non-root user to build artifacts inside the container

elastic · Jul 7, 2022 · d411230 · d411230
1 parent 576fae9
commit d411230
Show file tree

Hide file tree

Showing 4 changed files with 21 additions and 8 deletions.
diff --git a/.ci/Dockerfile b/.ci/Dockerfile
@@ -1,16 +1,25 @@
 ARG PYTHON_VERSION=3.8
 FROM python:${PYTHON_VERSION}
 
+# Default UID/GID to 1000
+# it can be overridden at build time
+ARG BUILDER_UID=1000
+ARG BUILDER_GID=1000
+ENV BUILDER_USER elastic
+ENV BUILDER_GROUP elastic
+
+# Create user
+RUN groupadd --system -g ${BUILDER_GID} ${BUILDER_GROUP} \
+    && useradd --system --shell /bin/bash -u ${BUILDER_UID} -g ${BUILDER_GROUP} -d /var/lib/elastic -m elastic 1>/dev/null 2>/dev/null \
+    && mkdir -p /code/elasticsearch-py && mkdir /code/elasticsearch-py/build \
+    && chown -R ${BUILDER_USER}:${BUILDER_GROUP} /code/elasticsearch-py
+COPY --chown=$BUILDER_USER:$BUILDER_GROUP . .
 WORKDIR /code/elasticsearch-py
+USER ${BUILDER_USER}:${BUILDER_GROUP}
 COPY dev-requirements.txt .
 RUN python -m pip install \
     -U --no-cache-dir \
     --disable-pip-version-check \
-    pip \
-    && python -m pip install \
-    --no-cache-dir \
-    --disable-pip-version-check \
-    -r dev-requirements.txt
-
-COPY . .
-RUN python -m pip install -e .
+    nox -rdev-requirements.txt
+COPY --chown=$BUILDER_USER:$BUILDER_GROUP . .
+RUN python -m pip install -U -e .
diff --git a/.ci/make.sh b/.ci/make.sh
@@ -115,6 +115,7 @@ esac
 echo -e "\033[34;1mINFO: building $product container\033[0m"
 
 docker build \
+  --build-arg BUILDER_UID="$(id -u)" \
   --file $repo/.ci/Dockerfile \
   --tag ${product} \
   .
@@ -129,6 +130,7 @@ if [[ "$CMD" == "assemble" ]]; then
 
   # Build dists into .ci/output
   docker run \
+     -u "$(id -u)" \
     --rm -v $repo/.ci/output:/code/elasticsearch-py/dist \
     $product \
     /bin/bash -c "python /code/elasticsearch-py/utils/build-dists.py $VERSION"

diff --git a/.ci/run-elasticsearch.sh b/.ci/run-elasticsearch.sh
@@ -116,6 +116,7 @@ END
   echo -e "\033[34;1mINFO:\033[0m Starting container $node_name \033[0m"
   set -x
   docker run \
+    -u "$(id -u)" \
     --name "$node_name" \
     --network "$network_name" \
     --env "ES_JAVA_OPTS=-Xms1g -Xmx1g -da:org.elasticsearch.xpack.ccr.index.engine.FollowingEngineAssertions" \

diff --git a/.ci/run-repository.sh b/.ci/run-repository.sh
@@ -37,6 +37,7 @@ fi
 
 mkdir -p junit
 docker run \
+  -u "$(id -u)" \
   --network=${network_name} \
   --env "STACK_VERSION=${STACK_VERSION}" \
   --env "ELASTICSEARCH_URL=${elasticsearch_url}" \