add uid/gid selection to run application as in Dockerfile

Dockerfile

@@ -29,6 +29,9 @@ VOLUME ${DATA_PATH}
 EXPOSE 25565/tcp
 
 
+ENV GID=988
+ENV UID=999
+
 ENV MEMORY=4G
 
 ENV PROXY_SECRET=00000000-0000-0000-0000-000000000000
@@ -70,6 +73,13 @@ WORKDIR ${WORKDIR_PATH}/config
 # TODO: Make awk commands sapn multiple lines
 # TODO: Use one call to awk to perform substitutions
 CMD \
+    # Create and switch to user with desired UID and GID.
+    # All processes that create/change files in ${DATA_PATH}
+    # must be run under this user.
+    groupadd -g ${GID} worker && \
+    useradd -M -g ${GID} -u ${UID} worker && \
+    chmod -R o-rwx ${WORKDIR_PATH} && \
+
     # Add proxy secret
     sed -i "s/_PROXY_SECRET_/${PROXY_SECRET}/g" forwarding.secret && \
 
@@ -118,4 +128,7 @@ CMD \
     sed -i "s/_SONAR_DB_USERNAME_/${SONAR_DB_USERNAME}/g" plugins/sonar/config.yml && \
     sed -i "s/_SONAR_DB_PASSWORD_/${SONAR_DB_PASSWORD}/g" plugins/sonar/config.yml && \
 
-    java -Xms${MEMORY} -Xmx${MEMORY} -XX:+UseG1GC -XX:G1HeapRegionSize=4M -XX:+UnlockExperimentalVMOptions -XX:+ParallelRefProcEnabled -XX:+AlwaysPreTouch -XX:MaxInlineLevel=15 -jar *.jar
+    # Change UID and GID of used files to desired values.
+    chown -R worker:worker ${WORKDIR_PATH} && \
+
+    su worker -c "java -Xms${MEMORY} -Xmx${MEMORY} -XX:+UseG1GC -XX:G1HeapRegionSize=4M -XX:+UnlockExperimentalVMOptions -XX:+ParallelRefProcEnabled -XX:+AlwaysPreTouch -XX:MaxInlineLevel=15 -jar *.jar"