Build docker images for non-root user (#4320)

* build docker images as non-root user
* search and replace mistake
* buildifer
* Change uid to 1001

beacon-chain/BUILD.bazel

@@ -36,7 +36,7 @@ go_image(
         "main.go",
         "usage.go",
     ],
-    base = "@cc_image_base//image",
+    base = "//tools:cc_image",
     goarch = "amd64",
     goos = "linux",
     importpath = "github.com/prysmaticlabs/prysm/beacon-chain",

beacon-chain/core/blocks/spectest/BUILD.bazel

@@ -36,10 +36,10 @@ go_test(
         "//beacon-chain/core/state:go_default_library",
         "//beacon-chain/core/state/stateutils:go_default_library",
         "//proto/beacon/p2p/v1:go_default_library",
-        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "//shared/params/spectest:go_default_library",
         "//shared/testutil:go_default_library",
         "@com_github_gogo_protobuf//proto:go_default_library",
+        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "@com_github_prysmaticlabs_go_ssz//:go_default_library",
         "@in_gopkg_d4l3k_messagediff_v1//:go_default_library",
         "@io_bazel_rules_go//go/tools/bazel:go_default_library",
@@ -69,10 +69,10 @@ go_test(
         "//beacon-chain/core/state:go_default_library",
         "//beacon-chain/core/state/stateutils:go_default_library",
         "//proto/beacon/p2p/v1:go_default_library",
-        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "//shared/params/spectest:go_default_library",
         "//shared/testutil:go_default_library",
         "@com_github_gogo_protobuf//proto:go_default_library",
+        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "@com_github_prysmaticlabs_go_ssz//:go_default_library",
         "@in_gopkg_d4l3k_messagediff_v1//:go_default_library",
         "@io_bazel_rules_go//go/tools/bazel:go_default_library",

beacon-chain/core/state/spectest/BUILD.bazel

@@ -26,16 +26,16 @@ go_test(
         "//beacon-chain/core/helpers:go_default_library",
         "//beacon-chain/core/state:go_default_library",
         "//proto/beacon/p2p/v1:go_default_library",
-        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
+        "//shared/featureconfig:go_default_library",
         "//shared/params:go_default_library",
         "//shared/params/spectest:go_default_library",
         "//shared/testutil:go_default_library",
-        "//shared/featureconfig:go_default_library",
         "@com_github_gogo_protobuf//proto:go_default_library",
+        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "@com_github_prysmaticlabs_go_ssz//:go_default_library",
+        "@com_github_urfave_cli//:go_default_library",
         "@in_gopkg_d4l3k_messagediff_v1//:go_default_library",
         "@io_bazel_rules_go//go/tools/bazel:go_default_library",
-        "@com_github_urfave_cli//:go_default_library",
     ],
 )
 
@@ -59,15 +59,15 @@ go_test(
         "//beacon-chain/core/helpers:go_default_library",
         "//beacon-chain/core/state:go_default_library",
         "//proto/beacon/p2p/v1:go_default_library",
-        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
+        "//shared/featureconfig:go_default_library",
         "//shared/params:go_default_library",
         "//shared/params/spectest:go_default_library",
         "//shared/testutil:go_default_library",
-        "//shared/featureconfig:go_default_library",
         "@com_github_gogo_protobuf//proto:go_default_library",
+        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "@com_github_prysmaticlabs_go_ssz//:go_default_library",
+        "@com_github_urfave_cli//:go_default_library",
         "@in_gopkg_d4l3k_messagediff_v1//:go_default_library",
         "@io_bazel_rules_go//go/tools/bazel:go_default_library",
-        "@com_github_urfave_cli//:go_default_library",
     ],
 )

beacon-chain/gateway/server/BUILD.bazel

@@ -27,6 +27,7 @@ go_image(
     srcs = [
         "main.go",
     ],
+    base = "//tools:go_image",
     goarch = "amd64",
     goos = "linux",
     importpath = "github.com/prysmaticlabs/prysm/beacon-chain/gateway/server",

contracts/deposit-contract/drainContracts/BUILD.bazel

@@ -1,6 +1,4 @@
 load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-load("@io_bazel_rules_docker//go:image.bzl", "go_image")
-load("@io_bazel_rules_docker//container:container.bzl", "container_push")
 
 go_library(
     name = "go_default_library",

endtoend/BUILD.bazel

@@ -17,10 +17,10 @@ go_test(
     shard_count = 2,
     tags = [
         "block-network",
+        "e2e",
         "exclusive",
         "manual",
         "minimal",
-        "e2e",
     ],
     deps = [
         "//endtoend/evaluators:go_default_library",

