fix: use the non-root atlantis user instead of root (#3886)

* feat: use Atlantis user by default and get rid of gosu

* chore: set `DOCKER_CONTENT_TRUST=1`

* chore: fix chmod and chown

* feat: add a healthcheck to the debian and alpine images

* feat: removing setuid and setgid permissions prevents container privilege escalation and improve comments

* chore: remove setgid/setuid as we chown an entire directory

* chore: keep deps comment generic

* chore: grammar

* chore: remove redundant comment

* chore: rm DOCKER_CONTENT_TRUST

* chore: set uid and gid and remove passwd entry

* chore: revert gid and uid set as it's conflicting

---------

Co-authored-by: PePe Amengual <[email protected]>

Dockerfile

@@ -41,7 +41,7 @@ RUN --mount=type=cache,target=/go/pkg/mod \
 
 FROM debian:${DEBIAN_TAG} as debian-base
 
-# Install packages needed for running Atlantis.
+# Install packages needed to run Atlantis.
 # We place this last as it will bust less docker layer caches when packages update
 # hadolint ignore explanation
 # DL3008 (pin versions using "=") - Ignored to avoid failing the build
@@ -89,30 +89,6 @@ RUN AVAILABLE_CONFTEST_VERSIONS=${DEFAULT_CONFTEST_VERSION} && \
         rm checksums.txt; \
     done
 
-# install gosu
-# We use gosu to step down from root and run as the atlantis user
-# renovate: datasource=github-releases depName=tianon/gosu
-ENV GOSU_VERSION=1.16
-
-RUN case ${TARGETPLATFORM} in \
-        "linux/amd64") GOSU_ARCH=amd64 ;; \
-        "linux/arm64") GOSU_ARCH=arm64 ;; \
-        "linux/arm/v7") GOSU_ARCH=armhf ;; \
-    esac && \
-    curl -L -s --output gosu "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}" && \
-    curl -L -s --output gosu.asc "https://github.com/tianon/gosu/releases/download/${GOSU_VERSION}/gosu-${GOSU_ARCH}.asc" && \
-    for server in $(shuf -e ipv4.pool.sks-keyservers.net \
-                            hkp://p80.pool.sks-keyservers.net:80 \
-                            keyserver.ubuntu.com \
-                            hkp://keyserver.ubuntu.com:80 \
-                            pgp.mit.edu) ; do \
-        gpg --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
-    done && \
-    gpg --batch --verify gosu.asc gosu && \
-    chmod +x gosu && \
-    cp gosu /bin && \
-    gosu --version
-
 # install git-lfs
 # renovate: datasource=github-releases depName=git-lfs/git-lfs
 ENV GIT_LFS_VERSION=3.4.0
@@ -159,26 +135,27 @@ RUN AVAILABLE_TERRAFORM_VERSIONS="1.2.9 1.3.10 1.4.6 ${DEFAULT_TERRAFORM_VERSION
 # Creating the individual distro builds using targets
 FROM alpine:${ALPINE_TAG} AS alpine
 
-# atlantis user for gosu and OpenShift compatibility
+EXPOSE ${ATLANTIS_PORT:-4141}
+
+HEALTHCHECK --interval=5m --timeout=3s \
+  CMD curl -f http://localhost:${ATLANTIS_PORT:-4141}/healthz || exit 1
+
+# Set up the 'atlantis' user and adjust permissions
 RUN addgroup atlantis && \
     adduser -S -G atlantis atlantis && \
-    adduser atlantis root && \
     chown atlantis:root /home/atlantis/ && \
-    chmod g=u /home/atlantis/ && \
-    chmod g=u /etc/passwd
+    chmod u+rwx /home/atlantis/
 
-# copy binary
+# copy atlantis binary
 COPY --from=builder /app/atlantis /usr/local/bin/atlantis
-# copy terraform
+# copy terraform binaries
 COPY --from=deps /usr/local/bin/terraform* /usr/local/bin/
-# copy deps
+# copy dependencies
 COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest
-COPY --from=deps /bin/gosu /bin/gosu
 COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs
-# copy docker entrypoint
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
-# Install packages needed for running Atlantis.
+# Install packages needed to run Atlantis.
 # We place this last as it will bust less docker layer caches when packages update
 RUN apk add --no-cache \
         ca-certificates~=20230506 \
@@ -191,29 +168,36 @@ RUN apk add --no-cache \
         dumb-init~=1.2 \
         gcompat~=1.1
 
+
+# Set the entry point to the atlantis user and run the atlantis command
+USER atlantis
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server"]
 
 # Stage 2 - Debian
 FROM debian-base AS debian
 
-# Add atlantis user to Debian as well
+EXPOSE ${ATLANTIS_PORT:-4141}
+
+HEALTHCHECK --interval=5m --timeout=3s \
+  CMD curl -f http://localhost:${ATLANTIS_PORT:-4141}/healthz || exit 1
+
+# Set up the 'atlantis' user and adjust permissions
 RUN useradd --create-home --user-group --shell /bin/bash atlantis && \
-    adduser atlantis root && \
     chown atlantis:root /home/atlantis/ && \
-    chmod g=u /home/atlantis/ && \
-    chmod g=u /etc/passwd
+    chmod u+rwx /home/atlantis/
 
-# copy binary
+# copy atlantis binary
 COPY --from=builder /app/atlantis /usr/local/bin/atlantis
-# copy terraform
+# copy terraform binaries
 COPY --from=deps /usr/local/bin/terraform* /usr/local/bin/
-# copy deps
+# copy dependencies
 COPY --from=deps /usr/local/bin/conftest /usr/local/bin/conftest
-COPY --from=deps /bin/gosu /bin/gosu
 COPY --from=deps /usr/bin/git-lfs /usr/bin/git-lfs
-# copy docker entrypoint
+# copy docker-entrypoint.sh
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
 
+# Set the entry point to the atlantis user and run the atlantis command
+USER atlantis
 ENTRYPOINT ["docker-entrypoint.sh"]
 CMD ["server"]

docker-entrypoint.sh

@@ -29,18 +29,4 @@ if ! whoami > /dev/null 2>&1; then
   fi
 fi
 
-# If we're running as root and we're trying to execute atlantis then we use
-# gosu to step down from root and run as the atlantis user.
-# In OpenShift, containers are run as a random users so we don't need to use gosu.
-if [ "$(id -u)" = 0 ] && [ "$1" = 'atlantis' ]; then
-    # If requested, set the capability to bind to privileged ports before
-    # we drop to the non-root user. Note that this doesn't work with all
-    # storage drivers (it won't work with AUFS).
-    if [ -n "${ATLANTIS_ALLOW_PRIVILEGED_PORTS+x}" ]; then
-        setcap "cap_net_bind_service=+ep" /bin/atlantis
-    fi
-
-    set -- gosu atlantis "$@"
-fi
-
 exec "$@"