add nonroot user to docker image (#6627)

* add nonroot docker image

* sign drone

* back to one image

* space

.dockerignore

@@ -6,3 +6,4 @@ web/ui/node_modules/
 web/ui/build/
 packaging/windows/LICENSE
 packaging/windows/agent-windows-amd64.exe
+cmd/grafana-agent/Dockerfile

Makefile

@@ -249,7 +249,7 @@ DOCKER_FLAGS += --platform=$(DOCKER_PLATFORM)
 endif
 
 .PHONY: images agent-image agentctl-image operator-image
-images: agent-image agentctl-image operator-image
+images: agent-image agentctl-image operator-image agent-boringcrypto-image
 
 agent-image:
 	DOCKER_BUILDKIT=1 docker build $(DOCKER_FLAGS) -t $(AGENT_IMAGE) -f cmd/grafana-agent/Dockerfile .

cmd/grafana-agent/Dockerfile

@@ -32,6 +32,10 @@ RUN --mount=type=cache,target=/root/.cache/go-build \
 
 FROM public.ecr.aws/ubuntu/ubuntu:mantic
 
+#Username and uid for grafana-agent user
+ARG UID=473
+ARG USERNAME="grafana-agent"
+
 LABEL org.opencontainers.image.source="https://github.com/grafana/agent"
 
 # Install dependencies needed at runtime.
@@ -44,6 +48,11 @@ EOF
 COPY --from=build /src/agent/build/grafana-agent /bin/grafana-agent
 COPY cmd/grafana-agent/agent-local-config.yaml /etc/agent/agent.yaml
 
+# Create grafana-agent user in container, but do not set it as default
+RUN groupadd --gid $UID $USERNAME
+RUN useradd -m -u $UID -g $UID $USERNAME
+RUN chown -R $USERNAME:$USERNAME /etc/agent
+RUN chown -R $USERNAME:$USERNAME /bin/grafana-agent
 
 ENTRYPOINT ["/bin/grafana-agent"]
 ENV AGENT_DEPLOY_MODE=docker

tools/ci/docker-containers

@@ -49,13 +49,11 @@ else
   BRANCH_TAG=$VERSION
 fi
 
-
 # Build all of our images.
 
 export BUILD_PLATFORMS=linux/amd64,linux/arm64,linux/ppc64le,linux/s390x
 export BUILD_PLATFORMS_BORINGCRYPTO=linux/amd64,linux/arm64
 
-
 case "$TARGET_CONTAINER" in
   agent)
     docker buildx build --push        \
@@ -80,8 +78,6 @@ case "$TARGET_CONTAINER" in
       .
     ;;
 
-
-
   agentctl)
     docker buildx build --push           \
       --platform $BUILD_PLATFORMS        \