Use a regular user, mapped to the current user on the host

Author: Molter73

collector/Containerfile

@@ -1,5 +1,8 @@
 FROM quay.io/stackrox-io/collector-builder:master
 
+ARG DEFAULT_GROUP
+ARG DEFAULT_USER
+
 RUN dnf install -y epel-release && \
     dnf install -y \
         ccache \
@@ -8,11 +11,12 @@ RUN dnf install -y epel-release && \
         fzf \
         inotify-tools \
         podman-docker \
+        sudo \
         zsh && \
     dnf clean all && \
-    # Install my dev environment
-    # Clone my configuration
-    git clone https://github.com/molter73/dotfiles "${HOME}/.config" && \
+    groupadd -g $DEFAULT_GROUP molter && \
+    useradd -m -l -u $DEFAULT_USER -g molter molter && \
+    echo 'molter        ALL=(ALL)       NOPASSWD: ALL' >> /etc/sudoers && \
     # Install NeoVim
     curl -LO https://github.com/neovim/neovim/releases/latest/download/nvim-linux-x86_64.tar.gz && \
     tar -C /opt -xzf nvim-linux-x86_64.tar.gz && \
@@ -21,15 +25,22 @@ RUN dnf install -y epel-release && \
     curl -LO https://github.com/tree-sitter/tree-sitter/releases/latest/download/tree-sitter-linux-x64.gz && \
     gunzip -c tree-sitter-linux-x64.gz > /usr/local/bin/tree-sitter && \
     chmod +x /usr/local/bin/tree-sitter && \
-    rm -f tree-sitter-linux-x64.gz && \
+    rm -f tree-sitter-linux-x64.gz
+
+USER molter
+WORKDIR /home/molter
+
+# Install my dev environment
+RUN git clone https://github.com/molter73/dotfiles "${HOME}/.config" && \
     # Install starship.rs
     curl -sS https://starship.rs/install.sh | sh -s -- --yes && \
     # Install my configuration
+    rm -f "${HOME}/.zshrc" && \
     "${HOME}/.config/zsh/install.sh" && \
     "${HOME}/.config/scripts/install.sh" && \
     /opt/nvim-linux-x86_64/bin/nvim --headless "+Lazy! restore" +qa
 
-COPY clangd.yaml /root/.config/clangd/config.yaml
+COPY clangd.yaml /home/molter/.config/clangd/config.yaml
 
 # scan-view default port
 EXPOSE 8181

collector/Makefile

@@ -4,6 +4,8 @@ BUILDER_IMAGE=quay.io/mmoltras/devcontainers:collector
 build:
 	docker build \
 		--tag $(BUILDER_IMAGE) \
+		--build-arg DEFAULT_GROUP=$(shell id -g) \
+		--build-arg DEFAULT_USER=$(shell id -u) \
 		-f Containerfile \
 		$(CURDIR)
 

