Remove NONROOT_USER, better support for rootless environment

Author: Bronek

.github/workflows/debian.yml

@@ -12,7 +12,6 @@ env:
   BUILDKIT_PROGRESS: plain
   CONAN_VERSION: 2.18.0
   GCOVR_VERSION: 8.3
-  NONROOT_USER: ci
   FALLBACK_GCC: 12
   FALLBACK_CLANG: 16
 
@@ -103,7 +102,6 @@ jobs:
             CONAN_VERSION=${{ env.CONAN_VERSION }}
             GCC_VERSION=${{ matrix.os.compiler_name == 'gcc' && matrix.os.compiler_version || env.FALLBACK_GCC }}
             GCOVR_VERSION=${{ env.GCOVR_VERSION }}
-            NONROOT_USER=${{ env.NONROOT_USER }}
             DEBIAN_VERSION=${{ matrix.os.release }}
           context: .
           file: docker/debian/Dockerfile

.github/workflows/rhel.yml

@@ -13,7 +13,6 @@ env:
   BUILDKIT_PROGRESS: plain
   CONAN_VERSION: 2.18.0
   GCOVR_VERSION: 8.3
-  NONROOT_USER: ci
 
 jobs:
   # Build the Docker image for Red Hat Enterprise Linux using different versions
@@ -93,7 +92,6 @@ jobs:
             CONAN_VERSION=${{ env.CONAN_VERSION }}
             GCC_VERSION=${{ matrix.os.compiler_version }}
             GCOVR_VERSION=${{ env.GCOVR_VERSION }}
-            NONROOT_USER=${{ env.NONROOT_USER }}
             RHEL_VERSION=${{ matrix.os.release }}
           context: .
           file: docker/rhel/Dockerfile

.github/workflows/tools-rippled.yml

@@ -11,7 +11,6 @@ env:
   BUILDKIT_PROGRESS: plain
   CLANG_FORMAT_VERSION: 18.1.8
   PRE_COMMIT_VERSION: 4.2.0
-  NONROOT_USER: ci
   UBUNTU_VERSION: noble
 
 jobs:
@@ -72,7 +71,6 @@ jobs:
           build-args: |
             BUILDKIT_DOCKERFILE_CHECK=skip=InvalidDefaultArgInFrom
             BUILDKIT_INLINE_CACHE=1
-            NONROOT_USER=${{ env.NONROOT_USER }}
             UBUNTU_VERSION=${{ env.UBUNTU_VERSION }}
             CLANG_FORMAT_VERSION=${{ env.CLANG_FORMAT_VERSION }}
             PRE_COMMIT_VERSION=${{ env.PRE_COMMIT_VERSION }}

.github/workflows/ubuntu.yml

@@ -12,7 +12,6 @@ env:
   BUILDKIT_PROGRESS: plain
   CONAN_VERSION: 2.18.0
   GCOVR_VERSION: 8.3
-  NONROOT_USER: ci
   FALLBACK_GCC: 12
   FALLBACK_CLANG: 16
 
@@ -101,7 +100,6 @@ jobs:
             CONAN_VERSION=${{ env.CONAN_VERSION }}
             GCC_VERSION=${{ matrix.os.compiler_name == 'gcc' && matrix.os.compiler_version || env.FALLBACK_GCC }}
             GCOVR_VERSION=${{ env.GCOVR_VERSION }}
-            NONROOT_USER=${{ env.NONROOT_USER }}
             UBUNTU_VERSION=${{ matrix.os.release }}
           context: .
           file: docker/ubuntu/Dockerfile

docker/debian/Dockerfile

@@ -65,10 +65,6 @@ ENV PIPX_HOME=/opt/pipx \
 RUN pipx install --pip-args='--no-cache' conan==${CONAN_VERSION} && \
     pipx install --pip-args='--no-cache' gcovr==${GCOVR_VERSION}
 
-# Create the user to switch to, once all packages have been installed.
-ARG NONROOT_USER
-RUN useradd -ms /bin/bash ${NONROOT_USER}
-
 # ====================== GCC IMAGE ======================
 FROM base AS gcc
 
@@ -120,9 +116,7 @@ if [[ "${CXX_VER}" != "${GCC_VERSION}" ]]; then
 fi
 EOF
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}
 
 # Set Conan home directory, so the users of this image can find default profile
@@ -195,9 +189,7 @@ if [[ "${CXX_VER}" != "${CLANG_VERSION}" ]]; then
 fi
 EOF
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}
 
