Use a numeric User ID for the "agones" user in the SDK sidecar (#1293)

* Use a numeric User ID for the agones user

This fixes failure of the container to start when run on a system with a
PodSecurityPolicy specifying RunAsUser as "MustRunAsNonRoot".

* Set group-ownership of files to 'agones' group.
Creating a non-system user named 'agones' also creates a group named
'agones'. For consistency, the files should be owned by that group.

* Use a numeric User ID in the Debian-based examples

This fixes failure of the container to start when run on a system with a
PodSecurityPolicy specifying RunAsUser as "MustRunAsNonRoot".

* Use a numeric User ID in the Alpine-based examples

This fixes failure of the container to start when run on a system with a
PodSecurityPolicy specifying RunAsUser as "MustRunAsNonRoot".

Signed-off-by: Paul "Hampy" Hampson <p_hampson@wargaming.net>

cmd/allocator/Dockerfile

@@ -15,10 +15,10 @@
 FROM alpine:3.11
 
 RUN apk --update add ca-certificates && \
-    adduser -D agones
+    adduser -D -u 1000 agones
 
-COPY --chown=agones:root ./bin/allocator /home/agones/allocator
-COPY --chown=agones:root ./bin/LICENSES ./bin/dependencies-src.tgz /home/agones/
+COPY --chown=agones:agones ./bin/allocator /home/agones/allocator
+COPY --chown=agones:agones ./bin/LICENSES ./bin/dependencies-src.tgz /home/agones/
 
-USER agones
+USER 1000
 ENTRYPOINT ["/home/agones/allocator"]

cmd/controller/Dockerfile

@@ -15,10 +15,10 @@
 FROM alpine:3.11
 
 RUN apk --update add ca-certificates && \
-    adduser -D agones
+    adduser -D -u 1000 agones
 
-COPY --chown=agones:root ./bin/controller /home/agones/controller
-COPY --chown=agones:root ./bin/LICENSES ./bin/dependencies-src.tgz /home/agones/
+COPY --chown=agones:agones ./bin/controller /home/agones/controller
+COPY --chown=agones:agones ./bin/LICENSES ./bin/dependencies-src.tgz /home/agones/
 
-USER agones
+USER 1000
 ENTRYPOINT ["/home/agones/controller"]

cmd/ping/Dockerfile

@@ -15,10 +15,10 @@
 FROM alpine:3.11
 
 RUN apk --update add ca-certificates && \
-    adduser -D agones
+    adduser -D -u 1000 agones
 
-COPY --chown=agones:root ./bin/ping /home/agones/ping
-COPY --chown=agones:root ./bin/LICENSES ./bin/dependencies-src.tgz /home/agones/
+COPY --chown=agones:agones ./bin/ping /home/agones/ping
+COPY --chown=agones:agones ./bin/LICENSES ./bin/dependencies-src.tgz /home/agones/
 
-USER agones
+USER 1000
 ENTRYPOINT ["/home/agones/ping"]

cmd/sdk-server/Dockerfile

@@ -15,10 +15,10 @@
 FROM alpine:3.11
 
 RUN apk --update add ca-certificates && \
-    adduser -D agones
+    adduser -D -u 1000 agones
 
-COPY --chown=agones:root ./bin/sdk-server.linux.amd64 /home/agones/sdk-server
-COPY --chown=agones:root ./bin/LICENSES ./bin/dependencies-src.tgz /home/agones/
+COPY --chown=agones:agones ./bin/sdk-server.linux.amd64 /home/agones/sdk-server
+COPY --chown=agones:agones ./bin/LICENSES ./bin/dependencies-src.tgz /home/agones/
 
-USER agones
+USER 1000
 ENTRYPOINT ["/home/agones/sdk-server"]

examples/allocator-service/Dockerfile

@@ -27,13 +27,13 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o service .
 # Create the final image that will run the allocator service
 FROM alpine:3.8
 RUN apk add --update ca-certificates
-RUN adduser -D service
+RUN adduser -D -u 1000 service
 
 COPY --from=builder /go/src/agones.dev/agones/examples/allocator-service \
                     /home/service
 
 RUN chown -R service /home/service && \
     chmod o+x /home/service/service
 
-USER service
+USER 1000
 ENTRYPOINT /home/service/service

examples/autoscaler-webhook/Dockerfile

@@ -22,13 +22,13 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o server .
 
