From c534d5949bddf4b4378714ec36c8bda4c597eec9 Mon Sep 17 00:00:00 2001
From: Luca Sacchi Ricciardi
Date: Tue, 24 Mar 2026 22:29:41 +0100
Subject: [PATCH] feat(02-03): create docker-compose.yml with user directive
- Defines service with local image build
- Specifies user directive (1000:1000) for non-root execution
- Includes container_name for easy reference
- Follows INF-01 requirement (no root)
- Enables test scripts to verify configuration
Co-Authored-By: Claude Opus 4.6
---
labs/lab-01-iam/docker-compose.yml | 37 ++++++++++++++++++++++++++++++
1 file changed, 37 insertions(+)
create mode 100644 labs/lab-01-iam/docker-compose.yml
diff --git a/labs/lab-01-iam/docker-compose.yml b/labs/lab-01-iam/docker-compose.yml
new file mode 100644
index 0000000..c0836f0
--- /dev/null
+++ b/labs/lab-01-iam/docker-compose.yml
@@ -0,0 +1,37 @@
+# Lab 01 - IAM & Sicurezza
+# Docker Compose configuration per container non-root
+#
+# Questo file definisce i servizi per il lab, assicurandosi che
+# TUTTI i container girino come utente non-root (INF-01).
+
+version: "3.8"
+
+services:
+ # Container di test per verificare l'esecuzione non-root
+ lab01-test:
+ build:
+ context: .
+ dockerfile: Dockerfile
+ image: lab01-non-root:latest
+ container_name: lab01-iam-test
+ # CRITICO: user directive assicura esecuzione non-root (INF-01)
+ # Format: UID:GID
+ # 1000:1000 corrisponde all'utente labuser creato nel Dockerfile
+ user: "1000:1000"
+ # Non esponiamo porte (non necessario per questo lab)
+ # Le porte private non devono essere esposte sull'host (best practice)
+ restart: unless-stopped
+ # Nessun volume mount necessario per questo lab semplice
+ # I volumi saranno introdotti nei lab successivi
+ healthcheck:
+ # Healthcheck per verificare che il container sia sano
+ test: ["CMD", "sh", "-c", "whoami | grep -q labuser"]
+ interval: 30s
+ timeout: 5s
+ retries: 3
+ start_period: 5s
+
+# Nessuna rete definita - useremo la default bridge network
+# Le reti custom isolate saranno introdotte nel Lab 02 (Network & VPC)
+
+# Nessun volume definito - i volumi saranno introdotti nel Lab 04 (Storage & S3)
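Review bot: The `user: "1000:1000"` line on `lab01-test` is the only privilege restriction in the service, and a non-root UID by itself does not stop a process from regaining privileges through a setuid or file-capability binary in the image. Since the file's stated goal is INF-01, I would add `security_opt: ["no-new-privileges:true"]` and `cap_drop: ["ALL"]` next to `user:`, and `read_only: true` if the image (its Dockerfile is not visible here) does not write to its root filesystem. The healthcheck's `grep -q labuser` is a substring match, so a name such as `labuser2` would also pass; `grep -qx labuser`, or comparing `id -u` with `1000`, pins the intended identity. The closing comment also looks inaccurate: with no `networks:` key Compose attaches the service to a project-scoped default network rather than Docker's built-in `bridge`, which is worth stating correctly before Lab 02 builds on it.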