 # Set Conan home directory, so the users of this image can find default profile

docker/debian/README.md

@@ -37,7 +37,6 @@ Ensure you've run the login command above to authenticate with the Docker
 registry.
 
 ```shell
-NONROOT_USER=${USER}
 DEBIAN_VERSION=bookworm
 GCC_VERSION=12
 CONAN_VERSION=2.18.0
@@ -53,7 +52,6 @@ docker buildx build . \
   --build-arg DEBIAN_VERSION=${DEBIAN_VERSION} \
   --build-arg GCC_VERSION=${GCC_VERSION} \
   --build-arg GCOVR_VERSION=${GCOVR_VERSION} \
-  --build-arg NONROOT_USER=${NONROOT_USER} \
   --tag ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
 
@@ -63,7 +61,6 @@ Ensure you've run the login command above to authenticate with the Docker
 registry.
 
 ```shell
-NONROOT_USER=${USER}
 DEBIAN_VERSION=bookworm
 CLANG_VERSION=17
 CONAN_VERSION=2.18.0
@@ -79,7 +76,6 @@ docker buildx build . \
   --build-arg CONAN_VERSION=${CONAN_VERSION} \
   --build-arg DEBIAN_VERSION=${DEBIAN_VERSION} \
   --build-arg GCOVR_VERSION=${GCOVR_VERSION} \
-  --build-arg NONROOT_USER=${NONROOT_USER} \
   --tag ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
 
@@ -90,30 +86,17 @@ can do so with the following command:
 
 ```shell
 CODEBASE=<path to the rippled repository>
-docker run --rm -it -v ${CODEBASE}:/rippled ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
+docker run --user $(id -u):$(id -g) --rm -it -v ${CODEBASE}:/rippled ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
 
-Once inside the container you can run the following commands to build `rippled`:
+Note, the above command will assume the identity of the current user in the newly created Docker container.
+**This might be exploited by other users with access to the same host (docker instance)**.
 
-```shell
-BUILD_TYPE=Debug
-cd /rippled
-# Remove any existing data from previous builds on the host machine.
-rm -rf CMakeCache.txt CMakeFiles build || true
-# Install dependencies via Conan.
-conan install . --build missing --settings build_type=${BUILD_TYPE} \
-  -o xrpld=True -o tests=True -o unity=True
-# Configure the build with CMake.
-cd build
-cmake -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake \
-      -DCMAKE_BUILD_TYPE=${BUILD_TYPE} ..
-# Build and test rippled. Setting the parallelism too high, e.g. to $(nproc),
-# can result in an error like "gmake[2]: ...... Killed".
-PARALLELISM=2
-cmake --build . -j ${PARALLELISM}
-./rippled --unittest --unittest-jobs ${PARALLELISM}
-```
-```
+The recommended practice is to run Docker in [rootless mode](https://docs.docker.com/engine/security/rootless/),
+or use alternative container runtime such as [podman](https://docs.podman.io/en/latest/) which
+support [rootless environment](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md).
+This will have similar effect as `--user $(id -u):$(id -g)` (making this option redundant and invalid),
+while also securiting the container from other users on the same host.
 
 #### Pushing the Docker image to the GitHub registry
 

docker/rhel/Dockerfile

@@ -38,10 +38,6 @@ ARG CONAN_VERSION
 ARG GCOVR_VERSION
 RUN pip install --no-cache conan==${CONAN_VERSION} gcovr==${GCOVR_VERSION}
 
-# Create the user to switch to, once all packages have been installed.
-ARG NONROOT_USER
-RUN useradd -ms /bin/bash ${NONROOT_USER}
-
 # ====================== GCC IMAGE ======================
 FROM base AS gcc
 
@@ -83,9 +79,7 @@ if [[ "${CXX_VER}" != "${GCC_VERSION}" ]]; then
 fi
 EOF
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}
 
 # Set Conan home directory, so the users of this image can find default profile
@@ -166,9 +160,7 @@ if [[ ${CXX_VER} -lt ${MINIMUM_CLANG_VERSION} ]]; then
 fi
 EOF
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}
 
 # Set Conan home directory, so the users of this image can find default profile

docker/rhel/README.md

@@ -56,7 +56,6 @@ Ensure you've run the login command above to authenticate with the Docker
 registry.
 
