From be3d999c21850425cd5fb573726941e780950370 Mon Sep 17 00:00:00 2001
From: tobi <31960611+tsmethurst@users.noreply.github.com>
Date: Sat, 19 Nov 2022 10:18:01 +0100
Subject: [PATCH] [chore] Little Dockerfile updates (#1071)

* [chore] Little Dockerfile updates

* update comment on USER directive (thanks chris)
---
 Dockerfile | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 5e72d4be2..abb8c1947 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,6 @@
 # syntax=docker/dockerfile:1.3
+# Dockerfile reference: https://docs.docker.com/engine/reference/builder/
+
 # stage 1: generate up-to-date swagger.yaml to put in the final container
 FROM --platform=${BUILDPLATFORM} quay.io/goswagger/swagger:v0.30.0 AS swagger
 
@@ -20,6 +22,20 @@ RUN yarn install --cwd web/source && \
 # stage 3: build the executor container
 FROM --platform=${TARGETPLATFORM} alpine:3.15.4 as executor
 
+# switch to non-root user:group for GtS
+USER 1000:1000
+
+# Because we're doing multi-arch builds we can't easily do `RUN mkdir [...]`
+# but we can hack around that by having docker's WORKDIR make the dirs for
+# us, as the user created above.
+#
+# See https://docs.docker.com/engine/reference/builder/#workdir
+#
+# First make sure storage exists + is owned by 1000:1000, then go back
+# to just /gotosocial, where we'll run from
+WORKDIR "/gotosocial/storage"
+WORKDIR "/gotosocial"
+
 # copy the dist binary created by goreleaser or build.sh
 COPY --chown=1000:1000 gotosocial /gotosocial/gotosocial
 
@@ -27,5 +43,5 @@ COPY --chown=1000:1000 gotosocial /gotosocial/gotosocial
 COPY --chown=1000:1000 --from=bundler web /gotosocial/web
 COPY --chown=1000:1000 --from=swagger /go/src/github.com/superseriousbusiness/gotosocial/swagger.yaml web/assets/swagger.yaml
 
-WORKDIR "/gotosocial"
+VOLUME [ "/gotosocial/storage" ]
 ENTRYPOINT [ "/gotosocial/gotosocial", "server", "start" ]
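Review bot: In the `@@ -20,6 +22,20 @@` hunk the added comment says WORKDIR makes the directories "as the user created above", but `USER 1000:1000` creates no account; it only selects a numeric UID:GID. The ownership of `/gotosocial/storage` therefore rests on the builder applying USER to directories that WORKDIR creates. BuildKit does this, while the legacy builder, as far as I know, creates them as root, which would leave the non-root process unable to write its storage. I would reword the comment line to `# us, owned by the UID:GID selected above (relies on BuildKit applying USER to WORKDIR).` and have CI check the ownership of `/gotosocial/storage` in the built image. The executor stage continues past the end of this hunk.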
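Review bot: In the `@@ -27,5 +43,5 @@` hunk the swagger COPY keeps a relative destination, `web/assets/swagger.yaml`, which now resolves under `/gotosocial` because `WORKDIR "/gotosocial"` has moved ahead of it; before this commit it presumably resolved under `/`, as no WORKDIR preceded it in this stage. If the move is intended, make it explicit with an absolute destination: `COPY --chown=1000:1000 --from=swagger /go/src/github.com/superseriousbusiness/gotosocial/swagger.yaml /gotosocial/web/assets/swagger.yaml`. The new `VOLUME` line also deserves a comment such as `# a bind-mounted host directory must be writable by 1000:1000; image ownership does not carry over`, so operators who hit permission errors do not fall back to running the container as root.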