refactor(docker): multistage build / support for running as random uid

- refactor env directives
- move startup cmd to `docker-bin` directory to avoid it being included
  in the npm package

.dockerignore

@@ -1,6 +1,6 @@
 # we try to avoid adding files to the docker images that change often
 # or that are not needed for running the docker image
-# tis greatly reduces the amount of times we need to rerun `npm install` when building image locally
+# this greatly reduces the amount of times we need to rerun `npm install` when building image locally
 # https://codefresh.io/blog/not-ignore-dockerignore/
 # https://docs.docker.com/engine/reference/builder/#dockerignore-file
 
@@ -28,6 +28,6 @@ coverage/
 jsconfig.json
 *.iml
 
-# let's not get to recursive ;)
+# let's not get too recursive ;)
 Dockerfile*
 docker-compose*.yaml

Dockerfile

@@ -1,5 +1,8 @@
 FROM node:10.3-alpine as builder
 
+ENV NODE_ENV=production \
+    VERDACCIO_BUILD_REGISTRY=https://registry.npmjs.org/
+
 RUN apk --no-cache add openssl ca-certificates wget && \
     wget -q -O /etc/apk/keys/sgerrand.rsa.pub https://raw.githubusercontent.com/sgerrand/alpine-pkg-glibc/master/sgerrand.rsa.pub && \
     wget -q https://github.com/sgerrand/alpine-pkg-glibc/releases/download/2.25-r0/glibc-2.25-r0.apk && \
@@ -8,9 +11,6 @@ RUN apk --no-cache add openssl ca-certificates wget && \
 WORKDIR /opt/verdaccio-build
 COPY . .
 
-ENV NODE_ENV=production \
-    VERDACCIO_BUILD_REGISTRY=https://registry.npmjs.org/
-
 RUN yarn config set registry $VERDACCIO_BUILD_REGISTRY && \
     yarn install --production=false && \
     yarn lint && \
@@ -24,36 +24,35 @@ RUN yarn config set registry $VERDACCIO_BUILD_REGISTRY && \
 FROM node:10.3-alpine
 LABEL maintainer="https://github.com/verdaccio/verdaccio"
 
+ENV VERDACCIO_APPDIR=/opt/verdaccio \
+    VERDACCIO_USER_NAME=verdaccio \
+    VERDACCIO_USER_UID=10001 \
+    VERDACCIO_PORT=4873 \
+    VERDACCIO_PROTOCOL=http
+ENV PATH=$VERDACCIO_APPDIR/docker-bin:$PATH \
+    HOME=$VERDACCIO_APPDIR
+
+WORKDIR $VERDACCIO_APPDIR
+
 RUN apk --no-cache add openssl dumb-init
 
 RUN mkdir -p /verdaccio/storage /verdaccio/plugins /verdaccio/conf
 
-ENV VERDACCIO_APPDIR=/opt/verdaccio
-WORKDIR $VERDACCIO_APPDIR
-
 COPY --from=builder /opt/verdaccio-build .
 
 ADD conf/docker.yaml /verdaccio/conf/config.yaml
 
-ENV PATH=${VERDACCIO_APPDIR}/bin:${PATH} \
+RUN adduser -u $VERDACCIO_USER_UID -S -D -h $VERDACCIO_APPDIR -g "$VERDACCIO_USER_NAME user" -s /sbin/nologin $VERDACCIO_USER_NAME && \
-    HOME=${VERDACCIO_APPDIR} \
+    chmod -R +x $VERDACCIO_APPDIR/bin $VERDACCIO_APPDIR/docker-bin && \
-    VERDACCIO_USER_NAME=verdaccio \
+    chown -R $VERDACCIO_USER_UID:root /verdaccio/storage && \
-    VERDACCIO_USER_UID=10001
-
-RUN adduser -u ${VERDACCIO_USER_UID} -S -D -h ${VERDACCIO_APPDIR} -g "${VERDACCIO_USER_NAME} user" -s /sbin/nologin ${VERDACCIO_USER_NAME} && \
-    chmod -R +x ${VERDACCIO_APPDIR}/bin && \
-    chown -R ${VERDACCIO_USER_UID}:root /verdaccio/storage && \
     chmod -R g=u /verdaccio/storage /etc/passwd
 
 USER $VERDACCIO_USER_UID
 
-ENV VERDACCIO_PORT 4873
-ENV VERDACCIO_PROTOCOL http
-
 EXPOSE $VERDACCIO_PORT
 
 VOLUME /verdaccio/storage
 
 ENTRYPOINT ["uid_entrypoint"]
 
-CMD $VERDACCIO_APPDIR/bin/verdaccio --config /verdaccio/conf/config.yaml --listen $VERDACCIO_PROTOCOL://0.0.0.0:${VERDACCIO_PORT}
+CMD $VERDACCIO_APPDIR/bin/verdaccio --config /verdaccio/conf/config.yaml --listen $VERDACCIO_PROTOCOL://0.0.0.0:$VERDACCIO_PORT