From 35267fc064861cfa5fe90d9cd44c58f5319e99ed Mon Sep 17 00:00:00 2001
From: ahmethakanbesel
Date: Tue, 23 Jan 2024 22:01:21 +0300
Subject: [PATCH 1/8] Use non-root user for production containers
---
 build/docker/production.Dockerfile | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/build/docker/production.Dockerfile b/build/docker/production.Dockerfile
index 7a3475547d06..8d7d58fa3a78 100644
--- a/build/docker/production.Dockerfile
+++ b/build/docker/production.Dockerfile
@@ -45,6 +45,7 @@ ARG LABEL_VERSION ARG LABEL_COMMIT RUN test -n "$LABEL_VERSION" RUN test -n "$LABEL_COMMIT" +RUN useradd -u 10001 ferretdb # use the same directories for Go caches as above ENV GOPATH /cache/gopath
@@ -102,6 +103,7 @@ FROM scratch AS production COPY --from=production-build /src/bin/ferretdb /ferretdb +USER ferretdb ENTRYPOINT [ "/ferretdb" ] WORKDIR /
From dbb67a044e7147213e35834a963e9cd5ef66f450 Mon Sep 17 00:00:00 2001
From: ahmethakanbesel
Date: Tue, 23 Jan 2024 22:13:43 +0300
Subject: [PATCH 2/8] Copy `/etc/passwd` from `production-build`
---
 build/docker/production.Dockerfile | 1 +
 1 file changed, 1 insertion(+)
diff --git a/build/docker/production.Dockerfile b/build/docker/production.Dockerfile
index 8d7d58fa3a78..cc3bf575c288 100644
--- a/build/docker/production.Dockerfile
+++ b/build/docker/production.Dockerfile
@@ -102,6 +102,7 @@ COPY --from=production-build /src/bin/ferretdb /ferretdb FROM scratch AS production COPY --from=production-build /src/bin/ferretdb /ferretdb +COPY --from=production-build /etc/passwd /etc/passwd USER ferretdb ENTRYPOINT [ "/ferretdb" ]
From 1798e9bde06189bb66a2c13bc96794c75a651438 Mon Sep 17 00:00:00 2001
From: ahmethakanbesel
Date: Wed, 24 Jan 2024 16:08:00 +0300
Subject: [PATCH 3/8] Use a static `passwd` file to create a non-root user
---
 build/docker/passwd | 1 +
 build/docker/production.Dockerfile | 3 +--
 2 files changed, 2 insertions(+), 2 deletions(-)
 create mode 100644 build/docker/passwd
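Review bot: Once `USER ferretdb` is in effect, every path in the scratch image is still root-owned, `WORKDIR /` included, so the process cannot create files anywhere in its own filesystem; if FerretDB persists anything (its `--state-dir` / `FERRETDB_STATE_DIR`, which defaults to the working directory if I remember correctly) or the stage declares a `VOLUME` below this hunk, that directory must exist in the image with matching ownership, e.g. `COPY --from=production-build --chown=10001:10001 /src/empty-dir /state`, because a runtime-created volume or directory is root-owned and unwritable for UID 10001. The production stage continues past `WORKDIR /` outside this hunk, so I cannot confirm from here whether such a writable path is needed; please check before merging. A short comment above `USER ferretdb`, `# everything below runs unprivileged; any writable path must be created above with --chown`, would keep later edits from reintroducing root-owned state.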
diff --git a/build/docker/passwd b/build/docker/passwd
new file mode 100644
index 000000000000..a058f7f11cf9
--- /dev/null
+++ b/build/docker/passwd
@@ -0,0 +1 @@
+ferretdb:x:10001:10001::/nonexistent:/nonexistent
\ No newline at end of file
diff --git a/build/docker/production.Dockerfile b/build/docker/production.Dockerfile
index cc3bf575c288..0d7ebbf5fb8a 100644
--- a/build/docker/production.Dockerfile
+++ b/build/docker/production.Dockerfile
@@ -45,7 +45,6 @@ ARG LABEL_VERSION ARG LABEL_COMMIT RUN test -n "$LABEL_VERSION" RUN test -n "$LABEL_COMMIT" -RUN useradd -u 10001 ferretdb # use the same directories for Go caches as above ENV GOPATH /cache/gopath
@@ -102,7 +101,7 @@ COPY --from=production-build /src/bin/ferretdb /ferretdb FROM scratch AS production COPY --from=production-build /src/bin/ferretdb /ferretdb -COPY --from=production-build /etc/passwd /etc/passwd +COPY --from=production-build /src/build/docker/passwd /etc/passwd USER ferretdb ENTRYPOINT [ "/ferretdb" ]
From 1bc653e83acca8ac66f33073b8790a9052f898c5 Mon Sep 17 00:00:00 2001
From: ahmethakanbesel
Date: Fri, 2 Feb 2024 18:11:51 +0300
Subject: [PATCH 4/8] add a line break to the end of `passwd`
---
 build/docker/passwd | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build/docker/passwd b/build/docker/passwd
index a058f7f11cf9..0c21f8275277 100644
--- a/build/docker/passwd
+++ b/build/docker/passwd
@@ -1 +1 @@
-ferretdb:x:10001:10001::/nonexistent:/nonexistent
\ No newline at end of file
+ferretdb:x:10001:10001::/nonexistent:/nonexistent
From c88b2722140ab8e301126b7096be41b126fe657e Mon Sep 17 00:00:00 2001
From: ahmethakanbesel
Date: Wed, 7 Feb 2024 16:16:55 +0300
Subject: [PATCH 5/8] Create and copy `/etc/group` file in final stage
---
 build/docker/group | 1 +
 build/docker/passwd | 2 +-
 build/docker/production.Dockerfile | 1 +
 3 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 build/docker/group
diff --git a/build/docker/group b/build/docker/group
new file mode 100644
index 000000000000..ad4469cdbbb2
--- /dev/null
+++ b/build/docker/group
@@ -0,0 +1 @@
+ferretdb:x:1000:
diff --git a/build/docker/passwd b/build/docker/passwd
index 0c21f8275277..99c35347bb50 100644
--- a/build/docker/passwd
+++ b/build/docker/passwd
@@ -1 +1 @@
-ferretdb:x:10001:10001::/nonexistent:/nonexistent
+ferretdb:x:1000:1000::/nonexistent:/nonexistent
diff --git a/build/docker/production.Dockerfile b/build/docker/production.Dockerfile
index 0d7ebbf5fb8a..c07210378d3e 100644
--- a/build/docker/production.Dockerfile
+++ b/build/docker/production.Dockerfile
@@ -102,6 +102,7 @@ FROM scratch AS production COPY --from=production-build /src/bin/ferretdb /ferretdb COPY --from=production-build /src/build/docker/passwd /etc/passwd +COPY --from=production-build /src/build/docker/group /etc/group USER ferretdb ENTRYPOINT [ "/ferretdb" ]
From 903e495d949006f18805ab560ead406596c1f2f4 Mon Sep 17 00:00:00 2001
From: Alexey Palazhchenko
Date: Mon, 12 Feb 2024 19:43:14 +0400
Subject: [PATCH 6/8] Add group
---
 build/docker/production.Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/build/docker/production.Dockerfile b/build/docker/production.Dockerfile
index 97a95afadb41..6c852d4e751e 100644
--- a/build/docker/production.Dockerfile
+++ b/build/docker/production.Dockerfile
@@ -104,7 +104,7 @@ COPY --from=production-build /src/bin/ferretdb /ferretdb COPY --from=production-build /src/build/docker/passwd /etc/passwd COPY --from=production-build /src/build/docker/group /etc/group -USER ferretdb +USER ferretdb:ferretdb ENTRYPOINT [ "/ferretdb" ] WORKDIR /
From 9867001ce709c5b6e08d5df681dd3521f0dc5bf4 Mon Sep 17 00:00:00 2001
From: Alexey Palazhchenko
Date: Mon, 12 Feb 2024 19:48:27 +0400
Subject: [PATCH 7/8] Copy from host
---
 build/docker/production.Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
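Review bot: Lowering the UID/GID from 10001 to 1000 in `build/docker/passwd` (and `ferretdb:x:1000:` in the new group file) moves the container identity onto the UID that most Linux hosts hand to their first interactive user (`UID_MIN` is 1000 on Debian/Ubuntu), so files the server writes to a bind-mounted volume will show up as owned by that host account and that account's files become readable/writable by the container; container-hardening guidance generally prefers a UID well above the host's normal user range for exactly this reason. If 1000 was chosen deliberately (for example to match the host user on bind mounts), that rationale belongs in the commit message or the changelog; otherwise I would keep `ferretdb:x:10001:10001::/nonexistent:/nonexistent` and `ferretdb:x:10001:`. Whichever value is kept, the UID/GID in `passwd`, `group` and the `USER` line of the Dockerfile must stay in sync, so a comment in the Dockerfile pointing at these two files, `# UID/GID here must match build/docker/passwd and build/docker/group`, would help future edits. The `/nonexistent` home and shell are appropriate for a scratch image.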
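Review bot: `USER ferretdb:ferretdb` is resolved through the copied `/etc/passwd` and `/etc/group` when the container is created, which Docker handles, but Kubernetes' `runAsNonRoot: true` refuses to start an image whose `USER` is a name rather than a number ("cannot verify user is non-root") unless the pod also sets `runAsUser`; a numeric `USER 1000:1000` (matching the value in `build/docker/passwd` after 5/8) satisfies that check while the passwd/group files still provide the name for `os/user` lookups inside the process. If the project wants to keep the symbolic form, the changelog or image documentation should tell Kubernetes users to set `runAsUser` explicitly. The production stage continues after `WORKDIR /` outside this hunk.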
diff --git a/build/docker/production.Dockerfile b/build/docker/production.Dockerfile
index 6c852d4e751e..faa4bf778e89 100644
--- a/build/docker/production.Dockerfile
+++ b/build/docker/production.Dockerfile
@@ -101,8 +101,8 @@ COPY --from=production-build /src/bin/ferretdb /ferretdb FROM scratch AS production COPY --from=production-build /src/bin/ferretdb /ferretdb -COPY --from=production-build /src/build/docker/passwd /etc/passwd -COPY --from=production-build /src/build/docker/group /etc/group +COPY build/docker/passwd /etc/passwd +COPY build/docker/group /etc/group USER ferretdb:ferretdb ENTRYPOINT [ "/ferretdb" ]
From 6a8e1e1b39914c5aec9d5aef517ed1029242d52e Mon Sep 17 00:00:00 2001
From: Alexey Palazhchenko
Date: Mon, 12 Feb 2024 19:51:44 +0400
Subject: [PATCH 8/8] Update changelog
---
 CHANGELOG.md | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 24d757081e6a..b9d9c7d317eb 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,14 @@ +## v1.20.0 (not released yet) + +### What's Changed + +#### Docker images changes + +Production Docker images now use a non-root user with UID 1000 and GID 1000. + ## [v1.19.0](https://github.com/FerretDB/FerretDB/releases/tag/v1.19.0) (2024-01-29) ### New Features 🎉
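Review bot: `COPY build/docker/passwd /etc/passwd` and `COPY build/docker/group /etc/group` take their mode bits from the build-context files, so the permissions of `/etc/passwd` in the image now depend on the checkout (git tracks only the executable bit; a clone made under a restrictive umask yields 0600 files), which makes the layer digest non-reproducible and, in the worst case, leaves the files unreadable by UID 1000 — the runtime still resolves `USER` as root at container start, but pure-Go `os/user` lookups inside the static binary read `/etc/passwd` directly and would fail. Pinning the mode removes both problems: `COPY --chmod=0644 build/docker/passwd /etc/passwd` and `COPY --chmod=0644 build/docker/group /etc/group`; `--chmod` needs the BuildKit frontend (`# syntax=docker/dockerfile:1` at the top of the file), which I cannot see from this hunk, so please confirm it is already there. Copying from the build context also means these two files must not be excluded by `.dockerignore`, which is worth a one-line comment above the `COPY`s.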