Run container image as non-root user by default. #288

Open: r-xyz wants to merge 9 commits into usnistgov:master from r-xyz:non-root-docker
Conversation

r-xyz (Contributor) commented Apr 15, 2025

This PR introduces a rootless Docker image as the default.

After installing additional pip packages, the container will adjust the required permissions and run both django-admin and gunicorn commands as user `nemo:nemo`.
UID and GID are 963 by default, but can be set using the Docker environment variables `PUID` and `GUID`, without needing to recompile the image.

The same changes can be ported to the splash_pad image, though it will also require defining logging to a different file than /var/log/journal.

Running as non-root should have no drawback in functionality, since I had already been running rootless instances with custom-built images. This PR will simplify non-root usage and make it the default for all users, adding an extra security layer.

If really required for backward compatibility or troubleshooting, setting `PUID`/`GUID` to 0/0 will run as root:root.

r-xyz (Contributor, Author) commented Apr 16, 2025

If another default uid:gid is preferred, please let me know or feel free to change it.

r-xyz (Contributor, Author) commented Apr 19, 2025

Made some improvements.
The logic is simpler now, and the commands no longer break Docker's SIGINT/SIGKILL signaling to child processes.
Bonus: I also fixed splash_pad's broken signaling to child processes.
Unless I missed anything, I think it should be ready to merge.

rptmat57 (Contributor) commented May 5, 2025

Hi and thank you for this.

A few questions I have while I am trying to understand this:

  1. Is it possible to have an option to keep running as root so the transition is easier?
  2. Is the reason why you didn't use the `USER` Docker statement that you needed to be able to install extra packages in start_NEMO_in_docker before starting gunicorn?
  3. If I do `docker exec -it nemo bash`, will I be logged in as root or as the nemo user?
  4. Is it just NEMO that is started as the nemo user, while everything else in the container still runs as root?
  5. Will log files, media files, etc. be created as root or as the nemo user?

r-xyz (Contributor, Author) commented May 5, 2025

Hi Mathieu,
Thanks, and apologies, I could have documented this better, since it is a feature which requires additional settings/procedure for transitioning. I was planning to update the wiki afterwards.

  1. If you define the Docker environment variables `PUID=0` and `PGID=0`, the nemo user and group will basically become aliases of root inside the container, so the container will still run as root:root in that case.
  2. Correct. This way the container is still technically run as root, but privileges are dropped to the nemo user (`PUID`) for all commands not requiring root privileges. See the Dockerfiles: all django-admin and gunicorn commands are now run inside a `su -u nemo -c`. With only a `USER` statement, the initial commands would fail due to incorrect privileges, and everything under /nemo would need to be owned by the nemo user.
  3. This point is important for migrations (I think of systemd timers). `docker exec -it nemo bash` will run as root; for a full rootless setup (and to avoid permission conflicts), you need to also replace the command with the one below:
    -docker exec -it nemo django-admin ...
    +docker exec -u nemo -it nemo django-admin ...
  4. As commented in #2, only collect static files, run migrations, and start NEMO are run as the nemo user. All preceding lines are run as root.
  5. Same as above: all files will be created as `PUID:PGID`.

Warning

On container startup, anything mounted under /nemo will have its owner changed to nemo:nemo (`PUID:PGID`) at run time. This is to avoid NEMO failing to start due to permission issues and to simplify the transition, but it might have side effects on complex/custom system setups.

Alternatively, we can remove the runtime ownership change and leave it to the admin to change the ownership of /nemo files manually.
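An added example (not the PR's own entrypoint) of the start-up behaviour described in point 2 and the warning above: the nemo account is remapped to `PUID`/`PGID` at run time, ownership under /nemo is fixed, and the service is then exec'd under the dropped privileges so Docker's signals reach it directly. `APP_USER`, `APP_DIR` and the use of util-linux `setpriv` instead of `su -c` are assumptions, not the project's choices.

```shell
#!/bin/sh
# Added example entrypoint (not the PR's own): remap the image's nemo account to
# PUID/PGID at start-up (default 963:963; 0:0 keeps root, as the PR describes),
# fix ownership under /nemo, then exec the service so Docker's SIGTERM/SIGINT
# reach it directly. APP_USER, APP_DIR and util-linux setpriv are assumptions.
set -eu

APP_USER="${APP_USER:-nemo}"
APP_DIR="${APP_DIR:-/nemo}"

# True when $1 is a non-negative decimal integer; rejects "", "-1" and "96x".
is_uint() { case "$1" in ''|*[!0-9]*) return 1 ;; *) return 0 ;; esac; }

# Print VALUE if it is a valid id, DEFAULT if VALUE is empty, fail otherwise.
resolve_id() {                        # usage: resolve_id VALUE DEFAULT
  if [ -z "$1" ]; then printf '%s\n' "$2"; return 0; fi
  is_uint "$1" || { printf 'invalid id: %s\n' "$1" >&2; return 1; }
  printf '%s\n' "$1"
}

# Privilege-dropping prefix for the service command. 0:0 means stay root;
# otherwise setpriv replaces the current process instead of forking a child
# the way `su -c` does, so signal delivery to gunicorn is unchanged.
drop_privs_prefix() {                 # usage: drop_privs_prefix PUID PGID
  if [ "$1" -eq 0 ] && [ "$2" -eq 0 ]; then
    printf '\n'
  else
    printf 'setpriv --reuid=%s --regid=%s --clear-groups\n' "$1" "$2"
  fi
}

main() {
  PUID=$(resolve_id "${PUID:-}" 963)
  PGID=$(resolve_id "${PGID:-}" 963)
  if [ "$PUID" -ne 0 ] || [ "$PGID" -ne 0 ]; then
    # Still root here: remap the account (-o allows an id already in use) and
    # chown bind mounts so migrations, static files and media need no root.
    groupmod -o -g "$PGID" "$APP_USER"
    usermod -o -u "$PUID" -g "$PGID" "$APP_USER"
    chown -R "$PUID:$PGID" "$APP_DIR"
  fi
  # Word splitting of the prefix is intended; an empty prefix execs "$@" as root.
  # shellcheck disable=SC2046
  exec $(drop_privs_prefix "$PUID" "$PGID") "$@"
}

# Only act when given a command to run (ENTRYPOINT ["/entrypoint.sh"], CMD [...]).
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Invoked as `entrypoint.sh gunicorn ...` from the Dockerfile's ENTRYPOINT/CMD, it performs the root-only setup and then replaces itself with the service under the requested ids, so `docker run -e PUID=1000 -e PGID=1000 ...` needs no image rebuild.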

Review comment on Dockerfile, lines +33 to +34:

    RUN addgroup --system --gid 963 nemo && \
        adduser --system --home /home/nemo --shell /usr/bin/bash --gid 963 --uid 963 --comment "NEMO user" nemo
Contributor: Is there a reason why we cannot define the PGID and PUID here as ENV and then use them with adduser and addgroup?
