diff --git a/app/vmagent/deployment/Dockerfile b/app/vmagent/deployment/Dockerfile
index 6bead7b085..4d8ecb542e 100644
--- a/app/vmagent/deployment/Dockerfile
+++ b/app/vmagent/deployment/Dockerfile
@@ -1,8 +1,8 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ARG base_image
+FROM $base_image
+
+EXPOSE 8429
+
+ENTRYPOINT ["/vmagent-prod"]
 ARG src_binary
 COPY $src_binary ./vmagent-prod
-EXPOSE 8429
-ENTRYPOINT ["/vmagent-prod"]
diff --git a/app/vmbackup/deployment/Dockerfile b/app/vmbackup/deployment/Dockerfile
index 7e84910049..5d2978db91 100644
--- a/app/vmbackup/deployment/Dockerfile
+++ b/app/vmbackup/deployment/Dockerfile
@@ -1,7 +1,6 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ARG base_image
+FROM $base_image
+
+ENTRYPOINT ["/vmbackup-prod"]
 ARG src_binary
 COPY $src_binary ./vmbackup-prod
-ENTRYPOINT ["/vmbackup-prod"]
diff --git a/app/vminsert/deployment/Dockerfile b/app/vminsert/deployment/Dockerfile
index abd89a8767..3b2834e12f 100644
--- a/app/vminsert/deployment/Dockerfile
+++ b/app/vminsert/deployment/Dockerfile
@@ -1,8 +1,8 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ARG base_image
+FROM $base_image
+
+EXPOSE 8480
+
+ENTRYPOINT ["/vminsert-prod"]
 ARG src_binary
 COPY $src_binary ./vminsert-prod
-EXPOSE 8480
-ENTRYPOINT ["/vminsert-prod"]
diff --git a/app/vmrestore/deployment/Dockerfile b/app/vmrestore/deployment/Dockerfile
index 1affee1845..dd4dede8d3 100644
--- a/app/vmrestore/deployment/Dockerfile
+++ b/app/vmrestore/deployment/Dockerfile
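Review bot: `COPY $src_binary ./vmagent-prod` writes to a path relative to the working directory while `ENTRYPOINT ["/vmagent-prod"]` is absolute, so the image starts only because the base image leaves `WORKDIR` at `/`. Now that everything before this line comes from `$base_image`, a `WORKDIR` added there would break every derived image at start-up; `COPY $src_binary /vmagent-prod` removes that coupling. COPY without `--chown` leaves the binary owned by 0:0, which suits a process that the base image in this commit runs as UID 1000, and deserves a comment such as `# root-owned on purpose: the runtime user must not be able to replace its own binary`. The same applies to the vmbackup, vminsert, vmrestore, vmselect and vmstorage Dockerfiles in this commit.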
@@ -1,7 +1,6 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ARG base_image
+FROM $base_image
+
+ENTRYPOINT ["/vmrestore-prod"]
 ARG src_binary
 COPY $src_binary ./vmrestore-prod
-ENTRYPOINT ["/vmrestore-prod"]
diff --git a/app/vmselect/deployment/Dockerfile b/app/vmselect/deployment/Dockerfile
index 4c57f455a4..6362db0283 100644
--- a/app/vmselect/deployment/Dockerfile
+++ b/app/vmselect/deployment/Dockerfile
@@ -1,8 +1,8 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
+ARG base_image
+FROM $base_image
+
+EXPOSE 8481
+
+ENTRYPOINT ["/vmselect-prod"]
 ARG src_binary
 COPY $src_binary ./vmselect-prod
-EXPOSE 8481
-ENTRYPOINT ["/vmselect-prod"]
diff --git a/app/vmstorage/deployment/Dockerfile b/app/vmstorage/deployment/Dockerfile
index e316977a18..af96a0f94a 100644
--- a/app/vmstorage/deployment/Dockerfile
+++ b/app/vmstorage/deployment/Dockerfile
@@ -1,10 +1,10 @@
-ARG certs_image
-FROM $certs_image AS certs
-FROM scratch
-COPY --from=certs /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
-ARG src_binary
-COPY $src_binary ./vmstorage-prod
+ARG base_image
+FROM $base_image
+
 EXPOSE 8482
 EXPOSE 8400
 EXPOSE 8401
+
 ENTRYPOINT ["/vmstorage-prod"]
+ARG src_binary
+COPY $src_binary ./vmstorage-prod
diff --git a/deployment/docker/Makefile b/deployment/docker/Makefile
index a955f36631..fc4a3144df 100644
--- a/deployment/docker/Makefile
+++ b/deployment/docker/Makefile
@@ -2,17 +2,17 @@ DOCKER_NAMESPACE := docker.io/victoriametrics BUILDER_IMAGE := local/builder:go1.14.1 -CERTS_IMAGE := local/certs:1.0.3 +BASE_IMAGE := local/base:1.0.0 -package-certs: - (docker image ls --format '{{.Repository}}:{{.Tag}}' | grep -q '$(CERTS_IMAGE)$$') \ - || docker build -t $(CERTS_IMAGE) deployment/docker/certs +package-base: + (docker image ls --format '{{.Repository}}:{{.Tag}}' | grep -q '$(BASE_IMAGE)$$') \ + || docker build -t $(BASE_IMAGE) deployment/docker/base package-builder: (docker image ls --format '{{.Repository}}:{{.Tag}}' | grep -q '$(BUILDER_IMAGE)$$') \ || docker build -t $(BUILDER_IMAGE) deployment/docker/builder -app-via-docker: package-certs package-builder +app-via-docker: package-base package-builder mkdir -p gocache-for-docker docker run --rm \ --user $(shell id -u):$(shell id -g) \
@@ -31,7 +31,7 @@ package-via-docker: $(MAKE) app-via-docker && \ docker build \ --build-arg src_binary=$(APP_NAME)$(APP_SUFFIX)-prod \ - --build-arg certs_image=$(CERTS_IMAGE) \ + --build-arg base_image=$(BASE_IMAGE) \ -t $(DOCKER_NAMESPACE)/$(APP_NAME):$(PKG_TAG)$(APP_SUFFIX)$(RACE) \ -f app/$(APP_NAME)/deployment/Dockerfile bin)
diff --git a/deployment/docker/base/Dockerfile b/deployment/docker/base/Dockerfile
new file mode 100644
index 0000000000..d067ddddc3
--- /dev/null
+++ b/deployment/docker/base/Dockerfile
@@ -0,0 +1,16 @@
+# See https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b
+FROM alpine:3.10 as base
+
+RUN apk --update --no-cache add ca-certificates
+
+RUN mkdir /future-tmp
+
+FROM scratch
+
+COPY --chown=0:0 ./passwd ./group /etc/
+USER 1000
+
+COPY --from=base --chown=1000:1000 /future-tmp /tmp
+COPY --from=base --chown=1000:1000 /future-tmp /vmstorage-data
+
+COPY --from=base --chown=1000:1000 /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
diff --git a/deployment/docker/base/group b/deployment/docker/base/group
new file mode 100644
index 0000000000..ff21f289c2
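Review bot: `/tmp` and `/vmstorage-data` are both copied from `/future-tmp` with `--chown=1000:1000`, so they carry the mode `mkdir` gave that directory (presumably 0755, not the 1777 usually expected of `/tmp`) and are writable by UID 1000 only. A container started under a different UID, or with a volume mounted over `/vmstorage-data` that an earlier image without a `USER` line populated as root, would presumably fail on its first write, and nothing in the file warns about that. I would add a comment above `USER 1000`: `# Derived images run as UID 1000; anything mounted over /tmp or /vmstorage-data must be writable by that UID.` Separately, `FROM alpine:3.10 as base` is a mutable tag, so the CA bundle that ends up in release images depends on when the tag was pulled; `FROM alpine:3.10@sha256:<digest> AS base` pins it.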
--- /dev/null
+++ b/deployment/docker/base/group
@@ -0,0 +1,2 @@
+root:x:0:root
+victoriametrics:x:1000:victoriametrics
diff --git a/deployment/docker/base/passwd b/deployment/docker/base/passwd
new file mode 100644
index 0000000000..884c44dc58
--- /dev/null
+++ b/deployment/docker/base/passwd
@@ -0,0 +1,2 @@
+root:x:0:0:root:/root:/bin/ash
+victoriametrics:x:1000:1000::/:
diff --git a/deployment/docker/certs/Dockerfile b/deployment/docker/certs/Dockerfile
deleted file mode 100644
index cc5e2e0899..0000000000
--- a/deployment/docker/certs/Dockerfile
+++ /dev/null
@@ -1,3 +0,0 @@
-# See https://medium.com/on-docker/use-multi-stage-builds-to-inject-ca-certs-ad1e8f01de1b
-FROM alpine:3.10 as certs
-RUN apk --update add ca-certificates