Conversation

@dotconfig404 (Contributor)

Features and changes

Rootless

The intent of this PR is to enable running openvox-server rootlessly. In this setup it does that by default, but that can be adjusted via "docker run --user 0" for example, then it should run as usual. The puppet server itself always runs as puppet in the current setup, regardless of this PR.

If running rootless by default is not a desired behaviour change, for example due to certain directory paths being different (see below), we could also consider removing the USER directive, as this image can then simply be wrapped like this:

FROM openvox-server
USER puppet

Rootless default directories are different

One thing to keep in mind is that when running as a non-root user we have different default directories.

For example puppet.conf does not live in /etc/puppetlabs/puppet/puppet.conf. As this is officially documented behaviour I don't see a need to try to change this, but it should be pointed out.

Permission management change

Another big change is the move of 30-set-permissions.sh from runtime to build-time.
The functionality of the script is to chown puppet related directories to the puppet user and group recursively:

chown -R puppet:puppet /var/log/puppetlabs/puppetserver/
chown -R puppet:puppet /etc/puppetlabs/puppet/
chown -R puppet:puppet /opt/puppetlabs/server/data/puppetserver/
chown -R puppet:puppet /etc/puppetlabs/puppetserver/

The script could be re-added to run-time execution, but for nonroot to work, we need to include it at build-time anyway.

Currently this would remove the functionality of automatically changing ownership of certain directories, in case they are mounted and don't have the container's puppet UID/GID. In my opinion it shouldn't be an issue, but it should be mentioned.

About the need to include it at build-time:

  1. If run at run-time and the directories don't already belong to the puppet user/group, the container will fail, because non-root users lack the CAP_CHOWN capability by default.
  2. /var/log/puppetlabs/puppetserver is owned by puppet by default in package installations and enables us to log.
  3. /opt/puppetlabs/server/data/puppetserver is puppets default home directory, so this is also needed.
  4. Owning /etc/puppetlabs/puppetserver might not fully be necessary, but as of now files in ./conf.d/ as well as ./services.d/ca.cfg are potentially edited at run-time, which requires us to have at least write access to those, as well as the minimum read access. The CA directory ./ca/ is fully owned by puppet by default.

Other small changes and future idea

I also refactored some of the scripts in order to make them more robust (avoiding hardcoded paths was needed for this to work) and moved some version arguments to the global scope, as the LABEL directive was not able to access one of them.

Ideally we could run images with arbitrary UIDs in the future, but I'm not sure if this is possible at the moment, due to limitations in puppetserver (not fully respecting manage_internal_permissions = false among other 'quirks').
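The PR description above explains why `chown -R` cannot run at container start-up in a rootless setup (no CAP_CHOWN) and why ownership is fixed at build time instead. The following is an added example, not code from the PR or from the openvox-server project: a small runtime preflight that replaces the start-up chown with a check. It verifies that each directory the server needs exists, is owned by the user the container runs as, and is writable, and it reports every directory that fails so a mis-mounted volume is caught before puppetserver crashes on EACCES. The directory list is taken from the PR's 30-set-permissions.sh; the `check_dir`, `preflight` and `main` functions and the `PREFLIGHT_RUN` variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not part of the PR): runtime preflight for a rootless
# container. Instead of `chown -R puppet:puppet ...` at start-up, which
# fails without CAP_CHOWN, it checks that every directory the server needs
# exists and is owned by and writable for the current (non-root) user.
# Ownership itself has to be fixed at build time or on the mounted volume.

# Directories the PR's 30-set-permissions.sh chowns at build time.
PUPPET_DIRS="/var/log/puppetlabs/puppetserver /etc/puppetlabs/puppet /opt/puppetlabs/server/data/puppetserver /etc/puppetlabs/puppetserver"

# check_dir DIR: prints a reason and returns 1 if DIR is unusable, else 0.
# `-O` (owned by the effective uid) is supported by bash and dash.
check_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "missing: $dir"
        return 1
    fi
    if [ ! -O "$dir" ]; then
        echo "not owned by uid $(id -u): $dir"
        return 1
    fi
    if [ ! -w "$dir" ]; then
        echo "not writable: $dir"
        return 1
    fi
    return 0
}

# preflight DIR...: returns 0 when every directory passes, 1 otherwise.
# All failures are reported, not only the first one.
preflight() {
    status=0
    for d in "$@"; do
        check_dir "$d" || status=1
    done
    return $status
}

# Entrypoint helper: fail early with a clear message instead of letting
# puppetserver hit a permission error later.
main() {
    if preflight $PUPPET_DIRS; then
        echo "preflight ok: running as uid $(id -u)"
    else
        echo "preflight failed: fix ownership at build time or on the mounted volume" >&2
        return 1
    fi
}

# Only run main when explicitly asked, so the functions can also be sourced.
if [ "${PREFLIGHT_RUN:-0}" = 1 ]; then
    main
fi
```

Run it inside the container with `PREFLIGHT_RUN=1 sh preflight.sh` from an entrypoint step; a non-zero exit means at least one of the four directories is not usable by the current uid. On a mounted CA or config volume this is the case the PR description calls out, where the volume does not carry the container's puppet UID/GID, and the fix belongs on the host side or in the image build rather than in a runtime chown.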

@lbetz (Contributor) commented Oct 31, 2025

Please, could you sign your PR?

@dotconfig404 (Contributor, Author)

ah yes, I will, just gotta check how :)

@dotconfig404 dotconfig404 force-pushed the main branch 2 times, most recently from fb70d2d to 13c499c on October 31, 2025 11:37

@dotconfig404 (Contributor, Author)

done

@dotconfig404 (Contributor, Author)

I must've been tired when making this PR, I noticed that I moved the cadir variable to the non-CA branch. That was not my intention, also the explanation I gave with setting the cadir explicitly is a bit unclear, I'll fix this tomorrow and break it down more clearly.
Also, the init nonroot entrypoint script is perhaps best done at build time as well, at least the dir initialisation, otherwise when regularly mounting a CA dir it will fail.

I'll report back once it's done with the tests I executed

@dotconfig404 (Contributor, Author) commented Nov 4, 2025

OK, that should be it - the comments in 10-sync-nonroot-config.sh make it more clear hopefully. Previously I set the cadir like

cadir=$(puppet config print cadir)
puppet config set cadir $cadir

(see the script's comments for a more detailed explanation) but maybe it's better to use the default path of puppetserver ca and fix the cadir to ~/.puppetserver/etc/puppetserver/ca, which is what the script is doing now.

I would consider the default of the puppet CLI a bug, as the docs already mention setting code and conf dir in puppetserver.conf to be the same as puppet.conf in order to prevent mismatches, but it's not enough.

@dotconfig404 (Contributor, Author)

Tested the image for properly importing CA files as nonroot:
docker run --name openvox-test -h puppet --dns-search=. -v ./volumes/ca:/opt/puppetlabs/server/data/puppetserver/.puppetlabs/etc/puppetserver/ca openvox-test
as well as root:
docker run --name openvox-test -h puppet --dns-search=. -v ./volumes/ca:/opt/puppetlabs/server/data/puppetserver/.puppetlabs/etc/puppetserver/ca --user 0 openvox-test
as well as with fresh CA dirs and subsequent exec'ing into the containers and making sure the puppetserver CA cli works as expected.
