create non-root users for cli containers

Author: rcmadhankumar

src/bci_build/package/git.py

@@ -4,6 +4,7 @@
 from bci_build.os_version import ALL_NONBASE_OS_VERSIONS
 from bci_build.os_version import CAN_BE_LATEST_OS_VERSION
 from bci_build.package import ApplicationStackContainer
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import format_version
@@ -42,10 +43,18 @@
         package_list=[
             "git-core",
             "openssh-clients",
+            "shadow"
         ],
         build_stage_custom_end=generate_package_version_check(
             "git-core", git_version, ParseVersion.MINOR, use_target=True
         ),
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="git",
+            group_id=1000,
+            group_name="git",
+            user_create=True
+        ),
     )
     for os_version in ALL_NONBASE_OS_VERSIONS
 ]

src/bci_build/package/helm.py

@@ -5,6 +5,7 @@
 from bci_build.os_version import ALL_NONBASE_OS_VERSIONS
 from bci_build.os_version import CAN_BE_LATEST_OS_VERSION
 from bci_build.package import ApplicationStackContainer
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import format_version
@@ -36,7 +37,15 @@
         package_list=[
             "ca-certificates-mozilla",
             "helm",
+            "shadow",
         ],
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="helm",
+            group_id=1000,
+            group_name="helm",
+            user_create=True
+        ),
         replacements_via_service=[
             Replacement(
                 regex_in_build_description="%%helm_version%%",

src/bci_build/package/kubectl.py

@@ -5,6 +5,7 @@
 from bci_build.os_version import CAN_BE_LATEST_OS_VERSION
 from bci_build.os_version import OsVersion
 from bci_build.package import ApplicationStackContainer
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.replacement import Replacement
 from bci_build.util import ParseVersion
@@ -61,7 +62,14 @@ def _get_kubectl_stability_tag(version: str, os_version: OsVersion) -> str | Non
                 parse_version=ParseVersion.PATCH,
             )
         ],
-        package_list=[f"kubernetes{ver}-client"],
+        package_list=[f"kubernetes{ver}-client", "shadow"],
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="kubectl",
+            group_id=1000,
+            group_name="kubectl",
+            user_create=True
+        ),
         entrypoint=["kubectl"],
         license="Apache-2.0",
         support_level=SupportLevel.L3,

src/bci_build/package/samba.py

@@ -9,6 +9,7 @@
 from bci_build.package import DOCKERFILE_RUN
 from bci_build.package import ApplicationStackContainer
 from bci_build.package import OsVersion
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import get_pkg_version
@@ -121,7 +122,15 @@
         license="GPL-3.0-or-later",
         package_list=[
             "samba-client",
+            "shadow"
         ],
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="smbc",
+            group_id=1000,
+            group_name="smbc",
+            user_create=True
+        ),
     )
 
     toolbox = ApplicationStackContainer(
@@ -149,9 +158,17 @@
         package_list=[
             "samba-client",
             "tdb-tools",
+            "shadow",
         ]
         # FIXME: unavailable on SLES
         + (["samba-test"] if os_version.is_tumbleweed else []),
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="smbc",
+            group_id=1000,
+            group_name="smbc",
+            user_create=True
+        ),
     )
 
     SAMBA_SERVER_CONTAINERS.append(srv)