
 
 COPY requirements.txt   .
 RUN conda install --file requirements.txt -c ${CHANNEL}

template/pydatatscience/Dockerfile

@@ -1,32 +1,36 @@
-
 FROM python:3-slim
 
 # Allows you to add additional packages via build-arg
 ARG ADDITIONAL_PACKAGE
 ARG CHANNEL=pytorch
 
+RUN addgroup app && adduser app --system --ingroup app \
+    && mkdir -p /opt/conda && chown -R app /opt/conda \
+    && chown -R app /root && chmod -R go+rX /root
+
+ENV HOME /home/app
+ENV PATH=$HOME/conda/bin:$PATH
+
 RUN apt-get update \
     && apt-get -y install curl bzip2 ${ADDITIONAL_PACKAGE} \
-    && curl -sSL https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh -o /tmp/miniconda.sh \
     && curl -sSL https://github.com/openfaas-incubator/of-watchdog/releases/download/0.5.1/of-watchdog > /usr/bin/fwatchdog \
-    && bash /tmp/miniconda.sh -bfp /usr/local \
-    && rm -rf /tmp/miniconda.sh \
-    && conda install -y python=3 \
-    && conda update conda \
-    && apt-get -qq -y remove curl bzip2 \
+    && curl -sSL https://repo.continuum.io/miniconda/Miniconda3-latest-Linux-x86_64.sh -o /tmp/miniconda.sh \
+    && chown app /tmp/miniconda.sh \
+    && apt-get -qq -y remove curl \
     && apt-get -qq -y autoremove \
     && apt-get autoclean \
     && rm -rf /var/lib/apt/lists/* /var/log/dpkg.log \
-    && conda clean --all --yes \
     && chmod +x /usr/bin/fwatchdog
 
-ENV PATH /opt/conda/bin:$PATH
-
 # Add non root user
-RUN addgroup app && adduser app --system --ingroup app
-
-USER app
 WORKDIR /root/
+USER app
+
+RUN bash /tmp/miniconda.sh -bfp $HOME/conda \
+    && conda install -y python=3 \
+    && conda update conda \
+    && conda clean --all --yes \
+    && rm -rf /tmp/miniconda.sh
 
 COPY requirements.txt   .
 RUN conda install --file requirements.txt -c ${CHANNEL}