Change image to use non-root user #154

Closed
ramonmedeiros opened this issue Jan 10, 2019 · 7 comments · Fixed by #213

Comments

@ramonmedeiros

I'm using this docker to generate the credentials json and export to other container using --volumes-from. The issue is that we are exporting /root, which is not readable from a common user in another container. Let's change this to a common user.

@mlin

mlin commented Nov 19, 2019

It's definitely a bummer that gsutil (and perhaps other commands?) seem to have to run as root...

$ docker run --rm -it --user 1000 google/cloud-sdk:slim gsutil ls -l gs://hca-dcp-sc-pipelines-test-data/
ERROR: (gsutil) Failed to create the default configuration. Ensure your have the correct permissions on: [/.config/gcloud/configurations].
  Could not create directory [/.config/gcloud/configurations]: Permission denied.

Please verify that you have permissions to write to the parent directory.

https://cloud.google.com/solutions/best-practices-for-operating-containers#avoid_running_as_root

@sarkaramrit2

Has anyone figured out a manner one can run 'gsutil' cmds with a non-user?

@madworx

madworx commented Jan 22, 2020

A bit kludgy, but you can achieve it by mounting /.config and /.gsutil in the container (after having created the corresponding directories (owned by uid 1000) on your docker engine host):

docker run --rm -it --user 1000 -v $(pwd)/csdkconfig/:/.config -v $(pwd)/csdkgsutil:/.gsutil google/cloud-sdk:slim gsutil ls -l gs://hca-dcp-sc-pipelines-test-data/

@sarkaramrit2

Thanks @madworx. Appreciate it.

@benbuzbee

I would submit a PR but I notice none of the simple PRs have been looked at since January :(

But the fix is simple, just set HOME to /tmp so gsutil can write to it as any user

-e HOME=/tmp

@number33

#213 was reverted, should this issue be re-opened for now?

@shadiramadan

This definitely should be reopened. A root user should never be the default. I have to add security policies to mute alerts because of writes to /root just for gsutil.
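
The two workarounds in this thread (bind-mounting /.config and /.gsutil, or pointing HOME at a writable location) can be combined in an entrypoint wrapper. The sketch below is an added example, not code from this issue or from the image's maintainers; the function names `sdk_dirs_writable` and `pick_sdk_home` and the `cloudsdk-home` prefix are assumptions, and it falls back to a private `mktemp -d` directory rather than /tmp itself so the credentials written there are not exposed to other users of a shared /tmp.

```shell
#!/bin/sh
# Added example (not from the image's maintainers): choose a HOME that the
# current, possibly non-root, uid can actually write gcloud/gsutil state to.

# sdk_dirs_writable DIR: succeed if DIR/.config/gcloud and DIR/.gsutil (the
# paths named in the thread) exist or can be created, and are writable.
sdk_dirs_writable() {
    base="${1%/}"                      # "/" becomes "" so paths read /.config
    for d in "$base/.config/gcloud" "$base/.gsutil"; do
        mkdir -p "$d" 2>/dev/null || return 1
        [ -w "$d" ] || return 1
    done
}

# pick_sdk_home [DIR]: print a usable HOME. Keeps DIR (default: $HOME, or /)
# when it works, e.g. with the bind mounts from the thread; otherwise creates
# a private directory instead of writing into the shared /tmp directly.
pick_sdk_home() {
    candidate="${1:-${HOME:-/}}"
    if sdk_dirs_writable "$candidate"; then
        printf '%s\n' "$candidate"
        return 0
    fi
    # mktemp -d creates the directory with mode 0700 (owner-only access).
    fallback=$(mktemp -d "${TMPDIR:-/tmp}/cloudsdk-home.XXXXXX") || return 1
    sdk_dirs_writable "$fallback" || return 1
    printf '%s\n' "$fallback"
}

# Hypothetical entrypoint usage inside the container:
#   HOME=$(pick_sdk_home) && export HOME && exec gsutil "$@"
```

Credentials placed in the fallback directory do not survive the container, so sharing them with another container still requires a mounted volume owned by the non-root uid.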
