Remove NONROOT_USER, add /usr/bin/cc symlink (#16)

Bronek · web-flow · commit e834dd5f65fb · 2025-07-22T14:56:03.000+01:00
diff --git a/.github/workflows/debian.yml b/.github/workflows/debian.yml
@@ -12,7 +12,6 @@ env:
   BUILDKIT_PROGRESS: plain
   CONAN_VERSION: 2.18.0
   GCOVR_VERSION: 8.3
-  NONROOT_USER: ci
   FALLBACK_GCC: 12
   FALLBACK_CLANG: 16
 
@@ -103,7 +102,6 @@ jobs:
             CONAN_VERSION=${{ env.CONAN_VERSION }}
             GCC_VERSION=${{ matrix.os.compiler_name == 'gcc' && matrix.os.compiler_version || env.FALLBACK_GCC }}
             GCOVR_VERSION=${{ env.GCOVR_VERSION }}
-            NONROOT_USER=${{ env.NONROOT_USER }}
             DEBIAN_VERSION=${{ matrix.os.release }}
           context: .
           file: docker/debian/Dockerfile
diff --git a/.github/workflows/rhel.yml b/.github/workflows/rhel.yml
@@ -13,7 +13,6 @@ env:
   BUILDKIT_PROGRESS: plain
   CONAN_VERSION: 2.18.0
   GCOVR_VERSION: 8.3
-  NONROOT_USER: ci
 
 jobs:
   # Build the Docker image for Red Hat Enterprise Linux using different versions
@@ -93,7 +92,6 @@ jobs:
             CONAN_VERSION=${{ env.CONAN_VERSION }}
             GCC_VERSION=${{ matrix.os.compiler_version }}
             GCOVR_VERSION=${{ env.GCOVR_VERSION }}
-            NONROOT_USER=${{ env.NONROOT_USER }}
             RHEL_VERSION=${{ matrix.os.release }}
           context: .
           file: docker/rhel/Dockerfile
diff --git a/.github/workflows/tools-rippled.yml b/.github/workflows/tools-rippled.yml
@@ -11,7 +11,6 @@ env:
   BUILDKIT_PROGRESS: plain
   CLANG_FORMAT_VERSION: 18.1.8
   PRE_COMMIT_VERSION: 4.2.0
-  NONROOT_USER: ci
   UBUNTU_VERSION: noble
 
 jobs:
@@ -72,7 +71,6 @@ jobs:
           build-args: |
             BUILDKIT_DOCKERFILE_CHECK=skip=InvalidDefaultArgInFrom
             BUILDKIT_INLINE_CACHE=1
-            NONROOT_USER=${{ env.NONROOT_USER }}
             UBUNTU_VERSION=${{ env.UBUNTU_VERSION }}
             CLANG_FORMAT_VERSION=${{ env.CLANG_FORMAT_VERSION }}
             PRE_COMMIT_VERSION=${{ env.PRE_COMMIT_VERSION }}
diff --git a/.github/workflows/ubuntu.yml b/.github/workflows/ubuntu.yml
@@ -12,7 +12,6 @@ env:
   BUILDKIT_PROGRESS: plain
   CONAN_VERSION: 2.18.0
   GCOVR_VERSION: 8.3
-  NONROOT_USER: ci
   FALLBACK_GCC: 12
   FALLBACK_CLANG: 16
 
@@ -101,7 +100,6 @@ jobs:
             CONAN_VERSION=${{ env.CONAN_VERSION }}
             GCC_VERSION=${{ matrix.os.compiler_name == 'gcc' && matrix.os.compiler_version || env.FALLBACK_GCC }}
             GCOVR_VERSION=${{ env.GCOVR_VERSION }}
-            NONROOT_USER=${{ env.NONROOT_USER }}
             UBUNTU_VERSION=${{ matrix.os.release }}
           context: .
           file: docker/ubuntu/Dockerfile
diff --git a/docker/debian/Dockerfile b/docker/debian/Dockerfile
@@ -65,10 +65,6 @@ ENV PIPX_HOME=/opt/pipx \
 RUN pipx install --pip-args='--no-cache' conan==${CONAN_VERSION} && \
     pipx install --pip-args='--no-cache' gcovr==${GCOVR_VERSION}
 
