Run setuid as jetty with JETTY_BASE=/var/lib/jetty

[md5]

This patch updates the jetty image to take advantage of the JETTY_BASE feature in Jetty 9.1+. Jetty now runs from /var/lib/jetty, which is owned by user jetty.

The /var/lib/jetty directory is created using Jetty's start.jar --add-to-startd functionality based on the list of modules in $JETTY_HOME/start.ini. The Dockerfile then adds Jetty's setuid to direct Jetty to drop privileges after startup.

Fixes #1

[md5]

@tianon @yosifkit thoughts?

[yosifkit]

That seems reasonable.

[md5]

The image as built by this branch can actually be run directly with -u jetty; the setuid module just has no effect in that case.

The reason I didn't use USER jetty is probably the same reason that (for example) ghost uses gosu instead of USER user, i.e. ease of creating derived images without having to switch back to USER root. In this case, Jetty provides the functionality built-in, so I didn't want to add gosu.

I'm planning to document this stuff and submit PRs for both the image changes and the docs at the same time.

[tianon]

Seems good to me too. Apache and the mysql variations do a similar flow. 👍