 # Create the final image that will run the webhook server for FleetAutoscaler webhook policy
 FROM alpine:3.8
-RUN adduser -D server
+RUN adduser -D -u 1000 server
 
 COPY --from=builder /go/src/autoscaler-webhook \
                     /home/server
 
 RUN chown -R server /home/server && \
     chmod o+x /home/server/server
 
-USER server
+USER 1000
 ENTRYPOINT /home/server/server

examples/autoscaler-webhook/Makefile

@@ -27,7 +27,7 @@ REPOSITORY = gcr.io/agones-images
 
 mkfile_path := $(abspath $(lastword $(MAKEFILE_LIST)))
 project_path := $(dir $(mkfile_path))
-autoscaler_webhook_tag = $(REPOSITORY)/autoscaler-webhook:0.2
+autoscaler_webhook_tag = $(REPOSITORY)/autoscaler-webhook:0.3
 root_path = $(realpath $(project_path)/../..)
 
 #   _____                    _

examples/cpp-simple/Dockerfile

@@ -35,11 +35,11 @@ RUN cd cpp-simple && mkdir -p .build && \
     cmake --build . --target install
 
 FROM debian:stretch
-RUN useradd -m server
+RUN useradd -u 1000 -m server
 
 COPY --from=builder /project/cpp-simple/.build/.bin/cpp-simple /home/server/cpp-simple
 RUN chown -R server /home/server && \
     chmod o+x /home/server/cpp-simple
 
-USER server
+USER 1000
 ENTRYPOINT /home/server/cpp-simple

examples/cpp-simple/Makefile

@@ -28,7 +28,7 @@ REPOSITORY = gcr.io/agones-images
 # Directory that this Makefile is in.
 mkfile_path := $(abspath $(lastword $(MAKEFILE_LIST)))
 project_path := $(dir $(mkfile_path))
-server_tag = $(REPOSITORY)/cpp-simple-server:0.11
+server_tag = $(REPOSITORY)/cpp-simple-server:0.12
 root_path = $(realpath $(project_path)/../..)
 
 #   _____                    _

examples/crd-client/Dockerfile

@@ -22,13 +22,13 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o client .
 
 # Create the final image that will run the webhook server for FleetAutoscaler webhook policy
 FROM alpine:3.8
-RUN adduser -D client
+RUN adduser -D -u 1000 client
 
 COPY --from=builder /go/src/crd-client \
                     /home/client
 
 RUN chown -R client /home/client && \
     chmod o+x /home/client/client
 
-USER client
+USER 1000
 ENTRYPOINT /home/client/client

examples/crd-client/Makefile

@@ -25,7 +25,7 @@
 
 REPOSITORY ?= gcr.io/agones-images
 
-server_tag = $(REPOSITORY)/crd-client:0.1
+server_tag = $(REPOSITORY)/crd-client:0.2
 
 #   _____                    _
 #  |_   _|_ _ _ __ __ _  ___| |_ ___

examples/nodejs-simple/Dockerfile

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 FROM debian:stretch
-RUN useradd -m server
+RUN useradd -u 1000 -m server
 RUN apt-get update && apt-get install -y curl  && apt-get clean
 RUN curl -sL https://deb.nodesource.com/setup_11.x | bash - && \
     apt-get install -y nodejs
@@ -25,5 +25,5 @@ COPY ./examples/nodejs-simple examples/nodejs-simple
 RUN cd examples/nodejs-simple && \
     npm install
 
-USER server
+USER 1000
 ENTRYPOINT cd /home/server/examples/nodejs-simple && npm start

examples/nodejs-simple/Makefile

@@ -28,7 +28,7 @@ REPOSITORY = gcr.io/agones-images
 # Directory that this Makefile is in.
 mkfile_path := $(abspath $(lastword $(MAKEFILE_LIST)))
 project_path := $(dir $(mkfile_path))
-server_tag = $(REPOSITORY)/nodejs-simple-server:0.2
+server_tag = $(REPOSITORY)/nodejs-simple-server:0.3
 root_path = $(realpath $(project_path)/../..)
 
