From 0ff593052894d039e6ba7fb772bc7e89b0eb4b64 Mon Sep 17 00:00:00 2001 From: Antoni Ivanov Date: Thu, 17 Feb 2022 19:35:03 +0200 Subject: [PATCH] control-service: run data job as non-root user (#710) Currently data job docker container is run as root user . This is not considered best practice (https://docs.docker.com/develop/develop-images/dockerfile_best-practices/#user) And in environment where root is forbidden it won't work. For example the job would fail if data job kubernetes pod is set to run as specific user e.g using: ``` securityContext: fsGroup: 1000 runAsGroup: 1000 runAsUser: 1000 ``` We are making sure that when building the data job we are setting up permissions and users and starting the docker container with new user. The UID and GID can be passed as argument during docker build but that is not currently exposed to operators when deploying jobs. So the UID/GID is currently required to be 1000 Testing Done: deployed locally job with runAsUser securityContext (as above) and the job succeeded. The integration test would verify end to end as well. Signed-off-by: Antoni Ivanov --- projects/control-service/CHANGELOG.md | 4 ++++ .../pipelines-control-service/values.yaml | 2 +- .../job-builder-rootless/Dockerfile.python.vdk | 12 ++++++++++-- .../projects/job-builder-rootless/version.txt | 2 +- .../projects/job-builder/Dockerfile.python.vdk | 12 ++++++++++-- .../control-service/projects/job-builder/version.txt | 2 +- 6 files changed, 27 insertions(+), 7 deletions(-) diff --git a/projects/control-service/CHANGELOG.md b/projects/control-service/CHANGELOG.md index c87e1760fa..bae99a6a00 100644 --- a/projects/control-service/CHANGELOG.md +++ b/projects/control-service/CHANGELOG.md @@ -11,6 +11,10 @@ MAJOR.MINOR - dd.MM.yyyy * **Breaking Changes** +1.3 - 18.02.2022 +---- +* **Improvement** + * Support rootless data job deployment container images and builder jobs 1.3 - 27.01.2022 ---- 
diff --git a/projects/control-service/projects/helm_charts/pipelines-control-service/values.yaml b/projects/control-service/projects/helm_charts/pipelines-control-service/values.yaml index 6dd4d0829a..ae005eadda 100644 --- a/projects/control-service/projects/helm_charts/pipelines-control-service/values.yaml +++ b/projects/control-service/projects/helm_charts/pipelines-control-service/values.yaml @@ -25,7 +25,7 @@ image: deploymentBuilderImage: registry: registry.hub.docker.com/versatiledatakit repository: job-builder - tag: "1.2.2" + tag: "1.2.3" ## String to partially override pipelines-control-service.fullname template (will maintain the release name) diff --git a/projects/control-service/projects/job-builder-rootless/Dockerfile.python.vdk b/projects/control-service/projects/job-builder-rootless/Dockerfile.python.vdk index f4b1ec5771..3c2de23439 100644 --- a/projects/control-service/projects/job-builder-rootless/Dockerfile.python.vdk +++ b/projects/control-service/projects/job-builder-rootless/Dockerfile.python.vdk @@ -4,15 +4,21 @@ ARG base_image=python:3.9-slim FROM $base_image +ARG UID=1000 +ARG GID=1000 + # Set the working directory WORKDIR /job -# Make sure base image is python based +# Validate base image is python based RUN python -V +# Create necessary users and set home directory to /job +RUN groupadd -r -g $GID vdkgroup && useradd -u $UID -g $GID -r vdkuser && chown -R $UID:$GID /job +ENV HOME=/job # Copy the actual job that has to be executed ARG job_name -COPY $job_name $job_name/ +COPY --chown=$UID:$GID $job_name $job_name/ # TODO: this would trigger for any change in job even if requirements.txt does not change # but there's no COPY_IF_EXISTS command in docker to try copy it. @@ -22,3 +28,5 @@ RUN if [ -f "$job_name/$requirements_file" ]; then pip3 install --disable-pip-ve ARG job_githash ENV JOB_NAME $job_name ENV VDK_JOB_GITHASH $job_githash + +USER $UID 
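Review bot: The `RUN groupadd -r -g $GID vdkgroup && useradd -u $UID -g $GID -r vdkuser && chown -R $UID:$GID /job` line aborts the build when the operator-selectable base (`ARG base_image`) already carries an account with uid or gid 1000, and is unavailable on Alpine-style bases that ship `adduser`/`addgroup` rather than `useradd`/`groupadd`; since the ids are fixed at 1000 for now, guarding the calls, e.g. `getent group "$GID" >/dev/null || groupadd -r -g "$GID" vdkgroup` and the equivalent for `useradd`, lets such bases build instead of failing on a non-unique id. Passing `-d /job -s /usr/sbin/nologin` to `useradd` would record the home in /etc/passwd (an `-r` account otherwise gets a /home/vdkuser that is never created, which only `ENV HOME=/job` papers over) and deny the service account a login shell. The build-arg names `UID`/`GID` also shadow bash's read-only `UID`; that is harmless with the dash `/bin/sh` of the default python:3.9-slim base, but a base whose `/bin/sh` is bash would, as far as I can tell, expand `$UID` in the `RUN` line to the build user's real uid rather than the build arg, so distinct names such as `VDK_UID`/`VDK_GID` would be safer. The same points apply to the identical hunk in projects/control-service/projects/job-builder/Dockerfile.python.vdk.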
diff --git a/projects/control-service/projects/job-builder-rootless/version.txt b/projects/control-service/projects/job-builder-rootless/version.txt index 6e89a8a86a..0473de98d2 100644 --- a/projects/control-service/projects/job-builder-rootless/version.txt +++ b/projects/control-service/projects/job-builder-rootless/version.txt @@ -1 +1 @@ -1.3.0dev2 +1.3.1dev2 diff --git a/projects/control-service/projects/job-builder/Dockerfile.python.vdk b/projects/control-service/projects/job-builder/Dockerfile.python.vdk index f4b1ec5771..d56af208d4 100644 --- a/projects/control-service/projects/job-builder/Dockerfile.python.vdk +++ b/projects/control-service/projects/job-builder/Dockerfile.python.vdk @@ -4,15 +4,21 @@ ARG base_image=python:3.9-slim FROM $base_image +ARG UID=1000 +ARG GID=1000 + # Set the working directory WORKDIR /job -# Make sure base image is python based +# Validate base image is python based RUN python -V +# Create necessary users and set home directory to /job +RUN groupadd -r -g $GID group && useradd -u $UID -g $GID -r user && chown -R $UID:$GID /job +ENV HOME=/job # Copy the actual job that has to be executed ARG job_name -COPY $job_name $job_name/ +COPY --chown=$UID:$GID $job_name $job_name/ # TODO: this would trigger for any change in job even if requirements.txt does not change # but there's no COPY_IF_EXISTS command in docker to try copy it. @@ -22,3 +28,5 @@ RUN if [ -f "$job_name/$requirements_file" ]; then pip3 install --disable-pip-ve ARG job_githash ENV JOB_NAME $job_name ENV VDK_JOB_GITHASH $job_githash + +USER $UID diff --git a/projects/control-service/projects/job-builder/version.txt b/projects/control-service/projects/job-builder/version.txt index 23aa839063..0495c4a88c 100644 --- a/projects/control-service/projects/job-builder/version.txt +++ b/projects/control-service/projects/job-builder/version.txt @@ -1 +1 @@ -1.2.2 +1.2.3
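Review bot: The account names in `RUN groupadd -r -g $GID group && useradd -u $UID -g $GID -r user && chown -R $UID:$GID /job` differ from the otherwise identical rootless builder, which uses `vdkgroup`/`vdkuser`; `group` and `user` are generic enough to be confusing in `ps` output, audit logs and later `chown` references, so naming them `vdkgroup`/`vdkuser` here too keeps the two Dockerfiles interchangeable. In the second hunk, `USER $UID` leaves the primary group to the /etc/passwd lookup of that uid, as far as I understand Docker's handling of a bare numeric `USER`; `USER $UID:$GID` states the intent explicitly and still satisfies a numeric `runAsNonRoot` check.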