Make uid/gid configurable & change group of files - part 3 (#897)

lfrancke · NickLarsenNZ · web-flow · commit 1e5f0856968b · 2024-10-23T09:36:42.000Z
* Make uid/gid configurable & change group of files This is a follow-up for #849 and includes: - The missing bits for Hive - Kafka * More tools now migrated but not tested yet: - Kafka Testing Tools - KCat - NiFi - Omid * - OPA - Spark (WIP) * Adds Spark and a changelog entry * - statsd_exporter - superset * - superset - tools * Adds Trino * Update CHANGELOG * Add Trino CLI * Add Vector * Add note * Update tools/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> * Update superset/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> * Update tools/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> * Update trino-cli/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> * Update trino-cli/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> * Update superset/Dockerfile Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com> * Fix CHANGELOG --------- Co-authored-by: Nick <10092581+NickLarsenNZ@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -32,7 +32,7 @@ All notable changes to this project will be documented in this file.
 - Enable [Docker build checks](https://docs.docker.com/build/checks/) ([#872]).
 - java: migrate to temurin jdk/jre ([#894]).
 - tools: bump kubectl to `1.31.1` and jq to `1.7.1` ([#896]).
-- Make username, user id, group id configurable, use numeric ids everywhere, change group of all files to 0 ([#849], [#890]).
+- Make username, user id, group id configurable, use numeric ids everywhere, change group of all files to 0 ([#849], [#890], [#897]).
 - ci: Bump `stackabletech/actions` to 0.0.7 ([#901], [#903]).
 
 ### Removed
@@ -87,6 +87,7 @@ All notable changes to this project will be documented in this file.
 [#890]: https://github.com/stackabletech/docker-images/pull/890
 [#894]: https://github.com/stackabletech/docker-images/pull/894
 [#896]: https://github.com/stackabletech/docker-images/pull/896
+[#897]: https://github.com/stackabletech/docker-images/pull/897
 [#898]: https://github.com/stackabletech/docker-images/pull/898
 [#901]: https://github.com/stackabletech/docker-images/pull/901
 [#903]: https://github.com/stackabletech/docker-images/pull/903
diff --git a/airflow/Dockerfile b/airflow/Dockerfile
@@ -135,6 +135,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 WORKDIR /stackable
 
diff --git a/druid/Dockerfile b/druid/Dockerfile
@@ -126,6 +126,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 ENV PATH="${PATH}":/stackable/druid/bin
 
diff --git a/hadoop/Dockerfile b/hadoop/Dockerfile
@@ -177,6 +177,13 @@ EOF
 
 COPY hadoop/licenses /licenses
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 
 ENV HOME=/stackable
diff --git a/hbase/Dockerfile b/hbase/Dockerfile
@@ -362,6 +362,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 ENV HBASE_CONF_DIR=/stackable/hbase/conf
 ENV HOME=/stackable
diff --git a/hello-world/Dockerfile b/hello-world/Dockerfile
@@ -28,6 +28,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 WORKDIR /stackable
 
diff --git a/hive/Dockerfile b/hive/Dockerfile
@@ -142,6 +142,13 @@ EOF
 COPY --chown=${STACKABLE_USER_UID}:0 --from=hive-builder /stackable/jmx /stackable/jmx
 COPY hive/licenses /licenses
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 
 ENV HADOOP_HOME=/stackable/hadoop
diff --git a/kafka/Dockerfile b/kafka/Dockerfile
@@ -102,6 +102,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 
 ENV PATH="${PATH}:/stackable/bin:/stackable/kafka/bin"
diff --git a/nifi/Dockerfile b/nifi/Dockerfile
@@ -129,6 +129,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 
 ENV HOME=/stackable
diff --git a/omid/Dockerfile b/omid/Dockerfile
@@ -101,6 +101,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 WORKDIR /stackable/omid-tso-server
 
diff --git a/opa/Dockerfile b/opa/Dockerfile
@@ -133,6 +133,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 WORKDIR /stackable/opa
 
diff --git a/spark-k8s/Dockerfile b/spark-k8s/Dockerfile
@@ -328,6 +328,13 @@ chown -R ${STACKABLE_USER_UID}:0 /stackable
 chmod -R g=u /stackable
 EOF
 
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
 USER ${STACKABLE_USER_UID}
 
 WORKDIR /stackable/spark
diff --git a/stackable-base/Dockerfile b/stackable-base/Dockerfile
@@ -155,7 +155,7 @@ chown ${STACKABLE_USER_UID}:0 /stackable/.bashrc
 chown ${STACKABLE_USER_UID}:0 /stackable/.profile
 
 cp /root/.curlrc /stackable/.curlrc
-chown stackable:0 /stackable/.curlrc
+chown ${STACKABLE_USER_UID}:0 /stackable/.curlrc
 
 # CVE-2023-37920: Remove "e-Tugra" root certificates
 # e-Tugra's root certificates were subject to an investigation prompted by reporting of security issues in their systems
diff --git a/statsd_exporter/Dockerfile b/statsd_exporter/Dockerfile
@@ -3,10 +3,11 @@
 
 FROM stackable/image/stackable-base
 ARG PRODUCT
+ARG STACKABLE_USER_UID
 
 WORKDIR /statsd_exporter
 
-RUN --mount=type=cache,id=go-statsd-exporter,uid=1000,target=/go_cache <<EOF
+RUN --mount=type=cache,id=go-statsd-exporter,uid=${STACKABLE_USER_UID},target=/go_cache <<EOF
 microdnf update
 