proto/beacon/db/BUILD.bazel

@@ -1,3 +1,5 @@
+load("@rules_proto//proto:defs.bzl", "proto_library")
+
 # gazelle:ignore
 load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")

proto/beacon/p2p/v1/BUILD.bazel

@@ -1,3 +1,5 @@
+load("@rules_proto//proto:defs.bzl", "proto_library")
+
 # gazelle:ignore
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
 load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")
@@ -25,9 +27,9 @@ go_library(
 ssz_proto_files(
     name = "ssz_proto_files",
     srcs = [
+        "archive.proto",
         "messages.proto",
         "types.proto",
-        "archive.proto",
     ],
     config = select({
         "//conditions:default": "mainnet",
@@ -41,8 +43,8 @@ proto_library(
     srcs = [":ssz_proto_files"],
     visibility = ["//visibility:public"],
     deps = [
-        "@com_google_protobuf//:timestamp_proto",
         "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:proto",
+        "@com_google_protobuf//:timestamp_proto",
         "@gogo_special_proto//github.com/gogo/protobuf/gogoproto",
     ],
 )

proto/beacon/rpc/v1/BUILD.bazel

@@ -1,7 +1,8 @@
+load("@rules_proto//proto:defs.bzl", "proto_library")
+
 # gazelle:ignore
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
 load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")
-load("@grpc_ecosystem_grpc_gateway//protoc-gen-swagger:defs.bzl", "protoc_gen_swagger")
 
 go_proto_library(
     name = "v1_go_proto",
@@ -11,8 +12,8 @@ go_proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "//proto/beacon/p2p/v1:go_default_library",
-        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "//proto/sharding/p2p/v1:go_default_library",
+        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "@go_googleapis//google/api:annotations_go_proto",
         "@grpc_ecosystem_grpc_gateway//protoc-gen-swagger/options:options_go_proto",
     ],
@@ -29,8 +30,8 @@ go_proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "//proto/beacon/p2p/v1:go_default_library",
-        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "//proto/sharding/p2p/v1:go_default_library",
+        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "@go_googleapis//google/api:annotations_go_proto",
         "@grpc_ecosystem_grpc_gateway//protoc-gen-swagger/options:options_go_proto",
     ],
@@ -52,8 +53,8 @@ proto_library(
     visibility = ["//visibility:public"],
     deps = [
         "//proto/beacon/p2p/v1:v1_proto",
-        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:proto",
         "//proto/sharding/p2p/v1:v1_proto",
+        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:proto",
         "@com_google_protobuf//:empty_proto",
         "@com_google_protobuf//:timestamp_proto",
         "@go_googleapis//google/api:annotations_proto",

proto/cluster/BUILD.bazel

@@ -1,3 +1,4 @@
+load("@rules_proto//proto:defs.bzl", "proto_library")
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
 load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")
 

proto/faucet/BUILD.bazel

@@ -3,9 +3,8 @@ load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")
 
 go_proto_library(
     name = "faucet_go_proto",
+    compiler = "//:grpc_proto_compiler",
     importpath = "github.com/prysmaticlabs/prysm/proto/faucet",
     proto = "@prysm_testnet_site//:faucet_proto",
-    compiler = "//:grpc_proto_compiler",
     visibility = ["//visibility:public"],
 )
-

proto/sharding/p2p/v1/BUILD.bazel

@@ -1,26 +1,28 @@
+load("@rules_proto//proto:defs.bzl", "proto_library")
+
 # gazelle:ignore
 load("@io_bazel_rules_go//go:def.bzl", "go_library")
 load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")
 
 go_proto_library(
     name = "v1_go_proto",
+    compiler = "//:proto_compiler",
     importpath = "github.com/prysmaticlabs/prysm/proto/sharding/p2p/v1",
-    proto = ":v1_proto", 
+    proto = ":v1_proto",
     visibility = ["//visibility:public"],
     deps = ["//proto/beacon/p2p/v1:go_default_library"],
-    compiler = "//:proto_compiler",
 )
 
 go_library(
     name = "go_default_library",
-    embed = [":v1_go_proto"], 
+    embed = [":v1_go_proto"],
     importpath = "github.com/prysmaticlabs/prysm/proto/sharding/p2p/v1",
     visibility = ["//visibility:public"],
 )
 
 proto_library(
-    name = "v1_proto", 
+    name = "v1_proto",
     srcs = ["messages.proto"],
-    deps = ["//proto/beacon/p2p/v1:v1_proto"], 
     visibility = ["//visibility:public"],
+    deps = ["//proto/beacon/p2p/v1:v1_proto"],
 )

proto/testing/BUILD.bazel

@@ -1,9 +1,10 @@
-# gazelle:ignore
-package(default_testonly = True)
-
+load("@rules_proto//proto:defs.bzl", "proto_library")
 load("@io_bazel_rules_go//go:def.bzl", "go_library", "go_test")
 load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")
 
