authorTakuya Yoshida <hawaiianphoto@geekhost.net>2023-01-14 21:09:11 +0900
committerGitHub <noreply@github.com>2023-01-14 21:09:11 +0900
commite1bd61c70ee512a90666904eba8cf279f4366808 (patch)
treecb09e028469e1ff94db8d42fd5f21f95df0e172b /Dockerfile
parentNew Crowdin updates (#9552) (diff)
Change docker user to non-root (#9560)
Diffstat (limited to 'Dockerfile')
-rw-r--r--Dockerfile30
1 files changed, 19 insertions, 11 deletions
diff --git a/Dockerfile b/Dockerfile
index 2383b5dc27..a86686426f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,6 @@
-FROM node:18.13.0-bullseye AS builder
+ARG NODE_VERSION=18.13.0-bullseye
+
+FROM node:${NODE_VERSION} AS builder
ARG NODE_ENV=production
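Review bot: Nothing near the new `ARG NODE_VERSION` tells a builder that the value must name a tag that also exists with a `-slim` suffix, although the runner stage in the next hunk appends that suffix in `FROM node:${NODE_VERSION}-slim`. A comment above the ARG would cover it, for example `# Must be a node image tag that also has a -slim variant; used by both the builder and runner stages`. Because the base image can now be swapped with `--build-arg`, release builds should keep the default and treat any override as a reviewed change.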
@@ -22,23 +24,29 @@ COPY . ./
RUN git submodule update --init
RUN yarn build
-FROM node:18.13.0-bullseye-slim AS runner
+FROM node:${NODE_VERSION}-slim AS runner
-WORKDIR /misskey
+ARG UID="991"
+ARG GID="991"
RUN apt-get update \
&& apt-get install -y --no-install-recommends \
ffmpeg tini \
&& apt-get -y clean \
- && rm -rf /var/lib/apt/lists/*
+ && rm -rf /var/lib/apt/lists/* \
+ && groupadd -g "${GID}" misskey \
+ && useradd -l -u "${UID}" -g "${GID}" -m -d /misskey misskey
-COPY --from=builder /misskey/.yarn/install-state.gz ./.yarn/install-state.gz
-COPY --from=builder /misskey/node_modules ./node_modules
-COPY --from=builder /misskey/built ./built
-COPY --from=builder /misskey/packages/backend/node_modules ./packages/backend/node_modules
-COPY --from=builder /misskey/packages/backend/built ./packages/backend/built
-COPY --from=builder /misskey/packages/frontend/node_modules ./packages/frontend/node_modules
-COPY . ./
+USER misskey
+WORKDIR /misskey
+
+COPY --chown=misskey:misskey --from=builder /misskey/.yarn/install-state.gz ./.yarn/install-state.gz
+COPY --chown=misskey:misskey --from=builder /misskey/node_modules ./node_modules
+COPY --chown=misskey:misskey --from=builder /misskey/built ./built
+COPY --chown=misskey:misskey --from=builder /misskey/packages/backend/node_modules ./packages/backend/node_modules
+COPY --chown=misskey:misskey --from=builder /misskey/packages/backend/built ./packages/backend/built
+COPY --chown=misskey:misskey --from=builder /misskey/packages/frontend/node_modules ./packages/frontend/node_modules
+COPY --chown=misskey:misskey . ./
ENV NODE_ENV=production
ENTRYPOINT ["/usr/bin/tini", "--"]
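Review bot: The `COPY --chown=misskey:misskey` lines leave the whole application tree, including `node_modules` and `built`, writable by the account the service runs as, so a compromised Node process could still rewrite its own code even though it no longer runs as root. Consider leaving the copied code owned by root and giving `misskey` ownership only of the paths the service must write at runtime (presumably the uploads directory; confirm against the app). `USER misskey` could also be written as `USER ${UID}:${GID}`, since runtimes that enforce a non-root policy generally need a numeric id to verify it. Volumes or bind mounts under `/misskey` that were created while the container ran as root will likely need a one-time chown to the new UID/GID, which deserves a line in the upgrade notes. The runner stage may continue past the last line of this hunk.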