diff --git a/Dockerfile b/Dockerfile
index 5fe80dee2eb440f4b16582fc2711de4f9640fcfb..9408762203335175084f273419048f0e9c910119 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -16,6 +16,7 @@ RUN mkdir /usr/share/kibana
 WORKDIR /usr/share/kibana
 COPY --chown=1000:0 kibana-7.10.2-linux-x86_64.tar.gz .
 RUN tar --strip-components=1 -zxf kibana-7.10.2-linux-x86_64.tar.gz
+
 # Ensure that group permissions are the same as user permissions.
 # This will help when relying on GID-0 to run Kibana, rather than UID-1000.
 # OpenShift does this, for example.
@@ -31,15 +32,19 @@ FROM ${BASE_REGISTRY}/${BASE_IMAGE}:${BASE_TAG}
 EXPOSE 5601
 
 RUN yum update --setopt=tsflags=nodocs -y && \
-    yum install -y fontconfig freetype shadow-utils libnss3.so && \
+    yum install -y fontconfig freetype shadow-utils nss && \
     yum clean all
 
 COPY LICENSE /licenses/elastic-kibana
 
 # Add a dumb init process
-WORKDIR /usr/local/bin
-COPY dumb-init /usr/local/bin/dumb-init
-RUN chmod +x /usr/local/bin/dumb-init
+COPY tini /bin/tini
+RUN chmod +x /bin/tini
+
+# Noto Fonts
+RUN mkdir /usr/share/fonts/local
+COPY NotoSansCJK-Regular.ttc /usr/share/fonts/local/NotoSansCJK-Regular.ttc
+RUN fc-cache -v
 
 # Bring in Kibana from the initial stage.
 COPY --from=prep_files --chown=1000:0 /usr/share/kibana /usr/share/kibana
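Review bot: `COPY tini /bin/tini` followed by `RUN chmod +x /bin/tini` stores the binary in two layers, because the chmod layer rewrites the whole file; if the build frontend is BuildKit-based, `COPY --chmod=0755 tini /bin/tini` gives the same result in one layer and the RUN can go. The three Noto font steps have the same shape: `COPY` creates `/usr/share/fonts/local` on its own, so the `RUN mkdir` layer is redundant and `RUN fc-cache -v` can follow the copy directly. In the `yum install` line the new `nss` package (like its neighbours) carries no version pin, so the installed package set depends on mirror state at build time; pinning the versions keeps the image reproducible, which is what the hardening manifest's checksums are meant to guarantee for the other inputs.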
@@ -56,17 +61,16 @@ COPY --chown=1000:0 config/kibana.yml /usr/share/kibana/config/kibana.yml # variables and translate them to Kibana CLI options. COPY --chown=1000:0 scripts/kibana-docker /usr/local/bin/ -# Ensure gid 0 write permissions for OpenShift. -RUN chmod g+ws /usr/share/kibana && find /usr/share/kibana -gid 0 -and -not -perm /g+w -exec chmod g+w {} \; - # Remove the suid bit everywhere to mitigate "Stack Clash" RUN find / -xdev -perm -4000 -exec chmod u-s {} + # Provide a non-root user to run the process. -RUN groupadd --gid 1000 kibana && useradd --uid 1000 --gid 1000 --home-dir /usr/share/kibana --no-create-home kibana -USER kibana +RUN groupadd --gid 1000 kibana && \ + useradd --uid 1000 --gid 1000 -G 0 \ + --home-dir /usr/share/kibana --no-create-home \ + kibana -ENTRYPOINT ["/usr/local/bin/dumb-init", "--"] +ENTRYPOINT ["/bin/tini", "--"] CMD ["/usr/local/bin/kibana-docker"] diff --git a/hardening_manifest.yaml b/hardening_manifest.yaml index 528eda6fd0897422472fb50237d127cdde391f81..52c0f1056a13bb37e42f624b4becbfaddb0123f9 100644 --- a/hardening_manifest.yaml +++ b/hardening_manifest.yaml 
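Review bot: The removed `USER kibana` has no replacement on the new side of this hunk: after the new `groupadd`/`useradd` the file goes straight to `ENTRYPOINT ["/bin/tini", "--"]` and `CMD`, so unless a `USER` instruction exists after `CMD` outside the hunk, the final stage now starts Kibana as root, a regression from the previous image. Adding `USER 1000` (numeric, so a runtime `runAsNonRoot` check can verify it) between the `useradd` and `ENTRYPOINT` restores the previous behaviour, and the new `-G 0` supplementary group still covers the OpenShift arbitrary-UID case. Dropping the `chmod g+ws` step is presumably intentional because the prep stage already makes group permissions match user permissions, but it is worth confirming that `/usr/share/kibana` itself remains group-writable for GID 0 after the `COPY --from=prep_files`.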
@@ -35,11 +35,16 @@ resources:
   validation:
     type: sha512
     value: aa68f850cc09cf5dcb7c0b48bb8df788ca58eaad38d96141b8e59917fd38b42c728c0968f7cb2c8132c5aaeb595525cdde0859554346c496f53c569e03abe412
-- filename: dumb-init
-  url: https://github.com/Yelp/dumb-init/releases/download/v1.2.2/dumb-init_1.2.2_amd64
+- filename: tini
+  url: https://github.com/krallin/tini/releases/download/v0.19.0/tini-amd64
   validation:
-    type: sha256
-    value: 37f2c1f0372a45554f1b89924fbb134fc24c3756efaedf11e07f599494e0eff9
+    type: sha512
+    value: 8053cc21a3a9bdd6042a495349d1856ae8d3b3e7664c9654198de0087af031f5d41139ec85a2f5d7d2febd22ec3f280767ff23b9d5f63d490584e2b7ad3c218c
+- filename: NotoSansCJK-Regular.ttc
+  url: https://github.com/googlefonts/noto-cjk/raw/NotoSansV2.001/NotoSansCJK-Regular.ttc
+  validation:
+    type: sha512
+    value: 0ce56bde1853fed3e53282505bac65707385275a27816c29712ab04c187aa249797c82c58759b2b36c210d4e2683eda92359d739a8045cb8385c2c34d37cc9e1
 
 # List of project maintainers
 maintainers:
@@ -51,4 +56,3 @@ maintainers:
   name: "Alexander Klepal"
   username: "alexander.klepal"
   cht_member: true
-