fix(docker): add `gosu` and remove unsupported flag in `adduser` (#8808)

* fix(docker): typo and uknown option in debian

* fix(docker): use `gosu` for rootless execution

Some of our entrypoint commands requires creating directories and files in places a non-privileged user can't access.

So we use `gosu` to step down from `root` to a non-privileged user during container startup, right at our application execution.

docker/Dockerfile

@@ -187,24 +187,29 @@ RUN apt-get update && \
     apt-get install -y --no-install-recommends \
     ca-certificates \
     curl \
-    rocksdb-tools
+    rocksdb-tools \
+    gosu \
+    && \
+    rm -rf /var/lib/apt/lists/* /tmp/*
 
 # Create a non-privileged user that the app will run under.
 # Running as root inside the container is running as root in the Docker host
 # If an attacker manages to break out of the container, they will have root access to the host
 # See https://docs.docker.com/go/dockerfile-user-best-practices/
 ARG USER=zebra
+ENV USER=${USER}
 ARG UID=10001
+ENV UID=${UID}
 ARG GID=10001
+ENV GID=${GID}
 
 RUN addgroup --system --gid ${GID} ${USER} \
     && adduser \
-    --no-log-init \
     --system \
     --disabled-login \
     --shell /bin/bash \
     --uid "${UID}" \
-    --gid "{GID}" \
+    --gid "${GID}" \
     ${USER}
 
 # Config settings for zebrad
@@ -218,8 +223,6 @@ ENV ZEBRA_CONF_FILE=${ZEBRA_CONF_FILE:-zebrad.toml}
 COPY --from=release /opt/zebrad/target/release/zebrad /usr/local/bin
 COPY --from=release /entrypoint.sh /
 
-USER ${USER}
-
 # Expose configured ports
 EXPOSE 8233 18233
 

docker/entrypoint.sh

@@ -357,11 +357,11 @@ case "$1" in
         exec cargo test --locked --release --features "zebra-test" --package zebra-scan -- --nocapture --include-ignored scan_task_commands
 
       else
-          exec "$@"
+          exec gosu "$USER" "$@"
       fi
     fi
     ;;
   *)
-    exec "$@"
+    exec gosu "$USER" "$@"
     ;;
 esac