[CI] non-root user to build artifacts inside the container (#1783)

This commit updates the Dockerfile to create a non-root specific user
for building the ES Client artifacts inside the container.

This specific user id can be passed at buildtime to make it work on both
local dev and CI workflows.

Author: Maxime Gréau

.ci/Dockerfile

@@ -1,18 +1,35 @@
 ARG RUBY_TEST_VERSION=2.6
 FROM ruby:${RUBY_TEST_VERSION}
 
+# Default UID/GID to 1000
+# it can be overridden at build time
+ARG BUILDER_UID=1000
+ARG BUILDER_GID=1000
+ENV BUILDER_USER elastic
+ENV BUILDER_GROUP elastic
+
 ENV GEM_HOME="/usr/local/bundle"
-ENV PATH $GEM_HOME/bin:$GEM_HOME/gems/bin:$PATH
+ENV PATH="$GEM_HOME/bin:$GEM_HOME/gems/bin:$PATH"
 ENV QUIET=true
 ENV CI=true
 
+# Install required tools
+RUN apt-get -q update \
+    && apt-get -y install zip \
+    && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Create user
+RUN groupadd --system -g ${BUILDER_GID} ${BUILDER_GROUP} \
+    && useradd --system --shell /bin/bash -u ${BUILDER_UID} -g ${BUILDER_GROUP} -d /var/lib/elastic -m elastic 1>/dev/null 2>/dev/null \
+    && mkdir -p /usr/src/app && touch /Gemfile.lock \
+    && chown -R ${BUILDER_USER}:${BUILDER_GROUP} /usr/src/app /Gemfile.lock
+
+COPY --chown=$BUILDER_USER:$BUILDER_GROUP . .
+
 WORKDIR /usr/src/app
 
-COPY . .
+USER ${BUILDER_USER}:${BUILDER_GROUP}
 
-RUN apt-get update
-RUN apt-get install zip
-RUN gem update --system --quiet --silent
-RUN bundle install --quiet
-RUN bundle exec rake bundle:clean
-RUN rake bundle:install
+RUN bundle install \
+    && bundle exec rake bundle:clean \
+    && rake bundle:install

.ci/make.sh

@@ -116,7 +116,7 @@ echo -e "\033[1m>>>>> Build [elastic/elasticsearch-ruby container] >>>>>>>>>>>>>
 # ------------------------------------------------------- #
 
 echo -e "\033[34;1mINFO: building $product container\033[0m"
-docker build --file .ci/Dockerfile --tag ${product} .
+docker build --build-arg BUILDER_UID="$(id -u)" --file .ci/Dockerfile --tag ${product} .
 
 # ------------------------------------------------------- #
 # Run the Container
@@ -131,6 +131,7 @@ args_string="${TASK_ARGS[*]}"
 args_string="${args_string// /,}"
 
 docker run \
+       -u "$(id -u)" \
        --env "RUBY_TEST_VERSION=${RUBY_TEST_VERSION}" \
        --env "WORKFLOW=${WORKFLOW}" \
        --name test-runner \

.ci/run-elasticsearch.sh

@@ -129,6 +129,7 @@ END
   echo -e "\033[34;1mINFO:\033[0m Starting container $node_name \033[0m"
   set -x
   docker run \
+    -u "$(id -u)" \
     --name "$node_name" \
     --network "$network_name" \
     --env "ES_JAVA_OPTS=-Xms1g -Xmx1g -da:org.elasticsearch.xpack.ccr.index.engine.FollowingEngineAssertions" \

.ci/run-repository.sh

@@ -52,7 +52,8 @@ fi
 
 # run the client tests
 if [[ $STACK_VERSION == "8.0.0-SNAPSHOT" ]]; then
-  docker run \
+    docker run \
+         -u "$(id -u)" \
          --network="${network_name}" \
          --env "ELASTIC_CLIENT_APIVERSIONING=true" \
          --env "ELASTIC_PASSWORD=${elastic_password}" \
@@ -69,6 +70,7 @@ if [[ $STACK_VERSION == "8.0.0-SNAPSHOT" ]]; then
          bundle exec rake elasticsearch:download_artifacts test:rest_api
 elif [[ $TEST_SUITE != "platinum" ]]; then
   docker run \
+         -u "$(id -u)" \
          --network="${network_name}" \
          --env "TEST_ES_SERVER=${elasticsearch_url}" \
          --env "TEST_SUITE=${TEST_SUITE}" \
@@ -80,18 +82,19 @@ elif [[ $TEST_SUITE != "platinum" ]]; then
          elastic/elasticsearch-ruby \
          bundle exec rake elasticsearch:download_artifacts test:rest_api
 else
-    docker run \
-           --network="${network_name}" \
-           --env "TEST_ES_SERVER=${elasticsearch_url}" \
-           --env "ELASTIC_PASSWORD=${elastic_password}" \
-           --env "TEST_SUITE=${TEST_SUITE}" \
-           --env "ELASTIC_USER=elastic" \
-           --env "SINGLE_TEST=${SINGLE_TEST}" \
-           --env "STACK_VERSION=${STACK_VERSION}" \
-           --env "ELASTIC_CLIENT_APIVERSIONING=${ELASTIC_API_VERSIONING:-false}" \
-           --volume $repo:/usr/src/app \
-           --name elasticsearch-ruby \
-           --rm \
-           elastic/elasticsearch-ruby \
-           bundle exec rake elasticsearch:download_artifacts test:security
+  docker run \
+         -u "$(id -u)" \
+         --network="${network_name}" \
+         --env "TEST_ES_SERVER=${elasticsearch_url}" \
+         --env "ELASTIC_PASSWORD=${elastic_password}" \
+         --env "TEST_SUITE=${TEST_SUITE}" \
+         --env "ELASTIC_USER=elastic" \
+         --env "SINGLE_TEST=${SINGLE_TEST}" \
+         --env "STACK_VERSION=${STACK_VERSION}" \
+         --env "ELASTIC_CLIENT_APIVERSIONING=${ELASTIC_API_VERSIONING:-false}" \
+         --volume $repo:/usr/src/app \
+         --name elasticsearch-ruby \
+         --rm \
+         elastic/elasticsearch-ruby \
+         bundle exec rake elasticsearch:download_artifacts test:security
 fi