Add non-root user for naikan image

Closes gb-198
enofex · Dec 21, 2023 · c2ac41f · c2ac41f
1 parent db4834e
commit c2ac41f
Showing 1 changed file with 13 additions and 5 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,26 +1,34 @@
+# Build stage
 FROM eclipse-temurin:21-alpine AS builder
 ARG JAR_FILE=naikan-server/target/naikan-server.jar
 COPY ${JAR_FILE} application.jar
 RUN java -Djarmode=layertools -jar application.jar extract
 
+# Runtime stage
 FROM eclipse-temurin:21-alpine
+ARG USER=naikan
 
 RUN set -eux; \
 	apk update; \
-	apk add --no-cache fontconfig; \
-	apk add --no-cache ttf-dejavu; \
+	apk add --no-cache fontconfig ttf-dejavu tzdata; \
     rm -rf /var/cache/apk/*; \
-    apk add tzdata; \
     cp /usr/share/zoneinfo/UTC /etc/localtime; \
-    echo "UTC" > /etc/timezone;
+    echo "UTC" > /etc/timezone; \
+    adduser -D -s /bin/sh $USER
 
-VOLUME /tmp
+WORKDIR /home/$USER
 
 COPY --from=builder dependencies/ ./
 COPY --from=builder snapshot-dependencies/ ./
 COPY --from=builder spring-boot-loader/ ./
 COPY --from=builder application/ ./
 
+RUN chown -R $USER:$USER /home/$USER
+
+USER $USER
+
+VOLUME /tmp
+
 EXPOSE 8080
 
 ENTRYPOINT exec java $JAVA_OPTS $JAVA_TOOL_OPTIONS -Djava.security.egd=file:/dev/./urandom org.springframework.boot.loader.launch.JarLauncher