From e505e32920bd303c1bb3f0ccdff66d0365ff8c7d Mon Sep 17 00:00:00 2001
From: Axel Pontetto Wasik
Date: Wed, 11 Sep 2024 11:17:42 -0300
Subject: [PATCH 1/2] Add volume for node_modules
---
 docker-compose.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/docker-compose.yml b/docker-compose.yml
index 0c5580e8..96e26bd1 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -13,6 +13,7 @@ services:
 stdin_open: true
 volumes:
 - .:/src/app
+ - node_modules:/src/app/node_modules
 depends_on:
 - db
 links:
@@ -28,3 +29,4 @@ services:
 - 5432:5432
 volumes:
 db_data:
+ node_modules:
From 254e743cd112ca7f95493cded6d94dfa8356932e Mon Sep 17 00:00:00 2001
From: Axel Pontetto Wasik
Date: Mon, 16 Sep 2024 13:21:31 -0300
Subject: [PATCH 2/2] Update dockerfile to use a rootless user
---
 Dockerfile | 23 ++++++++++++++++++-----
 Dockerfile.dev | 19 +++++++++++++++----
 2 files changed, 33 insertions(+), 9 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index d186f53b..d6a457e8 100644
--- a/Dockerfile
+++ b/Dockerfile
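Review bot: The named volume added at `- node_modules:/src/app/node_modules` persists across image rebuilds, so once it exists the container keeps whatever `node_modules` it first captured and a later `yarn.lock` change baked into the image is silently shadowed; nothing in the hunk documents this. Stale dependencies surviving a lockfile bump is the case this pattern most often bites, and it shows up as "works on a fresh clone, fails on a long-lived checkout". A comment next to the mount, `# Named volume shadows the bind-mounted node_modules; remove it (docker compose down -v) after changing yarn.lock`, would make the trade-off explicit where it is introduced. The matching declaration in the second hunk (`node_modules:` under the top-level `volumes:`) needs no change beyond that.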
@@ -61,19 +61,32 @@ RUN apt-get update -qq && \
 apt-get install --no-install-recommends -y curl libpq-dev libvips libjemalloc2 && \
 apt-get clean
+ENV USERNAME rails_api_base
+ENV USER_UID 1000
+ENV USER_GID 1000
+
+# Create a rootless user.
+RUN groupadd --gid $USER_GID $USERNAME && \
+ useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+
 # Create app directory.
-RUN mkdir -p $APP_HOME
+RUN mkdir -p $APP_HOME && chown -R $USERNAME:$USERNAME $APP_HOME && chmod -R 700 $APP_HOME
+
+# Change to the rootless user.
+USER $USERNAME
 # Setup work directory.
 WORKDIR $APP_HOME
 # Copy everything from the builder image
-COPY --link . .
-COPY --from=builder $APP_HOME/public/ $APP_HOME/public/
-COPY --from=builder $APP_HOME/tmp/ $APP_HOME/tmp/
-COPY --from=builder $APP_HOME/vendor/ $APP_HOME/vendor/
+COPY --link --chown=$USERNAME:$USERNAME --chmod=700 . .
+COPY --from=builder --chown=$USERNAME:$USERNAME --chmod=700 $APP_HOME/public/ $APP_HOME/public/
+COPY --from=builder --chown=$USERNAME:$USERNAME --chmod=700 $APP_HOME/tmp/ $APP_HOME/tmp/
+COPY --from=builder --chown=$USERNAME:$USERNAME --chmod=700 $APP_HOME/vendor/ $APP_HOME/vendor/
+USER root
 RUN ln -s /usr/lib/*-linux-gnu/libjemalloc.so.2 /usr/lib/libjemalloc.so.2
+USER $USERNAME
 # Deployment options
 ENV RAILS_LOG_TO_STDOUT true
diff --git a/Dockerfile.dev b/Dockerfile.dev
index b9015792..514a9a33 100644
--- a/Dockerfile.dev
+++ b/Dockerfile.dev
@@ -21,8 +21,19 @@ ENV WORK_ROOT /src
 ENV APP_HOME $WORK_ROOT/app/
 ENV LANG C.UTF-8
+ENV USERNAME rails_api_base
+ENV USER_UID 1000
+ENV USER_GID 1000
+
+# Create a rootless user.
+RUN groupadd --gid $USER_GID $USERNAME && \
+ useradd --uid $USER_UID --gid $USER_GID -m $USERNAME
+
 # Create app directory.
-RUN mkdir -p $APP_HOME
+RUN mkdir -p $APP_HOME && chown -R $USERNAME:$USERNAME $APP_HOME && chmod -R 700 $APP_HOME
+
+# Change to the rootless user.
+USER $USERNAME
 # Setup work directory.
 WORKDIR $APP_HOME
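Review bot: `ENV USERNAME`, `ENV USER_UID` and `ENV USER_GID` are only needed while the image is built, but `ENV` also bakes them into every running container's environment; declaring them as `ARG USERNAME=rails_api_base`, `ARG USER_UID=1000`, `ARG USER_GID=1000` keeps them build-time only, still works for `USER $USERNAME` and the `groupadd`/`useradd` step, and makes them overridable with `--build-arg`. The same applies to the three `ENV` lines in the Dockerfile.dev hunk below. Separately, `--chmod=700` on the four `COPY` lines and `chmod -R 700 $APP_HOME` apply one mode to files and directories alike, so every regular file in the image ends up executable, which is more than the app needs; a post-copy `find $APP_HOME -type f -exec chmod 600 {} +` (run while still root) keeps directories traversable and files non-executable. The `USER root` / `USER $USERNAME` pair around `RUN ln -s ...` could also be avoided by moving that `RUN` line up to sit directly after the `apt-get clean` step, so the root phase of the build stays contiguous.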
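Review bot: In the Dockerfile.dev hunk the `chown -R` and `chmod -R 700 $APP_HOME` on the `RUN mkdir -p` line only affect the image layer, and docker-compose bind-mounts `.` over `/src/app` (`APP_HOME` is `$WORK_ROOT/app/` with `WORK_ROOT` set to `/src`), so at run time the source tree carries the host owner's uid and mode instead. Whether `rails_api_base` (uid 1000) can write anything under it then depends on the host user also being uid 1000, which the hunk neither checks nor documents. A comment above `ENV USER_UID 1000`, `# Must match the host user's uid for the bind-mounted source tree in docker-compose.yml to be writable`, would state the constraint where the value is set. The `groupadd`/`useradd -m` step itself is fine as written.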
@@ -30,13 +41,13 @@ WORKDIR $APP_HOME
 RUN gem install foreman bundler
 # Copy dependencies files and install libraries.
-COPY --link package.json yarn.lock ./
+COPY --link --chown=$USERNAME:$USERNAME --chmod=700 package.json yarn.lock ./
 RUN yarn install --frozen-lockfile
-COPY --link Gemfile Gemfile.lock ./
+COPY --link --chown=$USERNAME:$USERNAME --chmod=700 Gemfile Gemfile.lock ./
 RUN bundle install -j 4
-COPY --link . .
+COPY --link --chown=$USERNAME:$USERNAME --chmod=700 . .
 RUN yarn build