Use a non-root user in Node interop docker images (#29062)

* Use a non-root user in Node interop docker images

* Make node interop scripts without being root

* Update cwd in Node interop tests

* Update cwd in other Node interop tests

* Update cwd in Node interop tests relative to hardcoded path

* Fix updated Node interop test cwd

* Make service account file location more generic

* Use service account creds directly from mounted directory

* Fixing source path is recursive local submodule clone.

* Move creds file to /root, make /root accessible

Co-authored-by: Nicolas "Pixel" Noble <pixel@nobis-crew.org>

templates/tools/dockerfile/interoptest/grpc_interop_node/Dockerfile.template

@@ -18,8 +18,8 @@
   
   <%include file="../../apt_get_basic.include"/>
   <%include file="../../run_tests_python_deps.include"/>
-  <%include file="../../node_deps.include"/>
   <%include file="../../run_tests_addons.include"/>
+  <%include file="../../node_deps.include"/>
   # Define the default command.
   CMD ["bash"]
   

templates/tools/dockerfile/interoptest/grpc_interop_nodepurejs/Dockerfile.template

@@ -17,7 +17,7 @@
   FROM debian:jessie
 
   <%include file="../../apt_get_basic.include"/>
-  <%include file="../../node_deps.include"/>
   <%include file="../../run_tests_addons.include"/>
+  <%include file="../../node_deps.include"/>
   # Define the default command.
   CMD ["bash"]

templates/tools/dockerfile/node_deps.include

@@ -2,13 +2,12 @@
 # Node dependencies
 
 # Install nvm
-RUN touch .profile
-RUN curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.25.4/install.sh | bash
+RUN groupadd -g 999 appuser && useradd -r -u 999 -g appuser appuser
+RUN mkdir -p /home/appuser && chown appuser /home/appuser
+RUN chmod 777 /root
+USER appuser
+RUN touch ~/.profile
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | bash
 # Install all versions of node that we want to test
-RUN /bin/bash -l -c "nvm install 4 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 5 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 6 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 8 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 9 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 10 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm alias default 10"
+RUN /bin/bash -l -c "nvm install 16 && npm config set cache /tmp/npm-cache"
+RUN /bin/bash -l -c "nvm alias default 16"

tools/dockerfile/interoptest/grpc_interop_node/Dockerfile

@@ -78,22 +78,21 @@ RUN python3 -m pip install six==1.16.0
 RUN python3 -m pip install --upgrade google-auth==1.23.0 google-api-python-client==1.12.8 oauth2client==4.1.0
 
 
+
+RUN mkdir /var/local/jenkins
+
 #==================
 # Node dependencies
 
 # Install nvm
-RUN touch .profile
-RUN curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.25.4/install.sh | bash
+RUN groupadd -g 999 appuser && useradd -r -u 999 -g appuser appuser
+RUN mkdir -p /home/appuser && chown appuser /home/appuser
+RUN chmod 777 /root
+USER appuser
+RUN touch ~/.profile
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | bash
 # Install all versions of node that we want to test
-RUN /bin/bash -l -c "nvm install 4 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 5 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 6 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 8 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 9 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 10 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm alias default 10"
-
-RUN mkdir /var/local/jenkins
-
+RUN /bin/bash -l -c "nvm install 16 && npm config set cache /tmp/npm-cache"
+RUN /bin/bash -l -c "nvm alias default 16"
 # Define the default command.
 CMD ["bash"]

tools/dockerfile/interoptest/grpc_interop_node/build_interop.sh

@@ -16,17 +16,16 @@
 # Builds Node interop server and client in a base image.
 set -e
 