 #   _____                    _

examples/rust-simple/Dockerfile

@@ -52,11 +52,11 @@ WORKDIR /home/builder/agones/examples/rust-simple
 RUN make build
 
 FROM debian:stretch
-RUN useradd -m server
+RUN useradd -u 1000 -m server
 
 COPY --from=builder /home/builder/agones/examples/rust-simple/target/release/rust-simple /home/server/rust-simple
 RUN chown -R server /home/server && \
     chmod o+x /home/server/rust-simple
 
-USER server
+USER 1000
 ENTRYPOINT /home/server/rust-simple

examples/rust-simple/Makefile

@@ -27,7 +27,7 @@ REPOSITORY ?= gcr.io/agones-images
 
 mkfile_path := $(abspath $(lastword $(MAKEFILE_LIST)))
 project_path := $(dir $(mkfile_path))
-server_tag = $(REPOSITORY)/rust-simple-server:0.6
+server_tag = $(REPOSITORY)/rust-simple-server:0.7
 
 #   _____                    _
 #  |_   _|_ _ _ __ __ _  ___| |_ ___

examples/simple-tcp/Dockerfile

@@ -23,10 +23,10 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o server .
 # final image
 FROM alpine:3.10
 
-RUN adduser -D server
+RUN adduser -D -u 1000 server
 COPY --from=builder /go/src/simple-tcp/server /home/server/server
 RUN chown -R server /home/server && \
     chmod o+x /home/server/server
 
-USER server
+USER 1000
 ENTRYPOINT ["/home/server/server"]

examples/simple-tcp/Makefile

@@ -27,7 +27,7 @@ REPOSITORY = gcr.io/agones-images
 
 mkfile_path := $(abspath $(lastword $(MAKEFILE_LIST)))
 project_path := $(dir $(mkfile_path))
-server_tag = $(REPOSITORY)/tcp-server:0.3
+server_tag = $(REPOSITORY)/tcp-server:0.4
 root_path = $(realpath $(project_path)/../..)
 
 #   _____                    _

examples/simple-udp/Dockerfile

@@ -23,10 +23,10 @@ RUN CGO_ENABLED=0 GOOS=linux go build -a -installsuffix cgo -o server .
 # final image
 FROM alpine:3.10
 
-RUN adduser -D server
+RUN adduser -D -u 1000 server
 COPY --from=builder /go/src/simple-udp/server /home/server/server
 RUN chown -R server /home/server && \
     chmod o+x /home/server/server
 
-USER server
+USER 1000
 ENTRYPOINT ["/home/server/server"]

examples/simple-udp/Makefile

@@ -27,7 +27,7 @@ REPOSITORY = gcr.io/agones-images
 
 mkfile_path := $(abspath $(lastword $(MAKEFILE_LIST)))
 project_path := $(dir $(mkfile_path))
-server_tag = $(REPOSITORY)/udp-server:0.17
+server_tag = $(REPOSITORY)/udp-server:0.18
 root_path = $(realpath $(project_path)/../..)
 
 #   _____                    _

examples/xonotic/Dockerfile

@@ -30,7 +30,7 @@ FROM debian:stretch
 
 WORKDIR /home/xonotic
 
-RUN useradd -m xonotic
+RUN useradd -u 1000 -m xonotic
 
 #
 # To learn about setting up a Xonotic dedicated server, read the `readme.txt` in the
@@ -45,5 +45,5 @@ COPY examples/xonotic/server.cfg ./.xonotic/data
 
 RUN chown -R xonotic:xonotic . && chmod +x wrapper
 
-USER xonotic
+USER 1000
 ENTRYPOINT /home/xonotic/wrapper -i /home/xonotic/Xonotic/server_linux.sh

examples/xonotic/Makefile

@@ -28,7 +28,7 @@ REPOSITORY = gcr.io/agones-images
 mkfile_path := $(abspath $(lastword $(MAKEFILE_LIST)))
 project_path := $(dir $(mkfile_path))
 root_path := $(realpath $(project_path)/../..)
-image_tag = $(REPOSITORY)/xonotic-example:0.7
+image_tag = $(REPOSITORY)/xonotic-example:0.8
 
 #   _____                    _
 #  |_   _|_ _ _ __ __ _  ___| |_ ___