create non-root users for containers

rcmadhankumar · rcmadhankumar · commit c03e89ac97cb · 2025-10-13T14:11:38.000+05:30
diff --git a/src/bci_build/package/__init__.py b/src/bci_build/package/__init__.py
@@ -82,7 +82,6 @@ class ParseVersion(enum.StrEnum):
     PATCH_UPDATE = enum.auto()
     OFFSET = enum.auto()
 
-
 @dataclass
 class StableUser:
     """Data class that stores information about stable user and group
@@ -97,7 +96,8 @@ class StableUser:
     group_name: str
     # id of the group
     group_id: int
-
+    # boolean flag that checks if user needs to be created
+    user_create: bool = False
 
 @dataclass
 class Replacement:
diff --git a/src/bci_build/package/git.py b/src/bci_build/package/git.py
@@ -6,6 +6,7 @@
 from bci_build.package import ApplicationStackContainer
 from bci_build.package import ParseVersion
 from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import format_version
@@ -42,10 +43,18 @@
         package_list=[
             "git-core",
             "openssh-clients",
+            "shadow"
         ],
         build_stage_custom_end=generate_package_version_check(
             "git-core", git_version, ParseVersion.MINOR, use_target=True
         ),
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="git",
+            group_id=1000,
+            group_name="git",
+            user_create=True
+        ),
     )
     for os_version in ALL_NONBASE_OS_VERSIONS
 ]
diff --git a/src/bci_build/package/helm.py b/src/bci_build/package/helm.py
@@ -7,6 +7,7 @@
 from bci_build.package import ApplicationStackContainer
 from bci_build.package import ParseVersion
 from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import format_version
@@ -36,7 +37,15 @@
         package_list=[
             "ca-certificates-mozilla",
             "helm",
+            "shadow",
         ],
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="helm",
+            group_id=1000,
+            group_name="helm",
+            user_create=True
+        ),
         replacements_via_service=[
             Replacement(
                 regex_in_build_description="%%helm_version%%",
diff --git a/src/bci_build/package/kubectl.py b/src/bci_build/package/kubectl.py
@@ -7,6 +7,7 @@
 from bci_build.package import ApplicationStackContainer
 from bci_build.package import ParseVersion
 from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 
 _KUBECTL_VERSIONS = {
@@ -61,7 +62,14 @@ def _get_kubectl_stability_tag(version: str, os_version: OsVersion) -> str | Non
                 parse_version=ParseVersion.PATCH,
             )
         ],
-        package_list=[f"kubernetes{ver}-client"],
+        package_list=[f"kubernetes{ver}-client", "shadow"],
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="kubectl",
+            group_id=1000,
+            group_name="kubectl",
+            user_create=True
+        ),
         entrypoint=["kubectl"],
         license="Apache-2.0",
         support_level=SupportLevel.L3,
diff --git a/src/bci_build/package/samba.py b/src/bci_build/package/samba.py
@@ -11,6 +11,7 @@
 from bci_build.package import OsVersion
 from bci_build.package import ParseVersion
 from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import get_pkg_version
@@ -121,7 +122,15 @@
         license="GPL-3.0-or-later",
         package_list=[
             "samba-client",
+            "shadow"
         ],
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="smbc",
+            group_id=1000,
+            group_name="smbc",
+            user_create=True
+        ),
     )
 
     toolbox = ApplicationStackContainer(
@@ -149,9 +158,17 @@
         package_list=[
             "samba-client",
             "tdb-tools",
+            "shadow",
         ]
         # FIXME: unavailable on SLES
         + (["samba-test"] if os_version.is_tumbleweed else []),
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="smbc",
+            group_id=1000,
+            group_name="smbc",
+            user_create=True
+        ),
     )
 
     SAMBA_SERVER_CONTAINERS.append(srv)
diff --git a/src/bci_build/templates.py b/src/bci_build/templates.py
@@ -55,13 +55,19 @@
     {% endif -%} zypper -n {%- if image.from_target_image %} --installroot /target --gpg-auto-import-keys {%- endif %} install {% if image.no_recommends %}--no-recommends {% endif %}{{ image.packages }}{%- if image.packages_to_delete %}; \\
     zypper -n {%- if image.from_target_image %} --installroot /target {%- endif %} remove {{ image.packages_to_delete }}{%- endif %}
 {%- endif %}
-{%- if image.user_chown %}
+{%- if image.user_chown and not image.user_chown.user_create%}
 # changing user id and group id created by package installation to stable values
 {{ DOCKERFILE_RUN }} \\
     {% if image.from_target_image %}chroot /target {% endif %}chown -R --from={{ image.user_chown.user_name }}:{{ image.user_chown.group_name }} {{ image.user_chown.user_id }}:{{ image.user_chown.group_id }} /; \\
     groupmod {% if image.from_target_image %}-R /target {% endif %}-g {{ image.user_chown.group_id }} {{ image.user_chown.group_name }}; \\
     usermod {% if image.from_target_image %}-R /target {% endif %}-u {{ image.user_chown.user_id }} {{ image.user_chown.user_name }}
 {%- endif %}
+{%- if image.user_chown and image.user_chown.user_create%}
+# create the user and group with the given ids
+{{ DOCKERFILE_RUN }} \\
+    groupadd {% if image.from_target_image %}-R /target {% endif %}-g {{ image.user_chown.group_id }} -r {{ image.user_chown.group_name }}; \\
+    useradd {% if image.from_target_image %}-R /target {% endif %}-u {{ image.user_chown.user_id }} -g {{ image.user_chown.group_id }} -m -r -s /bin/bash {{ image.user_chown.user_name }}
+{%- endif %}
 {%- if image.build_stage_custom_end %}
 {{ image.build_stage_custom_end }}
 {%- endif %}