-# Create the user to switch to, once all packages have been installed.
-ARG NONROOT_USER
-RUN useradd -ms /bin/bash ${NONROOT_USER}
-
 # ====================== GCC IMAGE ======================
 FROM base AS gcc
 
@@ -120,9 +116,7 @@ if [[ "${CXX_VER}" != "${GCC_VERSION}" ]]; then
 fi
 EOF
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}
 
 # Set Conan home directory, so the users of this image can find default profile
@@ -176,6 +170,8 @@ rm -rf /var/lib/apt/lists/*
 EOF
 ENV CC=/usr/bin/clang-${CLANG_VERSION}
 ENV CXX=/usr/bin/clang++-${CLANG_VERSION}
+# This is required by some build dependencies
+RUN update-alternatives --install /usr/bin/cc cc $CC 999
 
 # Check that the installed Clang version matches the expected version.
 RUN <<EOF
@@ -193,9 +189,7 @@ if [[ "${CXX_VER}" != "${CLANG_VERSION}" ]]; then
 fi
 EOF
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}
 
 # Set Conan home directory, so the users of this image can find default profile
diff --git a/docker/debian/README.md b/docker/debian/README.md
@@ -37,7 +37,6 @@ Ensure you've run the login command above to authenticate with the Docker
 registry.
 
 ```shell
-NONROOT_USER=${USER}
 DEBIAN_VERSION=bookworm
 GCC_VERSION=12
 CONAN_VERSION=2.18.0
@@ -53,7 +52,6 @@ docker buildx build . \
   --build-arg DEBIAN_VERSION=${DEBIAN_VERSION} \
   --build-arg GCC_VERSION=${GCC_VERSION} \
   --build-arg GCOVR_VERSION=${GCOVR_VERSION} \
-  --build-arg NONROOT_USER=${NONROOT_USER} \
   --tag ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
 
@@ -63,7 +61,6 @@ Ensure you've run the login command above to authenticate with the Docker
 registry.
 
 ```shell
-NONROOT_USER=${USER}
 DEBIAN_VERSION=bookworm
 CLANG_VERSION=17
 CONAN_VERSION=2.18.0
@@ -79,7 +76,6 @@ docker buildx build . \
   --build-arg CONAN_VERSION=${CONAN_VERSION} \
   --build-arg DEBIAN_VERSION=${DEBIAN_VERSION} \
   --build-arg GCOVR_VERSION=${GCOVR_VERSION} \
-  --build-arg NONROOT_USER=${NONROOT_USER} \
   --tag ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
 
@@ -90,9 +86,18 @@ can do so with the following command:
 
 ```shell
 CODEBASE=<path to the rippled repository>
-docker run --rm -it -v ${CODEBASE}:/rippled ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
+docker run --user $(id -u):$(id -g) --rm -it -v ${CODEBASE}:/rippled ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
 
+Note, the above command will assume the identity of the current user in the newly created Docker container.
+**This might be exploited by other users with access to the same host (docker instance)**.
+
+The recommended practice is to run Docker in [rootless mode](https://docs.docker.com/engine/security/rootless/),
+or use alternative container runtime such as [podman](https://docs.podman.io/en/latest/) which
+support [rootless environment](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md).
+This will have similar effect as `--user $(id -u):$(id -g)` (making this option redundant and invalid),
+while also securing the container from other users on the same host.
+
 Once inside the container you can run the following commands to build `rippled`:
 
