use su-exec

docker/Dockerfile

@@ -29,6 +29,17 @@ RUN --mount=type=cache,target=/usr/local/share/.cache/yarn \
 
 
 
+##
+## deps-resolver-prod
+##
+FROM deps-resolver AS deps-resolver-prod
+
+# shrink dependencies for production
+RUN --mount=type=cache,target=/usr/local/share/.cache/yarn \
+  yarn install --production
+
+
+
 ##
 ## prebuilder-default
 ##
@@ -51,27 +62,28 @@ COPY docker/nocdn/env.prod.js ${appDir}/config/
 
 
 
+##
+## prebuilder (alias)
+##
+FROM prebuilder-${flavor} AS prebuilder
+
+
+
 ##
 ## builder
 ##
-FROM prebuilder-${flavor} AS builder
+FROM deps-resolver AS builder
 
 ENV appDir /opt/growi
 
-COPY --from=deps-resolver ${appDir}/node_modules ${appDir}/node_modules
-
-WORKDIR ${appDir}
+COPY --from=prebuilder ${appDir} ${appDir}
 
 # build
 RUN yarn build:prod
 
-# shrink dependencies for production
-RUN --mount=type=cache,target=/usr/local/share/.cache/yarn \
-  yarn install --production
-
-# remove unnecessary files
+# remove except artifacts
 WORKDIR /tmp
-RUN --mount=target=. sh docker/bin/remove-unnecessary-files.sh
+RUN --mount=target=. sh docker/bin/remove-except-artifacts.sh
 WORKDIR ${appDir}
 
 
@@ -86,17 +98,20 @@ ENV appDir /opt/growi
 
 # install tini
 RUN --mount=type=cache,target=/var/cache/apk \
-  apk add tini
+  apk add tini su-exec
 
 COPY docker/docker-entrypoint.sh /
+RUN chmod 700 /docker-entrypoint.sh
+
+COPY --from=deps-resolver-prod --chown=node:node \
+  ${appDir}/node_modules ${appDir}/node_modules
 COPY --from=builder --chown=node:node \
   ${appDir} ${appDir}
 
 WORKDIR ${appDir}
 
-USER node
 VOLUME /data
 EXPOSE 3000
 
-ENTRYPOINT ["/docker-entrypoint.sh"]
+ENTRYPOINT ["/sbin/tini", "-e", "143", "--", "/docker-entrypoint.sh"]
 CMD ["yarn", "server:prod"]

docker/Dockerfile.dockerignore

@@ -0,0 +1,14 @@
+.git
+.github
+.vscode
+node_modules
+src/linter-checker
+src/test
+.editorconfig
+.eslint*
+.gitignore
+.prettier*
+.stylelint*
+app.json
+Procfile
+wercker.yml

docker/bin/remove-except-artifacts.sh

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+set -e
+
+rm -rf \
+  ${appDir}/bin \
+  ${appDir}/docker \
+  ${appDir}/node_modules \
+  ${appDir}/src/client \
+  ${appDir}/babel.config.js \

docker/bin/remove-unnecessary-files.sh

@@ -1,21 +0,0 @@
-#!/bin/sh
-
-set -e
-
-rm -rf \
-  ${appDir}/.github \
-  ${appDir}/.vscode \
-  ${appDir}/bin \
-  ${appDir}/docker \
-  ${appDir}/src/client \
-  ${appDir}/src/linter-checker \
-  ${appDir}/src/test \
-  ${appDir}/.editorconfig \
-  ${appDir}/.eslint* \
-  ${appDir}/.gitignore \
-  ${appDir}/.prettier* \
-  ${appDir}/.stylelint* \
-  ${appDir}/app.json \
-  ${appDir}/babel.config.js \
-  ${appDir}/Procfile \
-  ${appDir}/wercker.yml

docker/docker-entrypoint.sh

@@ -1,14 +1,14 @@
-#!/bin/sh
-
-set -e
-
-# Corresponds to `FILE_UPLOAD=local`
-mkdir -p /data/uploads
-if [ ! -e "$APP_DIR/public/uploads" ]; then
-  ln -s /data/uploads $APP_DIR/public/uploads
-fi
-
-chown node:node /data/uploads
-chown -h node:node $appDir/public/uploads
-
-exec "/sbin/tini -e 143 -- $@"
+#!/bin/sh
+
+set -e
+
+# Support `FILE_UPLOAD=local`
+mkdir -p /data/uploads
+if [ ! -e "$appDir/public/uploads" ]; then
+  ln -s /data/uploads $appDir/public/uploads
+fi
+
+chown node:node /data/uploads
+chown -h node:node $appDir/public/uploads
+
+su-exec node $@