create non-root users for containers

rcmadhankumar · rcmadhankumar · commit fab916b42aad · 2025-10-07T14:05:30.000+05:30
diff --git a/src/bci_build/package/__init__.py b/src/bci_build/package/__init__.py
@@ -82,7 +82,6 @@ class ParseVersion(enum.StrEnum):
     PATCH_UPDATE = enum.auto()
     OFFSET = enum.auto()
 
-
 @dataclass
 class StableUser:
     """Data class that stores information about stable user and group
@@ -97,7 +96,8 @@ class StableUser:
     group_name: str
     # id of the group
     group_id: int
-
+    # boolean flag that checks if user needs to be created
+    user_create: bool = False
 
 @dataclass
 class Replacement:
diff --git a/src/bci_build/package/git.py b/src/bci_build/package/git.py
@@ -4,6 +4,7 @@
 from bci_build.os_version import ALL_NONBASE_OS_VERSIONS
 from bci_build.os_version import CAN_BE_LATEST_OS_VERSION
 from bci_build.package import ApplicationStackContainer
+from bci_build.package import StableUser
 from bci_build.package import ParseVersion
 from bci_build.package import Replacement
 from bci_build.package.helpers import generate_from_image_tag
@@ -39,13 +40,22 @@
             ),
         ],
         license="GPL-2.0-only",
+        
         package_list=[
             "git-core",
             "openssh-clients",
+            "shadow"
         ],
         build_stage_custom_end=generate_package_version_check(
             "git-core", git_version, ParseVersion.MINOR, use_target=True
         ),
+        user_chown=StableUser(
+            user_id=1000,
+            user_name="git",
+            group_id=1000,
+            group_name="git",
+            user_create=True
+        ),
     )
     for os_version in ALL_NONBASE_OS_VERSIONS
 ]
diff --git a/src/bci_build/templates.py b/src/bci_build/templates.py
@@ -55,13 +55,19 @@
     {% endif -%} zypper -n {%- if image.from_target_image %} --installroot /target --gpg-auto-import-keys {%- endif %} install {% if image.no_recommends %}--no-recommends {% endif %}{{ image.packages }}{%- if image.packages_to_delete %}; \\
     zypper -n {%- if image.from_target_image %} --installroot /target {%- endif %} remove {{ image.packages_to_delete }}{%- endif %}
 {%- endif %}
-{%- if image.user_chown %}
+{%- if image.user_chown and not image.user_chown.user_create%}
 # changing user id and group id created by package installation to stable values
 {{ DOCKERFILE_RUN }} \\
     {% if image.from_target_image %}chroot /target {% endif %}chown -R --from={{ image.user_chown.user_name }}:{{ image.user_chown.group_name }} {{ image.user_chown.user_id }}:{{ image.user_chown.group_id }} /; \\
     groupmod {% if image.from_target_image %}-R /target {% endif %}-g {{ image.user_chown.group_id }} {{ image.user_chown.group_name }}; \\
     usermod {% if image.from_target_image %}-R /target {% endif %}-u {{ image.user_chown.user_id }} {{ image.user_chown.user_name }}
 {%- endif %}
+{%- if image.user_chown and image.user_chown.user_create%}
+# create the user and group with the given ids
+{{ DOCKERFILE_RUN }} \\
+    groupadd {% if image.from_target_image %}-R /target {% endif %}-g {{ image.user_chown.group_id }} -r {{ image.user_chown.group_name }}; \\
+    useradd {% if image.from_target_image %}-R /target {% endif %}-u {{ image.user_chown.user_id }} -g {{ image.user_chown.group_id }} -m -r -s /bin/bash {{ image.user_chown.user_name }}
+{%- endif %}
 {%- if image.build_stage_custom_end %}
 {{ image.build_stage_custom_end }}
 {%- endif %}