 ```shell
@@ -113,7 +118,6 @@ PARALLELISM=2
 cmake --build . -j ${PARALLELISM}
 ./rippled --unittest --unittest-jobs ${PARALLELISM}
 ```
-```
 
 #### Pushing the Docker image to the GitHub registry
 
diff --git a/docker/rhel/Dockerfile b/docker/rhel/Dockerfile
@@ -38,10 +38,6 @@ ARG CONAN_VERSION
 ARG GCOVR_VERSION
 RUN pip install --no-cache conan==${CONAN_VERSION} gcovr==${GCOVR_VERSION}
 
-# Create the user to switch to, once all packages have been installed.
-ARG NONROOT_USER
-RUN useradd -ms /bin/bash ${NONROOT_USER}
-
 # ====================== GCC IMAGE ======================
 FROM base AS gcc
 
@@ -56,6 +52,7 @@ dnf remove -y gcc gcc-c++
 dnf install -y --setopt=tsflags=nodocs gcc-toolset-${GCC_VERSION}-gcc gcc-toolset-${GCC_VERSION}-gcc-c++
 dnf clean -y all
 rm -rf /var/cache/dnf/*
+update-alternatives --install /usr/bin/cc cc /opt/rh/gcc-toolset-${GCC_VERSION}/root/usr/bin/gcc 999
 update-alternatives \
     --install /usr/bin/gcc gcc /opt/rh/gcc-toolset-${GCC_VERSION}/root/usr/bin/gcc ${GCC_VERSION} \
     --slave /usr/bin/g++ g++ /opt/rh/gcc-toolset-${GCC_VERSION}/root/usr/bin/g++ \
@@ -83,9 +80,7 @@ if [[ "${CXX_VER}" != "${GCC_VERSION}" ]]; then
 fi
 EOF
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}
 
 # Set Conan home directory, so the users of this image can find default profile
@@ -147,6 +142,8 @@ rm -rf /var/cache/dnf/*
 EOF
 ENV CC=/usr/bin/clang
 ENV CXX=/usr/bin/clang++
+# This is required by some build dependencies
+RUN update-alternatives --install /usr/bin/cc cc $CC 999
 
 # Check that the installed Clang version is not older than the minimum required.
 ARG MINIMUM_CLANG_VERSION=16
@@ -165,9 +162,7 @@ if [[ ${CXX_VER} -lt ${MINIMUM_CLANG_VERSION} ]]; then
 fi
 EOF
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}
 
 # Set Conan home directory, so the users of this image can find default profile
diff --git a/docker/rhel/README.md b/docker/rhel/README.md
@@ -56,7 +56,6 @@ Ensure you've run the login command above to authenticate with the Docker
 registry.
 
 ```shell
-NONROOT_USER=${USER}
 RHEL_VERSION=9.6
 GCC_VERSION=13
 CONAN_VERSION=2.18.0
@@ -71,7 +70,6 @@ docker buildx build . \
   --build-arg CONAN_VERSION=${CONAN_VERSION} \
   --build-arg GCC_VERSION=${GCC_VERSION} \
   --build-arg GCOVR_VERSION=${GCOVR_VERSION} \
-  --build-arg NONROOT_USER=${NONROOT_USER} \
   --build-arg RHEL_VERSION=${RHEL_VERSION} \
   --tag ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
@@ -82,7 +80,6 @@ Ensure you've run the login command above to authenticate with the Docker
 registry.
 
 ```shell
-NONROOT_USER=${USER}
 RHEL_VERSION=9.6
 CONAN_VERSION=2.18.0
 GCOVR_VERSION=8.3
@@ -95,7 +92,6 @@ docker buildx build . \
   --build-arg BUILDKIT_INLINE_CACHE=1 \
   --build-arg CONAN_VERSION=${CONAN_VERSION} \
   --build-arg GCOVR_VERSION=${GCOVR_VERSION} \
-  --build-arg NONROOT_USER=${NONROOT_USER} \
   --build-arg RHEL_VERSION=${RHEL_VERSION} \
   --tag ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
@@ -107,9 +103,18 @@ can do so with the following command:
 
 ```shell
 CODEBASE=<path to the rippled repository>
-docker run --rm -it -v ${CODEBASE}:/rippled ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
+docker run --user $(id -u):$(id -g) --rm -it -v ${CODEBASE}:/rippled ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
 