 ```shell
-NONROOT_USER=${USER}
 RHEL_VERSION=9.6
 GCC_VERSION=13
 CONAN_VERSION=2.18.0
@@ -71,7 +70,6 @@ docker buildx build . \
   --build-arg CONAN_VERSION=${CONAN_VERSION} \
   --build-arg GCC_VERSION=${GCC_VERSION} \
   --build-arg GCOVR_VERSION=${GCOVR_VERSION} \
-  --build-arg NONROOT_USER=${NONROOT_USER} \
   --build-arg RHEL_VERSION=${RHEL_VERSION} \
   --tag ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
@@ -82,7 +80,6 @@ Ensure you've run the login command above to authenticate with the Docker
 registry.
 
 ```shell
-NONROOT_USER=${USER}
 RHEL_VERSION=9.6
 CONAN_VERSION=2.18.0
 GCOVR_VERSION=8.3
@@ -95,7 +92,6 @@ docker buildx build . \
   --build-arg BUILDKIT_INLINE_CACHE=1 \
   --build-arg CONAN_VERSION=${CONAN_VERSION} \
   --build-arg GCOVR_VERSION=${GCOVR_VERSION} \
-  --build-arg NONROOT_USER=${NONROOT_USER} \
   --build-arg RHEL_VERSION=${RHEL_VERSION} \
   --tag ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
@@ -107,29 +103,17 @@ can do so with the following command:
 
 ```shell
 CODEBASE=<path to the rippled repository>
-docker run --rm -it -v ${CODEBASE}:/rippled ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
+docker run --user $(id -u):$(id -g) --rm -it -v ${CODEBASE}:/rippled ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
 
-Once inside the container you can run the following commands to build `rippled`:
+Note, the above command will assume the identity of the current user in the newly created Docker container.
+**This might be exploited by other users with access to the same host (docker instance)**.
 
-```shell
-BUILD_TYPE=Debug
-cd /rippled
-# Remove any existing data from previous builds on the host machine.
-rm -rf CMakeCache.txt CMakeFiles build || true
-# Install dependencies via Conan.
-conan install . --build missing --settings build_type=${BUILD_TYPE} \
-  -o xrpld=True -o tests=True -o unity=True
-# Configure the build with CMake.
-cd build
-cmake -DCMAKE_TOOLCHAIN_FILE:FILEPATH=build/generators/conan_toolchain.cmake \
-      -DCMAKE_BUILD_TYPE=${BUILD_TYPE} ..
-# Build and test rippled. Setting the parallelism too high, e.g. to $(nproc),
-# can result in an error like "gmake[2]: ...... Killed".
-PARALLELISM=2
-cmake --build . -j ${PARALLELISM}
-./rippled --unittest --unittest-jobs ${PARALLELISM}
-```
+The recommended practice is to run Docker in [rootless mode](https://docs.docker.com/engine/security/rootless/),
+or use alternative container runtime such as [podman](https://docs.podman.io/en/latest/) which
+support [rootless environment](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md).
+This will have similar effect as `--user $(id -u):$(id -g)` (making this option redundant and invalid),
+while also securiting the container from other users on the same host.
 
 #### Pushing the Docker image to the GitHub registry
 

docker/tools-rippled/Dockerfile

@@ -42,10 +42,6 @@ ENV PIPX_HOME=/opt/pipx \
     PIPX_BIN_DIR=/usr/bin \
     PIPX_MAN_DIR=/usr/share/man
 
-# Create the user to switch to, once all packages have been installed.
-ARG NONROOT_USER
-RUN useradd -ms /bin/bash ${NONROOT_USER}
-
 # ====================== clang-format IMAGE ======================
 # Note, we do not install a compiler here.
 
@@ -57,7 +53,5 @@ ARG PRE_COMMIT_VERSION
 RUN pipx install --pip-args='--no-cache' clang-format==${CLANG_FORMAT_VERSION} && \
     pipx install --pip-args='--no-cache' pre-commit==${PRE_COMMIT_VERSION}
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}

docker/tools-rippled/README.md

@@ -39,7 +39,6 @@ Ensure you've run the login command above to authenticate with the Docker
 registry.
 
 ```shell
-NONROOT_USER=${USER}
 UBUNTU_VERSION=noble
 CLANG_FORMAT_VERSION=18.1.8
 PRE_COMMIT_VERSION=4.2.0
@@ -51,7 +50,6 @@ docker buildx build . \
   --build-arg BUILDKIT_INLINE_CACHE=1 \
   --build-arg CLANG_FORMAT_VERSION=${CLANG_FORMAT_VERSION} \
   --build-arg PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION} \
-  --build-arg NONROOT_USER=${NONROOT_USER} \
   --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} \
   --tag ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```