falco-libs/Containerfile

@@ -1,5 +1,8 @@
 FROM fedora:41
 
+ARG DEFAULT_GROUP
+ARG DEFAULT_USER
+
 RUN dnf install -y \
     autoconf \
     automake \
@@ -29,6 +32,7 @@ RUN dnf install -y \
     podman-docker \
     procps \
     python3-pip \
+    sudo \
     wget \
     which \
     zsh \
@@ -53,19 +57,9 @@ RUN dnf install -y \
     xz \
     zlib-devel && \
     dnf clean all && \
-# Set some symlinks to allow building of drivers.
-    kernel_version=$(uname -r) && \
-    ln -s "/host/lib/modules/$kernel_version" "/lib/modules/$kernel_version" && \
-    ln -s "/host/usr/src/kernels/$kernel_version" "/usr/src/kernels/$kernel_version" && \
-# Install emscripten
-    git clone https://github.com/emscripten-core/emsdk.git && \
-    cd emsdk && ./emsdk install latest && \
-    ./emsdk activate latest && \
-    echo 'export EMSDK_QUIET=1' >> /root/.bashrc && \
-    echo 'source /emsdk/emsdk_env.sh' >> /root/.bashrc && \
-    # Install my dev environment
-    # Clone my configuration
-    git clone https://github.com/molter73/dotfiles "${HOME}/.config" && \
+    groupadd -g $DEFAULT_GROUP molter && \
+    useradd -m -l -u $DEFAULT_USER -g molter molter && \
+    echo 'molter        ALL=(ALL)       NOPASSWD: ALL' >> /etc/sudoers && \
     # Install NeoVim
     curl -LO https://github.com/neovim/neovim/releases/latest/download/nvim-linux-x86_64.tar.gz && \
     tar -C /opt -xzf nvim-linux-x86_64.tar.gz && \
@@ -75,14 +69,32 @@ RUN dnf install -y \
     gunzip -c tree-sitter-linux-x64.gz > /usr/local/bin/tree-sitter && \
     chmod +x /usr/local/bin/tree-sitter && \
     rm -f tree-sitter-linux-x64.gz && \
+# Set some symlinks to allow building of drivers.
+    kernel_version=$(uname -r) && \
+    ln -s "/host/lib/modules/$kernel_version" "/lib/modules/$kernel_version" && \
+    ln -s "/host/usr/src/kernels/$kernel_version" "/usr/src/kernels/$kernel_version"
+
+USER molter
+WORKDIR /home/molter
+
+# Install emscripten
+RUN git clone https://github.com/emscripten-core/emsdk.git && \
+    cd emsdk && ./emsdk install latest && \
+    ./emsdk activate latest && \
+    echo 'export EMSDK_QUIET=1' >> /home/molter/.bashrc && \
+    echo 'source /emsdk/emsdk_env.sh' >> /home/molter/.bashrc && \
+    # Install my dev environment
+    # Clone my configuration
+    git clone https://github.com/molter73/dotfiles "${HOME}/.config" && \
     # Install starship.rs
     curl -sS https://starship.rs/install.sh | sh -s -- --yes && \
     # Install my configuration
+    rm -f "${HOME}/.zshrc" && \
     "${HOME}/.config/zsh/install.sh" && \
     "${HOME}/.config/scripts/install.sh" && \
     /opt/nvim-linux-x86_64/bin/nvim --headless "+Lazy! restore" +qa
 
-COPY clangd.yaml /root/.config/clangd/config.yaml
+COPY clangd.yaml /home/molter/.config/clangd/config.yaml
 COPY compile-falco.sh /usr/local/bin/
 COPY compile-libs.sh /usr/local/bin/
 

falco-libs/Makefile

@@ -10,6 +10,8 @@ clean:
 build: clang-config
 	docker build \
 		--tag quay.io/mmoltras/devcontainers:falco-libs \
+		--build-arg DEFAULT_GROUP=$(shell id -g) \
+		--build-arg DEFAULT_USER=$(shell id -u) \
 		-f Containerfile \
 		$(CURDIR)
 

lua/collector.lua

@@ -16,6 +16,8 @@ M.setup = function(opts)
         volumeMounts = opts.volumes or {},
         securityContext = {
             privileged = true,
+            runAsUser = opts.user,
+            runAsGroup = opts.group,
         },
         ports = {
             { containerPort = 8181, hostIP = '0.0.0.0', hostPort = 8181 },

lua/falco.lua

@@ -18,6 +18,8 @@ M.setup = function(opts)
         volumeMounts = opts.volumes or {},
         securityContext = {
             privileged = true,
+            runAsUser = opts.user,
+            runAsGroup = opts.group,
         },
         stdin = true,
         tty = true,

lua/init.lua

@@ -6,6 +6,18 @@ local falco_repo = os.getenv('GOPATH') .. '/src/github.com/falcosecurity/falco'
 local collector = require('collector')
 local falco = require('falco')
 
+local read_id = function(arg)
+    local cmd = 'id ' .. arg
+    local p = io.popen(cmd, 'r')
+    assert(p ~= nil, 'failed to run "' .. cmd .. '"')
+    local out = p:read('*n')
+    p:close()
+    return out
+end
+
+local user = read_id('-u')
+local group = read_id('-g')
+
 local collector_claim = collector.volume_claim()
 local falco_claim = falco.volume_claim()
 local volumes = {
@@ -35,6 +47,8 @@ local collector_opts = {
         { mountPath = '/root/.cache/ccache', name = 'collector-ccache', },
         { mountPath = collector_repo,        name = 'collector-repo', },
     },
+    user = user,
+    group = group,
 }
 
 local falco_opts = {
@@ -52,7 +66,9 @@ local falco_opts = {
         { mountPath = falco_libs_repo,        name = 'falco-libs-repo', },
         { mountPath = falco_testing_repo,     name = 'falco-testing-repo', },
         { mountPath = falco_repo,             name = 'falco-repo', },
-    }
+    },
+    user = user,
+    group = group,
 }
 
 local metadata = {