wip: run docker as unprivileged user #20

dockerfile

@@ -1,21 +1,32 @@
+# Build
+FROM node:16.17-bullseye-slim AS builder
+ENV HOME /k2
+COPY . ${HOME}
+WORKDIR ${HOME}
+RUN yarn
+
+# Copy to slim image
 FROM node:16.17-bullseye-slim
 LABEL maintainer "<[email protected]>"
 
 # In case you use an apt proxy somewhere
-# RUN printf "Acquire::http::Proxy \"http://pwaite:3142\";" > /etc/apt/apt.conf.d/01local-proxy
-
+# RUN printf "Acquire::http::Proxy \"http://pwaite:3142\";" > /etc/apt/apt.conf.d/01local-proxy
 # Install curl for healthechk purpose
-RUN apt-get -y update && apt-get -y install curl gdal-bin
-
-EXPOSE 8080
+# gdal-bin is required for elevation service
+RUN \
+  DEBIAN_FRONTEND=noninteractive && \
+  apt-get update && \
+  apt-get --no-install-recommends --yes install \
+    curl \
+    ca-certificates \
+    gdal-bin && \
+  apt-get clean && \
+  rm -rf /var/lib/apt/lists/*
 
 ENV HOME /k2
-RUN mkdir ${HOME}
-
-COPY . ${HOME}
-
+COPY --from=builder --chown=node:node ${HOME} ${HOME}
 WORKDIR ${HOME}
 
-RUN yarn
-
+EXPOSE 8080
+USER node
 CMD yarn run start