 # Tar and gzip are used to unpack the statsd_exporter source
diff --git a/superset/Dockerfile b/superset/Dockerfile
@@ -89,6 +89,7 @@ FROM stackable/image/vector
 ARG PRODUCT
 ARG PYTHON
 ARG RELEASE
+ARG STACKABLE_USER_UID
 
 LABEL name="Apache Superset" \
       maintainer="info@stackable.tech" \
@@ -105,22 +106,37 @@ ENV FLASK_APP="superset.app:create_app()" \
 ENV PATH="${HOME}/app/bin:${PATH}" \
     PYTHONPATH="${HOME}/app/pythonpath"
 
-RUN microdnf update \
-    && microdnf install \
-        cyrus-sasl \
-        openldap \
-        openldap-clients \
-        openssl-libs \
-        openssl-pkcs11 \
-        python${PYTHON} \
-    && microdnf clean all && \
-    rm -rf /var/cache/yum
+RUN <<EOF
+microdnf update
+microdnf install \
+  cyrus-sasl \
+  openldap \
+  openldap-clients \
+  openssl-libs \
+  openssl-pkcs11 \
+  "python${PYTHON}"
+
+microdnf clean all
+rm -rf /var/cache/yum
+
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R "${STACKABLE_USER_UID}:0" /stackable
+chmod -R g=u /stackable
+EOF
 
 COPY superset/licenses /licenses
 
-COPY --from=builder --chown=stackable:stackable /stackable/ ${HOME}/
+COPY --from=builder --chown=${STACKABLE_USER_UID}:0 /stackable/ ${HOME}/
+
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
 
-USER stackable
+USER ${STACKABLE_USER_UID}
 WORKDIR ${HOME}
 
 CMD ["/bin/sh", "-c", \
diff --git a/tools/Dockerfile b/tools/Dockerfile
@@ -8,6 +8,7 @@ ARG KUBECTL_VERSION
 ARG RELEASE
 ARG JQ_VERSION
 ARG TARGETARCH
+ARG STACKABLE_USER_UID
 
 LABEL name="Stackable Tools" \
     maintainer="info@stackable.tech" \
@@ -30,16 +31,30 @@ RUN microdnf update && \
 
 COPY tools/licenses /licenses
 
-USER stackable
 WORKDIR /stackable/bin
 ENV PATH=/stackable/bin:$PATH
 
 # Get latest stable version from curl -L -s https://dl.k8s.io/release/stable.txt
-RUN curl https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl \
-    -o /stackable/bin/kubectl && chmod +x /stackable/bin/kubectl
-
-RUN curl https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64 \
-    -o /stackable/bin/jq && \
-    chmod +x /stackable/bin/jq
-
-USER stackable
+RUN <<EOF
+curl "https://dl.k8s.io/release/v${KUBECTL_VERSION}/bin/linux/${TARGETARCH}/kubectl" \
+    -o /stackable/bin/kubectl
+chmod +x /stackable/bin/kubectl
+
+curl "https://github.com/stedolan/jq/releases/download/jq-${JQ_VERSION}/jq-linux64" \
+    -o /stackable/bin/jq
+chmod +x /stackable/bin/jq
+
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
+
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
+USER ${STACKABLE_USER_UID}
diff --git a/trino-cli/Dockerfile b/trino-cli/Dockerfile
@@ -5,6 +5,7 @@ FROM stackable/image/java-base
 
 ARG PRODUCT
 ARG RELEASE
+ARG STACKABLE_USER_UID
 
 LABEL name="Trino CLI" \
       maintainer="info@stackable.tech" \
@@ -22,14 +23,27 @@ RUN microdnf update && \
     microdnf clean all && \
     rm -rf /var/cache/yum
 
-USER stackable
-WORKDIR /stackable
 
-COPY --chown=stackable:stackable trino-cli/licenses /licenses
+COPY --chown=${STACKABLE_USER_UID}:0 trino-cli/licenses /licenses
 
 WORKDIR /stackable/trino-cli
 
-RUN curl -O https://repo.stackable.tech/repository/packages/trino-cli/trino-cli-${PRODUCT}-executable.jar \
-    && ln -s trino-cli-${PRODUCT}-executable.jar trino-cli-executable.jar
+RUN <<EOF
+curl -O "https://repo.stackable.tech/repository/packages/trino-cli/trino-cli-${PRODUCT}-executable.jar"
+ln -s "trino-cli-${PRODUCT}-executable.jar" trino-cli-executable.jar
 
+# All files and folders owned by root group to support running as arbitrary users.
+# This is best practice as all container users will belong to the root group (0).
+chown -R ${STACKABLE_USER_UID}:0 /stackable
+chmod -R g=u /stackable
+EOF
+
+# ----------------------------------------
+# Attention: We are changing the group of all files in /stackable directly above
+# If you do any file based actions (copying / creating etc.) below this comment you
+# absolutely need to make sure that the correct permissions are applied!
+# chown ${STACKABLE_USER_UID}:0
+# ----------------------------------------
+
+USER ${STACKABLE_USER_UID}
 ENTRYPOINT ["java", "-jar", "/stackable/trino-cli/trino-cli-executable.jar"]
diff --git a/trino/Dockerfile b/trino/Dockerfile
diff --git a/vector/Dockerfile b/vector/Dockerfile
diff --git a/zookeeper/Dockerfile b/zookeeper/Dockerfile
