From 3205129e7375eb1d71b743c52b3128882668288b Mon Sep 17 00:00:00 2001
From: Artem Titoulenko
Date: Sat, 25 Dec 2021 22:52:40 -0500
Subject: [PATCH] update dockerfile
---
 Dockerfile | 32 ++++++++++++++++++++++++++++----
 1 file changed, 28 insertions(+), 4 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 4d443a4..716b52c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,13 +1,28 @@
 FROM golang:1.17-alpine3.14 AS build
+RUN apk update && apk add --no-cache git ca-certificates && update-ca-certificates
+
+# Create appuser
+ENV USER=appuser
+ENV UID=10001
+
+RUN adduser \
+ --disabled-password \
+ --gecos "" \
+ --home "/nonexistent" \
+ --shell "/sbin/nologin" \
+ --no-create-home \
+ --uid "${UID}" \
+ "${USER}"
+
 WORKDIR /app
 COPY go.mod go.sum /app
 RUN go mod download
 COPY . /app
-RUN go build -ldflags="-s -w" -o /app/aim
-RUN chmod +x /app/aim
+RUN CGO_ENABLED=0 GOOS=linux GOARCH=amd64 go build -ldflags="-s -w" -o /app/aim
+RUN chmod +x /app/aim && chmod +rw /app/aim.db
-FROM golang:1.17-alpine3.14 AS prod
+FROM scratch AS prod
 WORKDIR /app
@@ -17,6 +32,15 @@ ARG OSCAR_PORT
 ARG OSCAR_BOS_HOST
 ARG OSCAR_BOS_PORT
+# Import from builder.
+COPY --from=build /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
+COPY --from=build /etc/passwd /etc/passwd
+COPY --from=build /etc/group /etc/group
 COPY --from=build /app/models /app/models
 COPY --from=build /app/aim /app/aim
-CMD ["/app/aim"]
+COPY --from=build /app/aim.db /app/aim.db
+
+# Use an unprivileged user.
+USER appuser:appuser
+
+ENTRYPOINT ["/app/aim"]
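Review bot: `chmod +rw /app/aim.db` in the build stage changes the mode but not the owner, so the database file is still root-owned when the prod stage switches to `appuser`. With no who-prefix, `+rw` is filtered by the umask, and under the usual 022 it adds write permission for root only. If the service writes to the database at runtime, uid 10001 will presumably be refused. Under a looser umask the same command would instead make the file world-writable. I would drop the chmod here and set ownership where the file enters the final image, in the second hunk: `COPY --from=build --chown=10001:10001 /app/aim.db /app/aim.db`. It is also worth confirming that `/app` itself, which `WORKDIR` creates as root, does not need to be writable by that user.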
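Review bot: `USER appuser:appuser` records a name rather than a uid in the image config. A runtime that enforces non-root by uid (Kubernetes `runAsNonRoot`) therefore cannot verify the user and rejects the container. Since the build stage already fixes `UID=10001`, I would write `USER 10001:10001` here, after confirming the gid against the builder's `/etc/group`. A short comment beside the `/etc/passwd` and `/etc/group` copies would also help, for example `# scratch has no user database; needed only for name lookups`, because those files bring every builder account into the final image.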