make image not using root user

ocis/docker/Dockerfile.linux.amd64

@@ -1,4 +1,4 @@
-FROM amd64/alpine:3.13
+FROM amd64/alpine:3.14
 
 ARG VERSION=""
 ARG REVISION=""
@@ -21,11 +21,30 @@ LABEL maintainer="ownCloud GmbH <devops@owncloud.com>" \
   org.opencontainers.image.version="${VERSION}" \
   org.opencontainers.image.revision="${REVISION}"
 
+RUN addgroup -g 700 -S ocis-group && \
+  adduser -S --ingroup ocis-group --uid 700 ocis-user
+
+RUN mkdir -p /var/tmp/ocis && \
+ chown -R ocis-user:ocis-group /var/tmp/ocis && \
+ chmod -R 777 /var/tmp/ocis
+
+# default artifact location for autogenerated certifaces
+# needs to be a static location because of the docker uid switch mechanism
+ENV GLAUTH_LDAPS_CERT=/var/tmp/ocis/.config/ldap/ldaps.crt \
+  GLAUTH_LDAPS_KEY=/var/tmp/ocis/.config/ldap/ldaps.key \
+  IDP_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/idp/server.crt \
+  IDP_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/idp/server.key \
+  PROXY_TRANSPORT_TLS_CERT=/var/tmp/ocis/.config/proxy/server.crt \
+  PROXY_TRANSPORT_TLS_KEY=/var/tmp/ocis/.config/proxy/server.key
+
+VOLUME [ "/var/tmp/ocis" ]
+WORKDIR /var/tmp/ocis
+
+USER ocis-user
+
 EXPOSE 9200/tcp
 
 ENTRYPOINT ["/usr/bin/ocis"]
 CMD ["server"]
 
 COPY dist/binaries/ocis-linux-amd64 /usr/bin/ocis
-
-VOLUME [ "/var/tmp/ocis" ]