+# gazelle:ignore
+package(default_testonly = True)
+
 proto_library(
     name = "testing_proto",
     srcs = ["test.proto"],
@@ -46,11 +47,11 @@ go_test(
     tags = ["spectest"],
     deps = [
         "//proto/beacon/p2p/v1:go_default_library",
-        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "//shared/bytesutil:go_default_library",
         "//shared/params/spectest:go_default_library",
         "//shared/testutil:go_default_library",
         "@com_github_ghodss_yaml//:go_default_library",
+        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "@com_github_prysmaticlabs_go_ssz//:go_default_library",
         "@com_github_prysmaticlabs_go_ssz//spectests:go_default_library",
         "@io_bazel_rules_go//go/tools/bazel:go_default_library",
@@ -75,11 +76,11 @@ go_test(
     ],
     deps = [
         "//proto/beacon/p2p/v1:go_default_library",
-        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "//shared/bytesutil:go_default_library",
         "//shared/params/spectest:go_default_library",
         "//shared/testutil:go_default_library",
         "@com_github_ghodss_yaml//:go_default_library",
+        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "@com_github_prysmaticlabs_go_ssz//:go_default_library",
         "@com_github_prysmaticlabs_go_ssz//spectests:go_default_library",
         "@io_bazel_rules_go//go/tools/bazel:go_default_library",
@@ -99,11 +100,11 @@ go_test(
     tags = ["spectest"],
     deps = [
         "//proto/beacon/p2p/v1:go_default_library",
-        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "//shared/bytesutil:go_default_library",
         "//shared/params/spectest:go_default_library",
         "//shared/testutil:go_default_library",
         "@com_github_ghodss_yaml//:go_default_library",
+        "@com_github_prysmaticlabs_ethereumapis//eth/v1alpha1:go_default_library",
         "@com_github_prysmaticlabs_go_ssz//:go_default_library",
         "@com_github_prysmaticlabs_go_ssz//spectests:go_default_library",
         "@io_bazel_rules_go//go/tools/bazel:go_default_library",

tools/BUILD.bazel

@@ -1,6 +1,61 @@
-package(default_visibility = ["//visibility:public"])
+load("@bazel_tools//tools/build_defs/pkg:pkg.bzl", "pkg_tar")
+load("@io_bazel_rules_docker//contrib:passwd.bzl", "passwd_entry", "passwd_file")
+load("@io_bazel_rules_docker//container:container.bzl", "container_image")
 
 alias(
     name = "kubesec",
     actual = "@com_github_shyiko_kubesec//:kubesec",
+    visibility = ["//visibility:public"],
+)
+
+################################################################################
+##                      Docker images as non-root user                        ##
+################################################################################
+
+# Create a passwd file with a root and nonroot user and uid.
+passwd_entry(
+    name = "root_user",
+    gid = 0,
+    uid = 0,
+    username = "root",
+)
+
+passwd_entry(
+    name = "nonroot_user",
+    info = "nonroot",
+    uid = 1001,
+    username = "nonroot",
+)
+
+passwd_file(
+    name = "passwd",
+    entries = [
+        ":root_user",
+        ":nonroot_user",
+    ],
+)
+
+# Create a tar file containing the created passwd file
+pkg_tar(
+    name = "passwd_tar",
+    srcs = [":passwd"],
+    mode = "0o644",
+    package_dir = "etc",
+)
+
+# Include it in our base image as a tar.
+container_image(
+    name = "cc_image",
+    base = "@cc_image_base//image",
+    tars = [":passwd_tar"],
+    user = "nonroot",
+    visibility = ["//visibility:public"],
+)
+
+container_image(
+    name = "go_image",
+    base = "@go_image_base//image",
+    tars = [":passwd_tar"],
+    user = "nonroot",
+    visibility = ["//visibility:public"],
 )

tools/bootnode/BUILD.bazel

@@ -33,6 +33,7 @@ go_library(
 go_image(
     name = "image",
     srcs = ["bootnode.go"],
+    base = "//tools:go_image",
     goarch = "amd64",
     goos = "linux",
     importpath = "github.com/prysmaticlabs/prysm/tools/bootnode",

tools/cluster-pk-manager/client/BUILD.bazel

@@ -27,7 +27,7 @@ go_binary(
 go_image(
     name = "image",
     srcs = ["main.go"],
-    base = "@cc_image_base//image",
+    base = "//tools:cc_image",
     goarch = "amd64",
     goos = "linux",
     importpath = "github.com/prysmaticlabs/prysm/tools/cluster-pk-manager/client",

