fix (project-clone) : update user_setup script to modify /etc/passwd permissions/ownership #1499

Merged: akurinnoy merged 1 commit into devfile:main from rohankanojia-forks:project-clone-etc-passwd on Sep 24, 2025


rohanKanojia (Member) commented Sep 4, 2025

What does this PR do?

We have a script that's used in Dockerfiles to set up users; it sets these permissions for /etc/passwd:

chmod g+rw /etc/passwd

This gets used in both main image and project-clone image:

Update user_setup script to not make /etc/passwd group writable

What issues does this PR fix or reference?

https://issues.redhat.com/browse/CRW-9380

Is it tested? How?

  • Checkout PR branch
  • Create container image for project-clone : docker build . -f project-clone/Dockerfile -t <registry>/<user>/project-clone:next
  • Run container based on the created image and check permissions of /etc/passwd (it should NOT be group writable):
devworkspace-operator : $ docker run --rm docker.io/rohankanojia/project-clone:next ls -lt /etc/passwd
-rw-r--r-- 1 root root 533 Feb  7  2024 /etc/passwd

main branch behavior:

docker run --rm -it quay.io/devfile/project-clone:next bash
bash-5.1$ ls -lt /etc/passwd 
-rw-rw-r-- 1 root root 600 Sep  4 11:22 /etc/passwd

Verifying on CRC and minikube

I verified these steps:

  • minikube with docker driver (not CRI-O)
  • CRC (CRI-O) driver

  • Deploy operator to cluster and verify DevWorkspace Operator gets cloned correctly:
    • Push Project clone image to some registry
    • export PROJECT_CLONE_IMG=<registry>/<user>/project-clone:next
    • export DWO_IMG=<registry>/<user>/devworkspace-controller:next
    • make docker
    • make install
    • Wait for DevWorkspace Operator pods to become ready
    • Create a sample workspace: oc create -f samples/code-latest.yaml
    • DevWorkspace should come in Running state
    • Both init-containers should succeed
    • Verify project-clone init-container logs to see if project cloned successfully: oc logs -l controller.devfile.io/devworkspace_name=code-latest -cproject-clone

PR Checklist

  • E2E tests pass (when PR is ready, comment /test v8-devworkspace-operator-e2e, v8-che-happy-path to trigger)
    • v8-devworkspace-operator-e2e: DevWorkspace e2e test
    • v8-che-happy-path: Happy path for verification integration with Che
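
The permission check from the test steps above, written as a gate a build can run (an added example, not code from this PR or the devworkspace-operator repository). The function names and the root-directory argument are assumptions made for the example; it also flags other-writable modes, which goes slightly beyond the group-write case the PR fixes.

```shell
#!/bin/sh
# Added example (not from the PR): flag account files that are writable by
# group or other under a given root filesystem. All names are hypothetical.

# Print a file's octal permission bits (GNU stat, then BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null
}

# Return 0 when group or other holds the write bit, 1 when neither does,
# 2 when the mode cannot be read.
writable_beyond_owner() {
    wbo_mode=$(mode_of "$1") || return 2
    # The leading 0 makes the shell parse the mode as octal; 022 = g+w | o+w.
    [ $(( 0$wbo_mode & 022 )) -ne 0 ]
}

# audit_account_files ROOT [RELATIVE_PATH...]
# ROOT is "/" inside a running container or the path of an unpacked image
# rootfs (assumption). Defaults to etc/passwd, the file this PR changes.
# Returns 1 if any audited file is group/other writable or unreadable, else 0.
audit_account_files() {
    aaf_root=${1%/}; shift
    [ "$#" -gt 0 ] || set -- etc/passwd
    aaf_rc=0
    for aaf_rel in "$@"; do
        aaf_path="$aaf_root/$aaf_rel"
        if [ ! -e "$aaf_path" ]; then
            echo "SKIP  $aaf_path (not present)"; continue
        fi
        writable_beyond_owner "$aaf_path" && aaf_st=0 || aaf_st=$?
        case $aaf_st in
            0) echo "FAIL  $aaf_path mode $(mode_of "$aaf_path") is group/other writable"; aaf_rc=1 ;;
            1) echo "OK    $aaf_path mode $(mode_of "$aaf_path")" ;;
            *) echo "ERROR $aaf_path mode could not be read"; aaf_rc=1 ;;
        esac
    done
    return "$aaf_rc"
}

# When invoked with arguments, audit them: ./audit.sh / etc/passwd
if [ "$#" -gt 0 ]; then
    audit_account_files "$@"
fi
```

Inside an image, `audit_account_files /` gives the same signal as the `ls -lt /etc/passwd` check in the description, but as an exit status that a build step can fail on.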

openshift-ci bot commented Sep 4, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

rohanKanojia force-pushed the project-clone-etc-passwd branch 2 times, most recently from 51b9337 to 1cb158d, on September 4, 2025 15:55
rohanKanojia changed the title from "fix (project-clone) : update project-clone Dockerfile to modify /etc/passwd permissions/ownership" to "fix (project-clone) : update user_setup script to modify /etc/passwd permissions/ownership" on Sep 4, 2025

rohanKanojia (Member, Author) commented:

/ok-to-test

rohanKanojia marked this pull request as ready for review on September 8, 2025 10:03
rohanKanojia force-pushed the project-clone-etc-passwd branch from 1cb158d to f3f26ab on September 18, 2025 03:18

rohanKanojia (Member, Author) commented:

/ok-to-test

rohanKanojia (Member, Author) commented:

/retest

@@ -7,7 +7,7 @@ chown ${USER_UID}:0 ${HOME}
chmod ug+rwx ${HOME}

# runtime user will need to be able to self-insert in /etc/passwd
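
Review bot: The last context line of this hunk, `# runtime user will need to be able to self-insert in /etc/passwd`, contradicts the stated goal of the change, since a /etc/passwd that is no longer group writable cannot be appended to by a non-root runtime user. Remove or reword the comment, and confirm that nothing at container start still tries to write a passwd entry for the runtime UID, because that write would now fail. As a style point on the two lines above it, `${HOME}` and `${USER_UID}` in the `chown` and `chmod` calls are unquoted; quoting them avoids word splitting if either value ever contains whitespace.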
Review comment from a collaborator on this hunk:

Could we delete this comment?

# runtime user will need to be able to self-insert in /etc/passwd

…` permissions/ownership

Update user_setup script to not make `/etc/passwd` group writable

Signed-off-by: Rohan Kumar <rohaan@redhat.com>

rohanKanojia force-pushed the project-clone-etc-passwd branch from f3f26ab to e424513 on September 24, 2025 03:42
openshift-ci bot removed the lgtm label on Sep 24, 2025
openshift-ci bot commented Sep 24, 2025

@rohanKanojia: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

| Test name | Commit | Details | Required | Rerun command |
| --- | --- | --- | --- | --- |
| ci/prow/v14-che-happy-path | e424513 | link | true | /test v14-che-happy-path |


openshift-ci bot commented Sep 24, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: akurinnoy, dkwon17, rohanKanojia


akurinnoy (Collaborator) commented:

/retest

akurinnoy merged commit 6357888 into devfile:main on Sep 24, 2025
10 of 11 checks passed
rohanKanojia deleted the project-clone-etc-passwd branch on September 24, 2025 12:07