docker containers: add non-root user (#7399)

* add non-root user

* using -g more clearly expresses the intent of setting the primary group for the new user

* no cache

* read only

* specific perm

docker/Dockerfile.rocksdb_large_local

@@ -15,7 +15,11 @@ COPY --from=builder /go/bin/weed /usr/bin/
 RUN mkdir -p /etc/seaweedfs
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/filer_rocksdb.toml /etc/seaweedfs/filer.toml
 COPY --from=builder /go/src/github.com/seaweedfs/seaweedfs/docker/entrypoint.sh /entrypoint.sh
-RUN apk add fuse snappy gflags tmux
+
+# Install dependencies and create non-root user
+RUN apk add --no-cache fuse snappy gflags tmux && \
+    addgroup -g 1000 seaweed && \
+    adduser -D -u 1000 -g seaweed seaweed
 
 # volume server gprc port
 EXPOSE 18080
@@ -34,12 +38,16 @@ EXPOSE 8333
 # webdav server http port
 EXPOSE 7333
 
-RUN mkdir -p /data/filer_rocksdb
+# Create data directory and set proper ownership for seaweed user
+RUN mkdir -p /data/filer_rocksdb && \
+    chown -R seaweed:seaweed /data && \
+    chmod 755 /entrypoint.sh
 
 VOLUME /data
 
 WORKDIR /data
 
-RUN chmod +x /entrypoint.sh
+# Switch to non-root user
+USER seaweed
 
 ENTRYPOINT ["/entrypoint.sh"]