-mkdir -p /var/local/git
-git clone /var/local/jenkins/grpc-node /var/local/git/grpc-node
+git clone /var/local/jenkins/grpc-node ~/grpc-node
 # clone gRPC submodules, use data from locally cloned submodules where possible
-(cd /var/local/jenkins/grpc-node/ && git submodule foreach 'cd /var/local/git/grpc-node \
+(cd /var/local/jenkins/grpc-node/ && git submodule foreach 'cd ~/grpc-node \
 && git submodule update --init --recursive --reference /var/local/jenkins/grpc-node/${name} \
 ${name}')
 
 # copy service account keys if available
-cp -r /var/local/jenkins/service_account $HOME || true
+cp -r /var/local/jenkins/service_account /root/ || true
 
-cd /var/local/git/grpc-node
+cd ~/grpc-node
 
 # build Node interop client & server
 ./setup_interop.sh

tools/dockerfile/interoptest/grpc_interop_nodepurejs/Dockerfile

@@ -53,22 +53,21 @@ RUN apt-get update && apt-get install -y \
   zip \
   && apt-get clean
 
+
+RUN mkdir /var/local/jenkins
+
 #==================
 # Node dependencies
 
 # Install nvm
-RUN touch .profile
-RUN curl -o- https://raw.githubusercontent.com/creationix/nvm/v0.25.4/install.sh | bash
+RUN groupadd -g 999 appuser && useradd -r -u 999 -g appuser appuser
+RUN mkdir -p /home/appuser && chown appuser /home/appuser
+RUN chmod 777 /root
+USER appuser
+RUN touch ~/.profile
+RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.1/install.sh | bash
 # Install all versions of node that we want to test
-RUN /bin/bash -l -c "nvm install 4 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 5 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 6 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 8 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 9 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm install 10 && npm config set cache /tmp/npm-cache"
-RUN /bin/bash -l -c "nvm alias default 10"
-
-RUN mkdir /var/local/jenkins
-
+RUN /bin/bash -l -c "nvm install 16 && npm config set cache /tmp/npm-cache"
+RUN /bin/bash -l -c "nvm alias default 16"
 # Define the default command.
 CMD ["bash"]

tools/dockerfile/interoptest/grpc_interop_nodepurejs/build_interop.sh

@@ -16,17 +16,16 @@
 # Builds Node interop server and client in a base image.
 set -e
 
-mkdir -p /var/local/git
-git clone /var/local/jenkins/grpc-node /var/local/git/grpc-node
+git clone /var/local/jenkins/grpc-node ~/grpc-node
 # clone gRPC submodules, use data from locally cloned submodules where possible
-(cd /var/local/jenkins/grpc-node/ && git submodule foreach 'cd /var/local/git/grpc-node \
+(cd /var/local/jenkins/grpc-node/ && git submodule foreach 'cd ~/grpc-node \
 && git submodule update --init --recursive --reference /var/local/jenkins/grpc-node/${name} \
 ${name}')
 
 # copy service account keys if available
-cp -r /var/local/jenkins/service_account $HOME || true
+cp -r /var/local/jenkins/service_account /root/ || true
 
-cd /var/local/git/grpc-node
+cd ~/grpc-node
 
 # build Node interop client & server
 ./setup_interop_purejs.sh

tools/run_tests/run_interop_tests.py

@@ -415,8 +415,8 @@ class Http2Client:
 class NodeLanguage:
 
     def __init__(self):
-        self.client_cwd = '../grpc-node'
-        self.server_cwd = '../grpc-node'
+        self.client_cwd = '../../../../home/appuser/grpc-node'
+        self.server_cwd = '../../../../home/appuser/grpc-node'
         self.safename = str(self)
 
     def client_cmd(self, args):
@@ -455,8 +455,8 @@ class NodeLanguage:
 class NodePureJSLanguage:
 
     def __init__(self):
-        self.client_cwd = '../grpc-node'
-        self.server_cwd = '../grpc-node'
+        self.client_cwd = '../../../../home/appuser/grpc-node'
+        self.server_cwd = '../../../../home/appuser/grpc-node'
         self.safename = str(self)
 
     def client_cmd(self, args):