+Note, the above command will assume the identity of the current user in the newly created Docker container.
+**This might be exploited by other users with access to the same host (docker instance)**.
+
+The recommended practice is to run Docker in [rootless mode](https://docs.docker.com/engine/security/rootless/),
+or use alternative container runtime such as [podman](https://docs.podman.io/en/latest/) which
+support [rootless environment](https://github.com/containers/podman/blob/main/docs/tutorials/rootless_tutorial.md).
+This will have similar effect as `--user $(id -u):$(id -g)` (making this option redundant and invalid),
+while also securing the container from other users on the same host.
+
 Once inside the container you can run the following commands to build `rippled`:
 
 ```shell
diff --git a/docker/tools-rippled/Dockerfile b/docker/tools-rippled/Dockerfile
@@ -42,10 +42,6 @@ ENV PIPX_HOME=/opt/pipx \
     PIPX_BIN_DIR=/usr/bin \
     PIPX_MAN_DIR=/usr/share/man
 
-# Create the user to switch to, once all packages have been installed.
-ARG NONROOT_USER
-RUN useradd -ms /bin/bash ${NONROOT_USER}
-
 # ====================== clang-format IMAGE ======================
 # Note, we do not install a compiler here.
 
@@ -57,7 +53,5 @@ ARG PRE_COMMIT_VERSION
 RUN pipx install --pip-args='--no-cache' clang-format==${CLANG_FORMAT_VERSION} && \
     pipx install --pip-args='--no-cache' pre-commit==${PRE_COMMIT_VERSION}
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}
diff --git a/docker/tools-rippled/README.md b/docker/tools-rippled/README.md
@@ -39,7 +39,6 @@ Ensure you've run the login command above to authenticate with the Docker
 registry.
 
 ```shell
-NONROOT_USER=${USER}
 UBUNTU_VERSION=noble
 CLANG_FORMAT_VERSION=18.1.8
 PRE_COMMIT_VERSION=4.2.0
@@ -51,7 +50,6 @@ docker buildx build . \
   --build-arg BUILDKIT_INLINE_CACHE=1 \
   --build-arg CLANG_FORMAT_VERSION=${CLANG_FORMAT_VERSION} \
   --build-arg PRE_COMMIT_VERSION=${PRE_COMMIT_VERSION} \
-  --build-arg NONROOT_USER=${NONROOT_USER} \
   --build-arg UBUNTU_VERSION=${UBUNTU_VERSION} \
   --tag ${CONTAINER_REGISTRY}/${CONTAINER_IMAGE}
 ```
diff --git a/docker/ubuntu/Dockerfile b/docker/ubuntu/Dockerfile
@@ -54,10 +54,6 @@ ENV PIPX_HOME=/opt/pipx \
 RUN pipx install --pip-args='--no-cache' conan==${CONAN_VERSION} && \
     pipx install --pip-args='--no-cache' gcovr==${GCOVR_VERSION}
 
-# Create the user to switch to, once all packages have been installed.
-ARG NONROOT_USER
-RUN useradd -ms /bin/bash ${NONROOT_USER}
-
 # ====================== GCC IMAGE ======================
 FROM base AS gcc
 
@@ -73,6 +69,7 @@ apt-get install -y --no-install-recommends \
     g++-${GCC_VERSION}
 apt-get clean
 rm -rf /var/lib/apt/lists/*
+update-alternatives --install /usr/bin/cc cc /usr/bin/gcc-${GCC_VERSION} 999
 update-alternatives \
     --install /usr/bin/gcc gcc /usr/bin/gcc-${GCC_VERSION} ${GCC_VERSION} \
     --slave /usr/bin/g++ g++ /usr/bin/g++-${GCC_VERSION} \
@@ -100,9 +97,7 @@ if [[ "${CXX_VER}" != "${GCC_VERSION}" ]]; then
 fi
 EOF
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}
 
 # Set Conan home directory, so the users of this image can find default profile
@@ -169,6 +164,8 @@ rm -rf /var/lib/apt/lists/*
 EOF
 ENV CC=/usr/bin/clang-${CLANG_VERSION}
 ENV CXX=/usr/bin/clang++-${CLANG_VERSION}
+# This is required by some build dependencies
+RUN update-alternatives --install /usr/bin/cc cc $CC 999
 
 # Check that the installed Clang version matches the expected version.
 RUN <<EOF
@@ -186,9 +183,7 @@ if [[ "${CXX_VER}" != "${CLANG_VERSION}" ]]; then
 fi
 EOF
 
-# Switch to the non-root user.
-USER ${NONROOT_USER}
-ENV HOME=/home/${NONROOT_USER}
+ENV HOME=/root
 WORKDIR ${HOME}
 
 # Set Conan home directory, so the users of this image can find default profile
diff --git a/docker/ubuntu/README.md b/docker/ubuntu/README.md
