support non-root containers

[styblope]

Ensure/enable containers to run as non-root

Many of the demo containers currently run as root by default. We should support running the containers under non-root UIDs to align with security best-practices and support running the demo app in restrictive environments (e.g. OpenShift).

There are two steps to reach the goal:

1. Enable containers to run as non-root user.
   Make sure the containers can execute as non-root. Some of the containers that now launch under root are happy to run also as non-root. There are, however, a couple of containers (emailservice, adservice, frontend-proxy, postgres) which fail to run under a non-root user and need to be fixed.

2. Ensure the containers run as non-root by default.
   This step actually applies non-root UID to all container deployments. This can either be done at launch-time by setting the user/UID in Compose/Helm, or it can be left up to the orchestrator (e.g. OpenShift UIDs). Some containers require to be run under a specific UID defined in /etc/passwd (e.g. envoy, postgres, apache).

The PR implements the first step by fixing the services that fail to run under non-root.

• adservice - add read permission to opentelemetry-javaagent.jar. Can run as any non-root UID.
• emailservice - read/write permission to Gemfile.lock + Dockerfile cleanup. Can run as any non-root UID.
• frontendproxy - build image with built-in envoy user.
• quoteservice - configure and run apache under built-in www-data user + Dockerfile Apache envvar substitution and cleanup.
• ffspostgres - set postgres user in Compose, no image modification.
• redis - set redis user in Compose, no image modification.

Services with with their default users (after the PR changes) and working non-root alternatives:

container_name	default UID	non-root UID
ad-service	root	anyuid
cart-service	root	anyuid
checkout-service	root	anyuid
currency-service	root	anyuid
email-service	root	anyuid
feature-flag-service	nobody (65534)	anyuid
frauddetection-service	root	anyuid
frontend	nextjs (1001)	anyuid
frontend-proxy	root envoy (101)	envoy
kafka	appuser (1000)	appuser
load-generator	root	anyuid
payment-service	node (1000)	anyuid
product-catalog-service	root	anyuid
quote-service	root www-data (33)	www-data
recommendation-service	root	anyuid
shipping-service	root	anyuid
postgres	root postgres (999)	postgres
jaeger	root	anyuid
grafana	grafana (472)	anyuid
otel-col	N/A (scratch)	N/A
prometheus	nobody (65534)	nobody
redis-cart	root redis (999)	redis

anyuid means any non-root UID.
anyuid containers were tested with user nobody uid/guid 65534.

Test commands:

Print container UIDs:

docker ps --format '{{.Names}}' | xargs -I{} -- bash -c 'echo -n "{}: " ; docker exec -t {} id' | sort

Assign nobody user to the root-by-default containers in docker-compose.yml and test-run:

cp docker-compose.yml docker-compose.yml-nobody
for i in ad-service \
         cart-service \
         checkout-service \
         currency-service \
         email-service \
         frauddetection-service \
         load-generator \
         product-catalog-service \
         recommendation-service \
         shipping-service \
         jaeger
do
  sed -i -e "s|\(container_name: $i$\)|\1\n    user: nobody|" docker-compose.yml-nobody
done
docker compose -f docker-compose.yml-nobody up -d

TODO: Helm charts mods including default non-root uid option

Merge Requirements

For new features contributions please make sure you have completed the following
essential items:

• CHANGELOG.md updated to document new feature additions
• Appropriate documentation updates in the docs folder

Maintainers will not merge until the above have been completed. If you're unsure
which docs need to be changed ping the
@open-telemetry/demo-approvers.

[puckpuck]

Please add a changelog entry for this.

Would you also be able to start a PR to get the Helm chart updated?

[puckpuck]

I merged in from main, adding the new fraud detection service. Duplicated the same pattern from the ad service to set proper permissions on the Java agent file.

[puckpuck]

Please set a changelog entry. This works great! 👍