[CI] non-root user to build artifacts inside the container (#1783)

[CI] non-root user to build artifacts inside the container

This commit updates the Dockerfile to create a non-root specific user
for building the ES Client artifacts inside the container.

This specific user id can be passed at buildtime to make it work on both
local dev and CI workflows.

Author: Maxime Gréau

.ci/Dockerfile

@@ -1,17 +1,35 @@
 ARG RUBY_TEST_VERSION=2.7
 FROM ruby:${RUBY_TEST_VERSION}
 
+# Default UID/GID to 1000
+# it can be overridden at build time
+ARG BUILDER_UID=1000
+ARG BUILDER_GID=1000
+ENV BUILDER_USER elastic
+ENV BUILDER_GROUP elastic
+
 ENV GEM_HOME="/usr/local/bundle"
-ENV PATH $GEM_HOME/bin:$GEM_HOME/gems/bin:$PATH
+ENV PATH="$GEM_HOME/bin:$GEM_HOME/gems/bin:$PATH"
 ENV QUIET=true
 ENV CI=true
 
+# Install required tools
+RUN apt-get -q update \
+    && apt-get -y install zip \
+    && apt-get clean && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+# Create user
+RUN groupadd --system -g ${BUILDER_GID} ${BUILDER_GROUP} \
+    && useradd --system --shell /bin/bash -u ${BUILDER_UID} -g ${BUILDER_GROUP} -d /var/lib/elastic -m elastic 1>/dev/null 2>/dev/null \
+    && mkdir -p /usr/src/app && touch /Gemfile.lock \
+    && chown -R ${BUILDER_USER}:${BUILDER_GROUP} /usr/src/app /Gemfile.lock
+
+COPY --chown=$BUILDER_USER:$BUILDER_GROUP . .
+
 WORKDIR /usr/src/app
 
-COPY . .
+USER ${BUILDER_USER}:${BUILDER_GROUP}
 
-RUN apt-get update
-RUN apt-get install zip
-RUN bundle install --quiet
-RUN bundle exec rake bundle:clean
-RUN rake bundle:install
+RUN bundle install \
+    && bundle exec rake bundle:clean \
+    && rake bundle:install

.ci/make.sh

@@ -116,7 +116,7 @@ echo -e "\033[1m>>>>> Build [elastic/elasticsearch-ruby container] >>>>>>>>>>>>>
 # ------------------------------------------------------- #
 
 echo -e "\033[34;1mINFO: building $product container\033[0m"
-docker build --file .ci/Dockerfile --tag ${product} .
+docker build --build-arg BUILDER_UID="$(id -u)" --file .ci/Dockerfile --tag ${product} .
 
 # ------------------------------------------------------- #
 # Run the Container
@@ -131,6 +131,7 @@ args_string="${TASK_ARGS[*]}"
 args_string="${args_string// /,}"
 
 docker run \
+       -u "$(id -u)" \
        --env "RUBY_TEST_VERSION=${RUBY_TEST_VERSION}" \
        --env "WORKFLOW=${WORKFLOW}" \
        --name test-runner \

.ci/run-elasticsearch.sh

@@ -115,6 +115,7 @@ END
   echo -e "\033[34;1mINFO:\033[0m Starting container $node_name \033[0m"
   set -x
   docker run \
+    -u "$(id -u)" \
     --name "$node_name" \
     --network "$network_name" \
     --env "ES_JAVA_OPTS=-Xms1g -Xmx1g -da:org.elasticsearch.xpack.ccr.index.engine.FollowingEngineAssertions" \

.ci/run-repository.sh

@@ -43,6 +43,7 @@ repo=`pwd`
 # run the client tests
 if [[ $TEST_SUITE != "platinum" ]]; then
     docker run \
+           -u "$(id -u)" \
            --network="${network_name}" \
            --env "TEST_ES_SERVER=${elasticsearch_url}" \
            --env "TEST_SUITE=${TEST_SUITE}" \
@@ -53,6 +54,7 @@ if [[ $TEST_SUITE != "platinum" ]]; then
            bundle exec rake elasticsearch:download_artifacts test:rest_api
 else
     docker run \
+           -u "$(id -u)" \
            --network="${network_name}" \
            --env "TEST_ES_SERVER=${elasticsearch_url}" \
            --env "ELASTIC_PASSWORD=${elastic_password}" \

rake_tasks/unified_release_tasks.rake

@@ -33,8 +33,6 @@ namespace :unified_release do
 
     build_gems(args[:output_dir])
     create_zip_file(args[:output_dir])
-    sh "chmod 666 #{CURRENT_PATH.join(args[:output_dir])}/* && " \
-       "chmod 666 #{CURRENT_PATH.join(args[:output_dir])}"
   end
 
   def build_gems(output_dir)