chore: use non-root user for alpine images (#34162)

Author: debdutdeb

apps/meteor/.docker/Dockerfile.alpine

@@ -4,9 +4,24 @@ LABEL maintainer="buildmaster@rocket.chat"
 
 ENV LANG=C.UTF-8
 
-RUN apk add --no-cache deno ttf-dejavu
+# `nogroup` group is historically reserved for NFS.
+# We don't use any NFS related tools in this image.
+# For the same reason of NFS using the gid, we can also use it as long as there are no conflicts in terms of running processes with the same egid (which is 1 in our case).
+# While 65533 raw gid could be used, renaming nogroup to rocketchat here for maximum compatibility with older debian image.
+# More info on nobody/nogroup - https://wiki.ubuntu.com/nobody
+# Debian wiki - https://wiki.debian.org/SystemGroups
+# """
+# daemon: Some unprivileged daemons that need to write to files on disk run as daemon.daemon (e.g., portmap, atd, probably others).
+# Daemons that don't need to own any files can run as nobody.nogroup instead,
+# and more complex or security conscious daemons run as dedicated users.
+# The daemon user is also handy for locally installed daemons.
+# """
+RUN apk add --no-cache deno ttf-dejavu \
+    && apk add --no-cache --virtual deps shadow python3 make g++ py3-setuptools libc6-compat \
+    && groupmod -n rocketchat nogroup \
+    && useradd -u 65533 -r -g rocketchat rocketchat
 
-ADD . /app
+COPY --chown=rocketchat:rocketchat . /app
 
 # needs a mongo instance - defaults to container linking with alias 'mongo'
 ENV DEPLOY_METHOD=docker \
@@ -17,30 +32,35 @@ ENV DEPLOY_METHOD=docker \
     ROOT_URL=http://localhost:3000 \
     Accounts_AvatarStorePath=/app/uploads
 
-RUN set -x \
-    && apk add --no-cache --virtual .fetch-deps python3 make g++ py3-setuptools libc6-compat \
+USER rocketchat
+
+RUN cd /app/bundle/programs/server \
+    && npm install --omit=dev \
     && cd /app/bundle/programs/server \
-    && npm install --omit=dev --unsafe-perm \
-    # Start hack for sharp...
     && rm -rf npm/node_modules/sharp \
-    && npm install sharp@0.32.6 \
+    && npm install sharp@0.32.6 --no-save \
     && mv node_modules/sharp npm/node_modules/sharp \
+    # End hack for sharp
     && cd /app/bundle/programs/server/npm/node_modules/@vector-im/matrix-bot-sdk \
     && npm install \
-    # End hack for sharp
     # # Start hack for isolated-vm...
     # && rm -rf npm/node_modules/isolated-vm \
     # && npm install isolated-vm@4.6.0 \
     # && mv node_modules/isolated-vm npm/node_modules/isolated-vm \
     # # End hack for isolated-vm
     && cd /app/bundle/programs/server/npm \
     && npm rebuild bcrypt --build-from-source \
-    && npm cache clear --force \
-    && apk del .fetch-deps
+    && npm cache clear --force
+
+USER root
+
+RUN apk del deps
+
+USER rocketchat
 
 # TODO: remove hack once upstream builds are fixed
-COPY matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
-COPY matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@vector-im/matrix-bot-sdk/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
+COPY --chown=rocketchat:rocketchat matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
+COPY --chown=rocketchat:rocketchat matrix-sdk-crypto.linux-x64-musl.node /app/bundle/programs/server/npm/node_modules/@vector-im/matrix-bot-sdk/node_modules/@matrix-org/matrix-sdk-crypto-nodejs
 
 VOLUME /app/uploads
 

ee/apps/account-service/Dockerfile

@@ -78,10 +78,15 @@ ENV NODE_ENV=production \
 WORKDIR /app/ee/apps/${SERVICE}
 
 RUN apk update && \
-    apk --no-cache --virtual build-dependencies add g++ python3 make py3-setuptools && \
+    apk --no-cache --virtual deps add g++ python3 make py3-setuptools shadow && \
     yarn workspaces focus --production && \
     rm -rf /var/cache/apk/* && \
-    apk del build-dependencies
+    groupmod -n rocketchat nogroup && \
+    useradd -u 65533 -r -g rocketchat rocketchat && \
+    apk del deps && \
+    chown -R rocketchat:rocketchat /app
+
+USER rocketchat
 
