Add non-root user

Docker containers run as the `root` user by default. However, it is
considered a best practice to run as a non-root user when possible.

This commit will add a non-root user `apps` (UID `568`) and group `apps`
(GID `568`) for this purpose. This commit will also add the `shadow` apk
package to use the Docker-recommended `groupadd` and `useradd` commands.

For the `docker run`, add the `-u`, `--user` option (`-u apps`).

For Docker Compose, add the `user` key to the appropriate service
(`user: apps`).

- https://docs.docker.com/build/building/best-practices/#user
- https://docs.docker.com/reference/cli/docker/container/run/
- https://docs.docker.com/reference/compose-file/services/#user
- https://pkgs.alpinelinux.org/package/edge/community/x86_64/shadow

Author: br3ndonland

README.md

@@ -38,6 +38,38 @@ Supported [environment variables](https://docs.docker.com/reference/cli/docker/c
 
 [Multi-platform builds](https://docs.docker.com/build/building/multi-platform/) are provided for the `linux/amd64` and `linux/arm64` platforms. If running on a different platform, use the [`--platform` option](https://docs.docker.com/reference/cli/docker/container/run/) to emulate a supported platform.
 
+### Users
+
+Docker containers run as the `root` user by default. However, it is [considered a best practice](https://docs.docker.com/build/building/best-practices/#user) to run as a non-root user when possible. The `dovi_tool` container image provides a non-root user `apps` (UID `568`) and group `apps` (GID `568`) for this purpose.
+
+For the `docker run` CLI, add the [`-u`, `--user` option](https://docs.docker.com/reference/cli/docker/container/run/) (`-u apps`) to run as the non-root user.
+
+```sh
+docker run --rm -it -u apps -v /path/to/media:/opt/media --entrypoint ash ghcr.io/br3ndonland/dovi_tool
+```
+
+For Docker Compose, add the [`user` key](https://docs.docker.com/reference/compose-file/services/#user) to the appropriate service (`user: apps`) to run as the non-root user.
+
+```yaml
+# compose.yaml
+name: dovi_tool
+services:
+  dovi_tool:
+    image: ghcr.io/br3ndonland/dovi_tool
+    container_name: ${COMPOSE_PROJECT_NAME}
+    pull_policy: always
+    restart: "no"
+    user: apps
+    stdin_open: true
+    tty: true
+    entrypoint: ash
+    environment:
+      - STOP_IF_FEL=1
+      - TZ=
+    volumes:
+      - /path/to/media:/opt/media
+```
+
 ## Notes
 
 ### Dolby Vision Enhancement Layers

dovi_tool/Dockerfile

@@ -8,7 +8,7 @@ LABEL org.opencontainers.image.source="https://github.com/br3ndonland/dovi_tool"
 LABEL org.opencontainers.image.title="dovi_tool"
 LABEL org.opencontainers.image.url="https://github.com/br3ndonland/dovi_tool/pkgs/container/dovi_tool"
 
-RUN apk add --no-cache --upgrade jq mediainfo mkvtoolnix
+RUN apk add --no-cache --upgrade jq mediainfo mkvtoolnix shadow
 RUN <<HEREDOC
 set -e -o pipefail
 case $TARGETARCH in
@@ -24,6 +24,7 @@ tar -xvf /tmp/${DOVI_TOOL_ARCHIVE} -C /usr/local/bin
 tar -xvf /tmp/${HDR10PLUS_TOOL_ARCHIVE} -C /usr/local/bin
 rm -rf /tmp/*
 HEREDOC
+RUN groupadd -g 568 apps && useradd --no-log-init -r -u 568 -g apps apps
 
 COPY --link ./dovi_tool_editor_config.json ./dovi_tool_generator_config.json /config/
 COPY --link --chmod=755 ./entrypoint.sh /usr/local/bin/entrypoint.sh