create non-root users for containers

rcmadhankumar · rcmadhankumar · commit d60cfe5c2a4f · 2025-10-13T14:16:23.000+05:30
diff --git a/src/bci_build/package/__init__.py b/src/bci_build/package/__init__.py
@@ -73,6 +73,14 @@ def __str__(self) -> str:
         return self.name
 
 
+@enum.unique
+class ParseVersion(enum.StrEnum):
+    MAJOR = enum.auto()
+    MINOR = enum.auto()
+    PATCH = enum.auto()
+    PATCH_UPDATE = enum.auto()
+    OFFSET = enum.auto()
+
 @dataclass
 class StableUser:
     """Data class that stores information about stable user and group
@@ -87,7 +95,8 @@ class StableUser:
     group_name: str
     # id of the group
     group_id: int
-
+    # boolean flag that checks if user needs to be created
+    user_create: bool = False
 
 def _build_tag_prefix(os_version: OsVersion) -> str:
     if os_version == OsVersion.TUMBLEWEED:
diff --git a/src/bci_build/package/git.py b/src/bci_build/package/git.py
@@ -4,6 +4,9 @@
 from bci_build.os_version import ALL_NONBASE_OS_VERSIONS
 from bci_build.os_version import CAN_BE_LATEST_OS_VERSION
 from bci_build.package import ApplicationStackContainer
+from bci_build.package import ParseVersion
+from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import format_version
@@ -42,10 +45,18 @@
         package_list=[
             "git-core",
             "openssh-clients",
+            "shadow"
         ],
         build_stage_custom_end=generate_package_version_check(
             "git-core", git_version, ParseVersion.MINOR, use_target=True
         ),
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="git",
+            group_id=1000,
+            group_name="git",
+            user_create=True
+        ),
     )
     for os_version in ALL_NONBASE_OS_VERSIONS
 ]
diff --git a/src/bci_build/package/helm.py b/src/bci_build/package/helm.py
@@ -5,6 +5,9 @@
 from bci_build.os_version import ALL_NONBASE_OS_VERSIONS
 from bci_build.os_version import CAN_BE_LATEST_OS_VERSION
 from bci_build.package import ApplicationStackContainer
+from bci_build.package import ParseVersion
+from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import format_version
@@ -36,7 +39,15 @@
         package_list=[
             "ca-certificates-mozilla",
             "helm",
+            "shadow",
         ],
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="helm",
+            group_id=1000,
+            group_name="helm",
+            user_create=True
+        ),
         replacements_via_service=[
             Replacement(
                 regex_in_build_description="%%helm_version%%",
diff --git a/src/bci_build/package/kubectl.py b/src/bci_build/package/kubectl.py
@@ -5,6 +5,9 @@
 from bci_build.os_version import CAN_BE_LATEST_OS_VERSION
 from bci_build.os_version import OsVersion
 from bci_build.package import ApplicationStackContainer
+from bci_build.package import ParseVersion
+from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.replacement import Replacement
 from bci_build.util import ParseVersion
@@ -61,7 +64,14 @@ def _get_kubectl_stability_tag(version: str, os_version: OsVersion) -> str | Non
                 parse_version=ParseVersion.PATCH,
             )
         ],
-        package_list=[f"kubernetes{ver}-client"],
+        package_list=[f"kubernetes{ver}-client", "shadow"],
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="kubectl",
+            group_id=1000,
+            group_name="kubectl",
+            user_create=True
+        ),
         entrypoint=["kubectl"],
         license="Apache-2.0",
         support_level=SupportLevel.L3,
diff --git a/src/bci_build/package/samba.py b/src/bci_build/package/samba.py
@@ -9,6 +9,9 @@
 from bci_build.package import DOCKERFILE_RUN
 from bci_build.package import ApplicationStackContainer
 from bci_build.package import OsVersion
+from bci_build.package import ParseVersion
+from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import get_pkg_version
@@ -121,7 +124,15 @@
         license="GPL-3.0-or-later",
         package_list=[
             "samba-client",
+            "shadow"
         ],
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="smbc",
+            group_id=1000,
+            group_name="smbc",
+            user_create=True
+        ),
     )
 
     toolbox = ApplicationStackContainer(
@@ -149,9 +160,17 @@
         package_list=[
             "samba-client",
             "tdb-tools",
+            "shadow",
         ]
         # FIXME: unavailable on SLES
         + (["samba-test"] if os_version.is_tumbleweed else []),
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="smbc",
+            group_id=1000,
+            group_name="smbc",
+            user_create=True
+        ),
     )
 
     SAMBA_SERVER_CONTAINERS.append(srv)
diff --git a/src/bci_build/templates.py b/src/bci_build/templates.py
@@ -55,13 +55,19 @@
     {% endif -%} zypper -n {%- if image.from_target_image %} --installroot /target --gpg-auto-import-keys {%- endif %} install {% if image.no_recommends %}--no-recommends {% endif %}{{ image.packages }}{%- if image.packages_to_delete %}; \\
     zypper -n {%- if image.from_target_image %} --installroot /target {%- endif %} remove {{ image.packages_to_delete }}{%- endif %}
 {%- endif %}
-{%- if image.user_chown %}
+{%- if image.user_chown and not image.user_chown.user_create%}
 # changing user id and group id created by package installation to stable values
 {{ DOCKERFILE_RUN }} \\
     {% if image.from_target_image %}chroot /target {% endif %}chown -R --from={{ image.user_chown.user_name }}:{{ image.user_chown.group_name }} {{ image.user_chown.user_id }}:{{ image.user_chown.group_id }} /; \\
     groupmod {% if image.from_target_image %}-R /target {% endif %}-g {{ image.user_chown.group_id }} {{ image.user_chown.group_name }}; \\
     usermod {% if image.from_target_image %}-R /target {% endif %}-u {{ image.user_chown.user_id }} {{ image.user_chown.user_name }}
 {%- endif %}
+{%- if image.user_chown and image.user_chown.user_create%}
+# create the user and group with the given ids
+{{ DOCKERFILE_RUN }} \\
+    groupadd {% if image.from_target_image %}-R /target {% endif %}-g {{ image.user_chown.group_id }} -r {{ image.user_chown.group_name }}; \\
+    useradd {% if image.from_target_image %}-R /target {% endif %}-u {{ image.user_chown.user_id }} -g {{ image.user_chown.group_id }} -m -r -s /bin/bash {{ image.user_chown.user_name }}
+{%- endif %}
 {%- if image.build_stage_custom_end %}
 {{ image.build_stage_custom_end }}
 {%- endif %}
