Update base images to allow an arbitrary user to run it

Author: SaschaSchwarze0

.github/workflows/base-images.yaml

@@ -7,16 +7,18 @@ on:
 
 jobs:
   base-image-build:
-    if: ${{ github.repository == 'shipwright-io/build' }}
+    if: ${{ github.event_name == 'workflow_dispatch' || github.repository == 'shipwright-io/build' }}
     runs-on: ubuntu-latest
     strategy:
       fail-fast: false
       matrix:
         image:
+          - base
           - git
           - image-processing
           - waiter
-      max-parallel: 3
+      # We cannot run in parallel because the base image must be built first
+      max-parallel: 1
 
     steps:
       - uses: actions/checkout@v3
@@ -36,4 +38,4 @@ jobs:
         working-directory: images/${{ matrix.image }}
         run: |
           NAMESPACE=$(tr '[:upper:]' '[:lower:]' <<<${{ github.repository_owner }})
-          IMAGE=ghcr.io/${NAMESPACE}/base-${{ matrix.image }} docker buildx bake --push -f ../docker-bake.hcl
+          IMAGE=ghcr.io/${NAMESPACE}/base-${{ matrix.image }} NAMESPACE="${NAMESPACE}" docker buildx bake --push -f ../docker-bake.hcl

.github/workflows/ci.yml

@@ -31,12 +31,13 @@ jobs:
     runs-on: ubuntu-latest
     strategy:
       fail-fast: true
-      max-parallel: 3
+      max-parallel: 4
       matrix:
         image:
-        - git
-        - image-processing
-        - waiter
+          - base
+          - git
+          - image-processing
+          - waiter
     steps:
       - uses: actions/checkout@v3
       - name: Set up QEMU
@@ -48,7 +49,8 @@ jobs:
       - name: Build Image
         working-directory: images/${{ matrix.image }}
         run: |
-          IMAGE=test-build/base-${{ matrix.image }} docker buildx bake --file ../docker-bake.hcl
+          NAMESPACE=$(tr '[:upper:]' '[:lower:]' <<<${{ github.repository_owner }})
+          IMAGE=test-build/base-${{ matrix.image }} NAMESPACE="${NAMESPACE}" docker buildx bake --file ../docker-bake.hcl
 
   integration:
     strategy:

images/base/Dockerfile

@@ -0,0 +1,17 @@
+# Copyright The Shipwright Contributors
+#
+# SPDX-License-Identifier: Apache-2.0
+FROM registry.access.redhat.com/ubi9-minimal:latest
+
+RUN \
+  microdnf --refresh --assumeyes --best --nodocs --noplugins --setopt=install_weak_deps=0 upgrade && \
+  microdnf clean all && \
+  rm -rf /var/cache/yum && \
+  # The following setup is necessary so that this image can run as any user
+  mkdir -p /shared-home/.docker /shared-home/.ssh && chmod -R 0777 /shared-home && \
+  # This is the default user that will be used when strategy steps use different runAs configuration.
+  # This must be in synchronization with our default configuration.
+  echo "shp:x:1000:1000:shp:/shared-home:/sbin/nologin" >/etc/passwd && \
+  echo "shp:x:1000" >/etc/group
+
+ENV HOME /shared-home

images/docker-bake.hcl

@@ -1,11 +1,19 @@
 variable "IMAGE" {
 }
 
+variable "NAMESPACE" {
+}
+
 group "default" {
 	targets = ["all"]
 }
 
 target "all" {
+	args = {
+		BASE = "ghcr.io/${NAMESPACE}/base-base"
+	}
 	tags = ["${IMAGE}:latest"]
 	platforms = ["linux/amd64", "linux/arm64", "linux/ppc64le", "linux/s390x"]
 }
+
+

images/git/Dockerfile

@@ -1,16 +1,14 @@
 # Copyright The Shipwright Contributors
 #
 # SPDX-License-Identifier: Apache-2.0
-FROM registry.access.redhat.com/ubi9-minimal:latest
+
+ARG BASE
+
+FROM ${BASE}
 
 RUN \
-  microdnf --refresh --assumeyes --best --nodocs --noplugins --setopt=install_weak_deps=0 upgrade && \
   microdnf --assumeyes --nodocs install git git-lfs && \
   microdnf clean all && \
-  rm -rf /var/cache/yum && \
-  echo 'nonroot:x:1000:1000:nonroot:/:/sbin/nologin' > /etc/passwd && \
-  echo 'nonroot:x:1000:' > /etc/group && \
-  mkdir /.docker && chown 1000:1000 /.docker && \
-  mkdir /.ssh && chown 1000:1000 /.ssh
+  rm -rf /var/cache/yum
 
 USER 1000:1000

images/image-processing/Dockerfile

@@ -1,20 +1,17 @@
 # Copyright The Shipwright Contributors
 #
 # SPDX-License-Identifier: Apache-2.0
+ARG BASE
+
 FROM registry.access.redhat.com/ubi9-minimal:latest AS bin-loader
 RUN \
   microdnf --assumeyes --nodocs install gzip jq tar && \
   TAG_NAME="$(curl -s https://api.github.com/repos/aquasecurity/trivy/releases/latest | jq -r '.tag_name')" && \
   curl -L -s "https://github.com/aquasecurity/trivy/releases/download/${TAG_NAME}/trivy_${TAG_NAME/v/}_$(uname -s)-$(uname -m | sed -e 's/aarch64/ARM64/' -e 's/ppc64le/PPC64LE/' -e 's/x86_64/64bit/').tar.gz" | tar -xzf - -C /usr/local/bin trivy
 
 
-FROM registry.access.redhat.com/ubi9-minimal:latest
+FROM ${BASE}
+
 COPY --from=bin-loader /usr/local/bin/trivy /usr/local/bin/trivy
-RUN \
-  microdnf --refresh --assumeyes --best --nodocs --noplugins --setopt=install_weak_deps=0 upgrade && \
-  microdnf clean all && \
-  rm -rf /var/cache/yum && \
-  echo 'nonroot:x:1000:1000:nonroot:/:/sbin/nologin' > /etc/passwd && \
-  echo 'nonroot:x:1000:' > /etc/group
 
 USER 1000:1000

images/waiter/Dockerfile

@@ -1,16 +1,14 @@
 # Copyright The Shipwright Contributors
 #
 # SPDX-License-Identifier: Apache-2.0
-FROM registry.access.redhat.com/ubi9-minimal:latest
+
+ARG BASE
+
+FROM ${BASE}
 
 RUN \
-  microdnf --refresh --assumeyes --best --nodocs --noplugins --setopt=install_weak_deps=0 upgrade && \
   microdnf --assumeyes --nodocs install tar && \
   microdnf clean all && \
-  rm -rf /var/cache/yum && \
-  echo 'nonroot:x:1000:1000:nonroot:/:/sbin/nologin' > /etc/passwd && \
-  echo 'nonroot:x:1000:' > /etc/group && \
-  mkdir /.docker && \
-  chown 1000:1000 /.docker
+  rm -rf /var/cache/yum
 
 USER 1000:1000