From 76383a4be49438520cd7259270613202075f3b48 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Du=CC=88pmeier?=
Date: Wed, 5 Jan 2022 10:19:45 +0100
Subject: [PATCH 1/4] update base image => openjdk:11.0.13-jre-slim

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 7f292e1..96c3aba 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM openjdk:11.0.10-jre-slim
+FROM openjdk:11.0.13-jre-slim
 
 ENV CEREBRO_VERSION 0.9.4
 

From d49e0fae3aada54795d11c5b123f200cd1e9d0ba Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Du=CC=88pmeier?=
Date: Wed, 5 Jan 2022 10:22:31 +0100
Subject: [PATCH 2/4] use multi-stage build

---
 Dockerfile | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 96c3aba..08a3309 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,15 +1,19 @@
-FROM openjdk:11.0.13-jre-slim
+FROM openjdk:11.0.13-jre-slim as builder
 
 ENV CEREBRO_VERSION 0.9.4
 
 RUN apt-get update \
 && apt-get install -y wget \
- && rm -rf /var/lib/apt/lists/* \
 && mkdir -p /opt/cerebro/logs \
 && wget -qO- https://github.com/lmenezes/cerebro/releases/download/v${CEREBRO_VERSION}/cerebro-${CEREBRO_VERSION}.tgz \
 | tar xzv --strip-components 1 -C /opt/cerebro \
- && sed -i '//d' /opt/cerebro/conf/logback.xml \
- && addgroup -gid 1000 cerebro \
+ && sed -i '//d' /opt/cerebro/conf/logback.xml
+
+FROM openjdk:11.0.13-jre-slim
+
+COPY --from=builder /opt/cerebro /opt/cerebro
+
+RUN addgroup -gid 1000 cerebro \
 && adduser -gid 1000 -uid 1000 cerebro \
 && chown -R cerebro:cerebro /opt/cerebro
 

From 26b9c2f22e293333c3afa889ac6e88c208aafa16 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Du=CC=88pmeier?=
Date: Wed, 5 Jan 2022 10:24:13 +0100
Subject: [PATCH 3/4] create cerebro user without home

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 08a3309..7ff9cfa 100644
--- a/Dockerfile
+++ b/Dockerfile
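Review bot: The builder stage's `wget -qO- … | tar xzv` on the new RUN line fetches the release tarball without any integrity check, and the default `/bin/sh -c` has no pipefail, so a truncated or substituted download is caught only if tar happens to choke on it. Downloading to a file, checking it against a pinned SHA-256 and only then extracting keeps a build from silently shipping a tarball other than the one that was reviewed; the checksum in the fence is a labelled placeholder to fill in from the release. Note also that `ENV CEREBRO_VERSION` now lives only in the builder stage, so the final image no longer carries that variable — fine if nothing at runtime reads it, but worth checking. The `sed -i '//d'` expression reads as an empty regex here, which sed rejects at build time; if a tag was stripped in rendering, ignore this. WORKDIR and the rest of the final stage are outside this hunk.
```dockerfile
FROM openjdk:11.0.13-jre-slim as builder
SHELL ["/bin/bash", "-o", "pipefail", "-c"]

# … unchanged: ENV CEREBRO_VERSION, apt-get update/install wget, mkdir …
    && wget -qO /tmp/cerebro.tgz https://github.com/lmenezes/cerebro/releases/download/v${CEREBRO_VERSION}/cerebro-${CEREBRO_VERSION}.tgz \
    && echo "<SHA256_OF_CEREBRO_TARBALL_PLACEHOLDER>  /tmp/cerebro.tgz" | sha256sum -c - \
    && tar xzv --strip-components 1 -C /opt/cerebro -f /tmp/cerebro.tgz \
    && rm /tmp/cerebro.tgz \
    && sed -i '//d' /opt/cerebro/conf/logback.xml
```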
@@ -14,7 +14,7 @@ FROM openjdk:11.0.13-jre-slim
 COPY --from=builder /opt/cerebro /opt/cerebro
 
 RUN addgroup -gid 1000 cerebro \
- && adduser -gid 1000 -uid 1000 cerebro \
+ && adduser -q --system --no-create-home --disabled-login -gid 1000 -uid 1000 cerebro \
 && chown -R cerebro:cerebro /opt/cerebro
 
 WORKDIR /opt/cerebro

From 28657e94b70a707a72f935f3886cc53da95101b8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jan=20Du=CC=88pmeier?=
Date: Wed, 5 Jan 2022 10:37:16 +0100
Subject: [PATCH 4/4] allow cerebro user only to write files it must

---
 Dockerfile | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 7ff9cfa..7411ca0 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -15,7 +15,9 @@ COPY --from=builder /opt/cerebro /opt/cerebro
 
 RUN addgroup -gid 1000 cerebro \
 && adduser -q --system --no-create-home --disabled-login -gid 1000 -uid 1000 cerebro \
- && chown -R cerebro:cerebro /opt/cerebro
+ && chown -R root:root /opt/cerebro \
+ && chown -R cerebro:cerebro /opt/cerebro/logs \
+ && chown cerebro:cerebro /opt/cerebro
 
 WORKDIR /opt/cerebro
 USER cerebro
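Review bot: `--disabled-login` on the new adduser line is redundant with `--system`, which in Debian's adduser already gives the account a nologin shell and a locked password, and the single-dash `-gid`/`-uid` spellings appear to work only because the option parser tolerates them — the documented forms are `--gid`/`--uid`. `--uid` is honoured as given, so the account lands at 1000 rather than inside Debian's 100–999 system-UID range; harmless in a container, but worth a one-line comment so nobody later "corrects" it. `&& adduser --system --no-create-home --uid 1000 --gid 1000 cerebro \` expresses the same intent in the documented spelling. The RUN continues into the chown line shown, and `USER cerebro` is set further down, outside this hunk.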
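Review bot: The final `chown cerebro:cerebro /opt/cerebro` undercuts the hardening this commit aims for: write permission on the parent directory lets the cerebro process rename the root-owned entries beneath it (`conf` included) out of the way and drop replacements in their place, even though it cannot modify the files themselves. If the application must write into its working directory — its data file, if the shipped configuration still puts it there (confirm) — give it a dedicated subdirectory and keep `/opt/cerebro` itself root-owned: `&& mkdir -p /opt/cerebro/data \` and `&& chown -R cerebro:cerebro /opt/cerebro/logs /opt/cerebro/data`, dropping the last chown. The preceding `chown -R root:root /opt/cerebro` also rewrites every copied file into a new layer; `COPY --from=builder --chown=root:root /opt/cerebro /opt/cerebro` on the COPY line just above the hunk (or `tar --no-same-owner` in the builder) yields the same ownership without duplicating the tree. WORKDIR and USER are the hunk's trailing context; nothing below them is visible here.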