Change docker user to non-root (#9560)

2023-01-14 21:09:11 +09:00 · 2023-01-14 21:09:11 +09:00 · e1bd61c70e
commit e1bd61c70e
parent 0296f841c3
1 changed files with 19 additions and 11 deletions
--- a/30
+++ b/30
@ -1,4 +1,6 @@
-FROM node:18.13.0-bullseye AS builder
+ARG NODE_VERSION=18.13.0-bullseye
 FROM node:${NODE_VERSION} AS builder
 ARG NODE_ENV=production
@ -22,23 +24,29 @@ COPY . ./
 RUN git submodule update --init
 RUN yarn build
-FROM node:18.13.0-bullseye-slim AS runner
+FROM node:${NODE_VERSION}-slim AS runner
-WORKDIR /misskey
+ARG UID="991"
 ARG GID="991"
 RUN apt-get update \
 	&& apt-get install -y --no-install-recommends \
 	ffmpeg tini \
 	&& apt-get -y clean \
-	&& rm -rf /var/lib/apt/lists/*
+	&& rm -rf /var/lib/apt/lists/* \
 	&& groupadd -g "${GID}" misskey \
 	&& useradd -l -u "${UID}" -g "${GID}" -m -d /misskey misskey
-COPY --from=builder /misskey/.yarn/install-state.gz ./.yarn/install-state.gz
+USER misskey
-COPY --from=builder /misskey/node_modules ./node_modules
+WORKDIR /misskey
-COPY --from=builder /misskey/built ./built
+
-COPY --from=builder /misskey/packages/backend/node_modules ./packages/backend/node_modules
+COPY --chown=misskey:misskey --from=builder /misskey/.yarn/install-state.gz ./.yarn/install-state.gz
-COPY --from=builder /misskey/packages/backend/built ./packages/backend/built
+COPY --chown=misskey:misskey --from=builder /misskey/node_modules ./node_modules
-COPY --from=builder /misskey/packages/frontend/node_modules ./packages/frontend/node_modules
+COPY --chown=misskey:misskey --from=builder /misskey/built ./built
-COPY . ./
+COPY --chown=misskey:misskey --from=builder /misskey/packages/backend/node_modules ./packages/backend/node_modules
 COPY --chown=misskey:misskey --from=builder /misskey/packages/backend/built ./packages/backend/built
 COPY --chown=misskey:misskey --from=builder /misskey/packages/frontend/node_modules ./packages/frontend/node_modules
 COPY --chown=misskey:misskey . ./
 ENV NODE_ENV=production
 ENTRYPOINT ["/usr/bin/tini", "--"]