 EXPOSE 3000 9458
 

ee/apps/authorization-service/Dockerfile

@@ -75,10 +75,15 @@ ENV NODE_ENV=production \
 WORKDIR /app/ee/apps/${SERVICE}
 
 RUN apk update && \
-    apk --no-cache --virtual build-dependencies add g++ python3 make py3-setuptools && \
+    apk --no-cache --virtual deps add g++ python3 make py3-setuptools shadow && \
     yarn workspaces focus --production && \
     rm -rf /var/cache/apk/* && \
-    apk del build-dependencies
+    groupmod -n rocketchat nogroup && \
+    useradd -u 65533 -r -g rocketchat rocketchat && \
+    apk del deps && \
+    chown -R rocketchat:rocketchat /app
+
+USER rocketchat
 
 EXPOSE 3000 9458
 

ee/apps/ddp-streamer/Dockerfile

@@ -81,10 +81,15 @@ ENV NODE_ENV=production \
 WORKDIR /app/ee/apps/${SERVICE}
 
 RUN apk update && \
-    apk --no-cache --virtual build-dependencies add g++ python3 make py3-setuptools && \
+    apk --no-cache --virtual deps add g++ python3 make py3-setuptools shadow && \
     yarn workspaces focus --production && \
     rm -rf /var/cache/apk/* && \
-    apk del build-dependencies
+    groupmod -n rocketchat nogroup && \
+    useradd -u 65533 -r -g rocketchat rocketchat && \
+    apk del deps && \
+    chown -R rocketchat:rocketchat /app
+
+USER rocketchat
 
 EXPOSE 3000 9458
 

ee/apps/omnichannel-transcript/Dockerfile

@@ -84,10 +84,15 @@ ENV NODE_ENV=production \
 WORKDIR /app/ee/apps/${SERVICE}
 
 RUN apk update && \
-    apk --no-cache --virtual build-dependencies add g++ python3 make py3-setuptools && \
+    apk --no-cache --virtual deps add g++ python3 make py3-setuptools shadow && \
     yarn workspaces focus --production && \
     rm -rf /var/cache/apk/* && \
-    apk del build-dependencies
+    groupmod -n rocketchat nogroup && \
+    useradd -u 65533 -r -g rocketchat rocketchat && \
+    apk del deps && \
+    chown -R rocketchat:rocketchat /app
+
+USER rocketchat
 
 EXPOSE 3000 9458
 

ee/apps/presence-service/Dockerfile

@@ -78,10 +78,15 @@ ENV NODE_ENV=production \
 WORKDIR /app/ee/apps/${SERVICE}
 
 RUN apk update && \
-    apk --no-cache --virtual build-dependencies add g++ python3 make py3-setuptools && \
+    apk --no-cache --virtual deps add g++ python3 make py3-setuptools shadow && \
     yarn workspaces focus --production && \
     rm -rf /var/cache/apk/* && \
-    apk del build-dependencies
+    groupmod -n rocketchat nogroup && \
+    useradd -u 65533 -r -g rocketchat rocketchat && \
+    apk del deps && \
+    chown -R rocketchat:rocketchat /app
+
+USER rocketchat
 
 EXPOSE 3000 9458
 

ee/apps/queue-worker/Dockerfile

@@ -84,10 +84,15 @@ ENV NODE_ENV=production \
 WORKDIR /app/ee/apps/${SERVICE}
 
 RUN apk update && \
-    apk --no-cache --virtual build-dependencies add g++ python3 make py3-setuptools && \
+    apk --no-cache --virtual deps add g++ python3 make py3-setuptools shadow && \
     yarn workspaces focus --production && \
     rm -rf /var/cache/apk/* && \
-    apk del build-dependencies
+    groupmod -n rocketchat nogroup && \
+    useradd -u 65533 -r -g rocketchat rocketchat && \
+    apk del deps && \
+    chown -R rocketchat:rocketchat /app
+
+USER rocketchat
 
 EXPOSE 3000 9458
 

ee/apps/stream-hub-service/Dockerfile

@@ -75,10 +75,15 @@ ENV NODE_ENV=production \
 WORKDIR /app/ee/apps/${SERVICE}
 
 RUN apk update && \
-    apk --no-cache --virtual build-dependencies add g++ python3 make py3-setuptools && \
+    apk --no-cache --virtual deps add g++ python3 make py3-setuptools shadow && \
     yarn workspaces focus --production && \
     rm -rf /var/cache/apk/* && \
-    apk del build-dependencies
+    groupmod -n rocketchat nogroup && \
+    useradd -u 65533 -r -g rocketchat rocketchat && \
+    apk del deps && \
+    chown -R rocketchat:rocketchat /app
+
+USER rocketchat
 
 EXPOSE 3000 9458