set non-root user at build-time

Dockerfile

@@ -91,12 +91,18 @@ RUN wget -q https://unofficial-builds.nodejs.org/download/release/v$NODE_VERSION
 # Clean
  && npm -g --force cache clean && yarn cache clean \
  && apk del build-dependencies \
- && rm -rf /var/cache/apk/* /tmp/src
+ && rm -rf /var/cache/apk/* /tmp/src \
 
-COPY rootfs /
+# Create mastodon user \
+ && adduser -g ${GID} -u ${UID} --disabled-password --gecos "" mastodon \
+ && chown -R mastodon:mastodon /mastodon
+
+COPY --chown=mastodon:mastodon rootfs /
 
 RUN chmod +x /usr/local/bin/* /etc/s6.d/*/* /etc/s6.d/.s6-svscan/*
 
+USER mastodon
+
 VOLUME /mastodon/public/system /mastodon/log
 
 EXPOSE 3000 4000

rootfs/usr/local/bin/run

@@ -23,22 +23,14 @@ Web       : /mastodon/log/web.log
 ---------------------------------------------
 "
 
-echo "Creating mastodon user..."
-addgroup -g ${GID} mastodon &>/dev/null
-adduser -h /mastodon -s /bin/sh -D -G mastodon -u ${UID} mastodon &>/dev/null
-
-echo "Updating permissions, this can take a while..."
-find /mastodon -path /mastodon/public/system -prune -o -print0 | xargs -0 chown -f mastodon:mastodon
-chown -R mastodon:mastodon /etc/s6.d
-
 if [ "$RUN_DB_MIGRATIONS" == "true" ]; then
   echo "Running database migrations task..."
-  su-exec mastodon:mastodon bundle exec rake db:migrate
+  bundle exec rake db:migrate
 fi
 
 echo "Executing process(es)..."
 if [ '$@' == '' ]; then
-    exec su-exec mastodon:mastodon /bin/s6-svscan /etc/s6.d
+    exec /bin/s6-svscan /etc/s6.d
 else
-    exec su-exec mastodon:mastodon "$@"
+    exec "$@"
 fi