for podman, make sure initial USER is 'root' in docker containers so …

…privilege dropping afterwards works consistently, idaholab#407

Dockerfiles/api.Dockerfile

@@ -39,6 +39,7 @@ ENV DEFAULT_GID $DEFAULT_GID
 ENV PUSER "yeflask"
 ENV PGROUP "yeflask"
 ENV PUSER_PRIV_DROP true
+USER root
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm

Dockerfiles/arkime.Dockerfile

@@ -27,6 +27,7 @@ ENV PGROUP "arkime"
 # a final check in docker_entrypoint.sh before startup
 ENV PUSER_PRIV_DROP false
 ENV PUSER_RLIMIT_UNLOCK true
+USER root
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm

Dockerfiles/dashboards-helper.Dockerfile

@@ -25,6 +25,7 @@ ENV PGROUP "helper"
 #   other implications. See containers/podman#23347.
 ENV PUSER_CHOWN "/data/init"
 ENV PUSER_PRIV_DROP true
+USER root
 
 ENV TERM xterm
 

Dockerfiles/dashboards.Dockerfile

@@ -18,6 +18,7 @@ ENV DEFAULT_GID $DEFAULT_GID
 ENV PUSER "opensearch-dashboards"
 ENV PGROUP "opensearch-dashboards"
 ENV PUSER_PRIV_DROP true
+USER root
 
 ENV TERM xterm
 

Dockerfiles/dirinit.Dockerfile

@@ -19,6 +19,7 @@ ENV DEFAULT_GID $DEFAULT_GID
 ENV PUSER "dirinit"
 ENV PGROUP "dirinit"
 ENV PUSER_PRIV_DROP true
+USER root
 
 ENV TERM xterm
 

Dockerfiles/file-monitor.Dockerfile

@@ -20,6 +20,7 @@ ENV PUSER "monitor"
 ENV PGROUP "monitor"
 ENV PUSER_PRIV_DROP true
 # see PUSER_CHOWN at the bottom of the file (after the other environment variables it references)
+USER root
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm

Dockerfiles/file-upload.Dockerfile

@@ -44,6 +44,7 @@ ENV PUSER_CHOWN "/var/www/upload/server/php/chroot/files"
 # be handled by supervisord instead on an as-needed basis, and/or php-fpm/nginx itself
 # will drop privileges to www-data as well.
 ENV PUSER_PRIV_DROP false
+USER root
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm

Dockerfiles/filebeat.Dockerfile

@@ -28,6 +28,7 @@ ENV PUSER_CHOWN "/usr/share/filebeat-logs/data;/usr/share/filebeat-nginx/data;/u
 # on a case-by-case basis so that one script (filebeat-watch-zeeklogs-uploads-folder.py)
 # can chown uploaded files
 ENV PUSER_PRIV_DROP false
+USER root
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm

Dockerfiles/freq.Dockerfile

@@ -19,6 +19,7 @@ ENV DEFAULT_GID $DEFAULT_GID
 ENV PUSER "freq"
 ENV PGROUP "freq"
 ENV PUSER_PRIV_DROP true
+USER root
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm

Dockerfiles/htadmin.Dockerfile

@@ -21,6 +21,7 @@ ENV PGROUP "www-data"
 # not dropping privileges globally so nginx can bind privileged ports internally.
 # nginx and php-fpm will drop privileges to "www-data" user for worker processes
 ENV PUSER_PRIV_DROP false
+USER root
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm

Dockerfiles/logstash.Dockerfile

@@ -25,6 +25,7 @@ ENV PUSER_RLIMIT_UNLOCK true
 #   This is to override that, although I'm not yet sure if there are
 #   other implications. See containers/podman#23347.
 ENV PUSER_CHOWN "/logstash-persistent-queue"
+USER root
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm

Dockerfiles/netbox.Dockerfile

@@ -25,6 +25,7 @@ ENV DEFAULT_GID $DEFAULT_GID
 ENV PUSER "ubuntu"
 ENV PGROUP "ubuntu"
 ENV PUSER_PRIV_DROP true
+USER root
 
 ENV SUPERCRONIC_VERSION "0.2.31"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"

Dockerfiles/nginx.Dockerfile

@@ -54,6 +54,7 @@ ENV PGROUP "nginx"
 # not dropping privileges globally so nginx and stunnel can bind privileged ports internally.
 # nginx itself will drop privileges to "nginx" user for worker processes
 ENV PUSER_PRIV_DROP false
+USER root
 
 ENV TERM xterm
 

Dockerfiles/opensearch.Dockerfile

@@ -27,6 +27,7 @@ ENV PUSER_RLIMIT_UNLOCK true
 #   This is to override that, although I'm not yet sure if there are
 #   other implications. See containers/podman#23347.
 ENV PUSER_CHOWN "/var/local/ca-trust"
+USER root
 
 ENV TERM xterm
 

Dockerfiles/pcap-capture.Dockerfile

@@ -26,6 +26,7 @@ ENV PGROUP "pcap"
 # a final check in supervisor.sh before startup
 ENV PUSER_PRIV_DROP false
 ENV PUSER_RLIMIT_UNLOCK true
+USER root
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm

Dockerfiles/pcap-monitor.Dockerfile

@@ -22,6 +22,7 @@ ENV PGROUP "watcher"
 # on a case-by-case basis so that one script (watch-pcap-uploads-folder.sh)
 # can chown uploaded files
 ENV PUSER_PRIV_DROP false
+USER root
 
 ENV DEBIAN_FRONTEND noninteractive
 ENV TERM xterm

Dockerfiles/postgresql.Dockerfile

@@ -20,6 +20,7 @@ ENV PUSER "postgres"
 ENV PGROUP "postgres"
 ENV PUSER_PRIV_DROP true
 ENV PUSER_CHOWN "/run/postgresql;/var/lib/postgresql"
+USER root
 
 ENV TERM xterm
 

Dockerfiles/redis.Dockerfile

@@ -19,6 +19,7 @@ ENV DEFAULT_GID $DEFAULT_GID
 ENV PUSER "redis"
 ENV PGROUP "redis"
 ENV PUSER_PRIV_DROP true
+USER root
 
 ENV TERM xterm
 

Dockerfiles/suricata.Dockerfile

@@ -33,6 +33,7 @@ ENV PGROUP "suricata"
 ENV PUSER_PRIV_DROP false
 ENV PUSER_RLIMIT_UNLOCK true
 # see PUSER_CHOWN at the bottom of the file (after the other environment variables it references)
+USER root
 
 ENV SUPERCRONIC_VERSION "0.2.31"
 ENV SUPERCRONIC_URL "https://github.com/aptible/supercronic/releases/download/v$SUPERCRONIC_VERSION/supercronic-linux-"
@@ -210,7 +211,6 @@ ENTRYPOINT ["/usr/bin/tini", \
 
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"]
 
-
 # to be populated at build-time:
 ARG BUILD_DATE
 ARG MALCOLM_VERSION

Dockerfiles/zeek.Dockerfile

@@ -31,6 +31,7 @@ ENV PGROUP "zeeker"
 # docker-uid-gid-setup.sh will cause them to be lost, so we need
 # a final check in docker_entrypoint.sh before startup
 ENV PUSER_PRIV_DROP false
+USER root
 # see PUSER_CHOWN at the bottom of the file (after the other environment variables it references)
 
 # for download and install
@@ -300,6 +301,7 @@ ENTRYPOINT ["/usr/bin/tini", \
 
 CMD ["/usr/bin/supervisord", "-c", "/etc/supervisord.conf", "-n"]
 
+USER root
 
 # to be populated at build-time:
 ARG BUILD_DATE