fix: run docker image as non-root (#795)

* do not use apk update explicitely * change user root to node
2019-03-30 01:45:31 +01:00
parent cce466e8f5
commit 16d88a7c7a
1 changed files with 14 additions and 15 deletions
--- a/dev/build/Dockerfile
+++ b/dev/build/Dockerfile
@@ -3,9 +3,7 @@
 # ====================
 FROM node:10.15-alpine AS assets

-RUN apk update && \
-    apk add yarn g++ make python --no-cache && \
-    rm -rf /var/cache/apk/*
+RUN apk add yarn g++ make python --no-cache

 WORKDIR /wiki

@@ -28,22 +26,23 @@ RUN yarn --production --frozen-lockfile --non-interactive
 FROM node:10.15-alpine
 LABEL maintainer="requarks.io"

-RUN apk update && \
-    apk add bash curl git openssh gnupg sqlite --no-cache && \
-    rm -rf /var/cache/apk/* && \
+RUN apk add bash curl git openssh gnupg sqlite --no-cache && \
    mkdir -p /wiki && \
-    mkdir -p /logs
+    mkdir -p /logs && \
+    chown -R node:node /wiki /logs

 WORKDIR /wiki

-COPY --from=assets /wiki/assets ./assets
-COPY --from=assets /wiki/node_modules ./node_modules
-COPY ./server ./server
-COPY --from=assets /wiki/server/views ./server/views
-COPY ./dev/build/config.yml ./config.yml
-COPY ./dev/docker-common/wait.sh ./wait.sh
-COPY ./package.json ./package.json
-COPY ./LICENSE ./LICENSE
+COPY --chown=node:node --from=assets /wiki/assets ./assets
+COPY --chown=node:node --from=assets /wiki/node_modules ./node_modules
+COPY --chown=node:node ./server ./server
+COPY --chown=node:node --from=assets /wiki/server/views ./server/views
+COPY --chown=node:node ./dev/build/config.yml ./config.yml
+COPY --chown=node:node ./dev/docker-common/wait.sh ./wait.sh
+COPY --chown=node:node ./package.json ./package.json
+COPY --chown=node:node ./LICENSE ./LICENSE
+
+USER node

 EXPOSE 3000