tools/cluster-pk-manager/server/BUILD.bazel

@@ -73,7 +73,7 @@ go_image(
         "server.go",
         "watchtower.go",
     ],
-    base = "@cc_image_base//image",
+    base = "//tools:cc_image",
     goarch = "amd64",
     goos = "linux",
     importpath = "github.com/prysmaticlabs/prysm/tools/cluster-pk-manager/server",

tools/contract-addr/BUILD.bazel

@@ -20,6 +20,7 @@ go_binary(
 go_image(
     name = "image",
     srcs = ["main.go"],
+    base = "//tools:go_image",
     goarch = "amd64",
     goos = "linux",
     importpath = "github.com/prysmaticlabs/prysm/tools/contract-addr",

tools/enr-calculator/BUILD.bazel

@@ -27,6 +27,7 @@ go_binary(
 go_image(
     name = "image",
     srcs = ["main.go"],
+    base = "//tools:go_image",
     goarch = "amd64",
     goos = "linux",
     importpath = "github.com/prysmaticlabs/prysm/tools/enr-calculator",

tools/eth1exporter/BUILD.bazel

@@ -25,6 +25,7 @@ go_binary(
 go_image(
     name = "image",
     srcs = ["main.go"],
+    base = "//tools:go_image",
     goarch = "amd64",
     goos = "linux",
     importpath = "github.com/prysmaticlabs/prysm/tools/eth1exporter",

tools/faucet/BUILD.bazel

@@ -1,6 +1,5 @@
 # gazelle:ignore
 load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
-load("@io_bazel_rules_go//proto:def.bzl", "go_proto_library")
 load("@io_bazel_rules_docker//go:image.bzl", "go_image")
 load("@io_bazel_rules_docker//container:container.bzl", "container_bundle")
 load("@io_bazel_rules_docker//contrib:push-all.bzl", "docker_push")
@@ -45,6 +44,7 @@ go_binary(
 go_image(
     name = "image",
     srcs = SRCS,
+    base = "//tools:go_image",
     goarch = "amd64",
     goos = "linux",
     importpath = IMPORT_PATH,

tools/kubesec.bzl

@@ -1,28 +1,26 @@
 """TODO: Add doc here"""
 
-load("@k8s_secret//:defaults.bzl", "k8s_secret")
-
 def _k8s_encrypted_secret_impl(ctx):
-  ctx.actions.run_shell(
-    inputs = [ctx.file.template],
-    outputs = [ctx.outputs.out],
-    progress_message = "Decrypting %s" % ctx.file.template,
-    tools = [ctx.executable._kubesec],
-    command = "%s decrypt %s > %s" % (ctx.executable._kubesec.path, ctx.file.template.path, ctx.outputs.out.path)
-  )
+    ctx.actions.run_shell(
+        inputs = [ctx.file.template],
+        outputs = [ctx.outputs.out],
+        progress_message = "Decrypting %s" % ctx.file.template,
+        tools = [ctx.executable._kubesec],
+        command = "%s decrypt %s > %s" % (ctx.executable._kubesec.path, ctx.file.template.path, ctx.outputs.out.path),
+    )
 
 k8s_encrypted_secret = rule(
     implementation = _k8s_encrypted_secret_impl,
     attrs = {
-      "_kubesec": attr.label(
-        executable = True,
-        cfg = "host",
-        default = "//tools:kubesec",
-      ),
-      "template": attr.label(
-          allow_single_file = True, 
-          mandatory = True
-      ),
-      "out": attr.output(mandatory = True),
+        "_kubesec": attr.label(
+            executable = True,
+            cfg = "host",
+            default = "//tools:kubesec",
+        ),
+        "template": attr.label(
+            allow_single_file = True,
+            mandatory = True,
+        ),
+        "out": attr.output(mandatory = True),
     },
 )

tools/relaynode/BUILD.bazel

@@ -22,6 +22,7 @@ go_library(
 go_image(
     name = "image",
     srcs = ["relaynode.go"],
+    base = "//tools:go_image",
     goarch = "amd64",
     goos = "linux",
     importpath = "github.com/prysmaticlabs/prysm/tools/relaynode",

validator/BUILD.bazel

@@ -35,7 +35,7 @@ go_image(
         "main.go",
         "usage.go",
     ],
-    base = "@cc_image_base//image",
+    base = "//tools:cc_image",
     goarch = "amd64",
     goos = "linux",
     importpath = "github.com/prysmaticlabs/prysm/validator",