fix: Run platform images as non-root (#11750)

Co-authored-by: Cole Snodgrass <[email protected]>
Co-authored-by: Davin Chia <[email protected]>

.env

@@ -26,7 +26,7 @@ WORKSPACE_DOCKER_MOUNT=airbyte_workspace
 # be the same as *_ROOT.
 # Issue: https://github.com/airbytehq/airbyte/issues/578
 LOCAL_ROOT=/tmp/airbyte_local
-LOCAL_DOCKER_MOUNT=/tmp/airbyte_local
+LOCAL_DOCKER_MOUNT=oss_local_root
 # todo (cgardens) - hack to handle behavior change in docker compose. *_PARENT directories MUST
 # already exist on the host filesystem and MUST be parents of *_ROOT.
 # Issue: https://github.com/airbytehq/airbyte/issues/577
@@ -65,14 +65,14 @@ CONFIGS_DATABASE_MINIMUM_FLYWAY_MIGRATION_VERSION=0.40.23.002
 TEMPORAL_HOST=airbyte-temporal:7233
 INTERNAL_API_HOST=airbyte-server:8001
 INTERNAL_API_URL=http://airbyte-server:8001
-CONNECTOR_BUILDER_API_HOST=airbyte-connector-builder-server:80
+CONNECTOR_BUILDER_API_HOST=airbyte-connector-builder-server:8080
 WEBAPP_URL=http://localhost:8000/
 WORKLOAD_API_HOST=workload-api-server:8007
 WORKLOAD_API_URL=http://workload-api-server:8007
 # Although not present as an env var, required for webapp configuration.
 CONNECTOR_BUILDER_API_URL=/connector-builder-api
 AIRBYTE_API_HOST=airbyte-api-server:8006
-CONNECTOR_BUILDER_SERVER_API_HOST=http://airbyte-connector-builder-server:80
+CONNECTOR_BUILDER_SERVER_API_HOST=http://airbyte-connector-builder-server:8080
 # Replace with the commented-out line below to use a locally-run connector-builder-server
 # image, e.g. when developing the CDK's builder server command runner.
 # CONNECTOR_BUILDER_SERVER_API_HOST=http://host.docker.internal:80

airbyte-api-server/Dockerfile

@@ -1,12 +1,16 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE} AS server
 EXPOSE 8006 5005
 ENV APPLICATION airbyte-api-server
 ENV VERSION ${VERSION}
+
 WORKDIR /app
 
 # This is automatically unzipped by Docker
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # wait for upstream dependencies to become available before starting server
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/${APPLICATION}"]

airbyte-bootloader/Dockerfile

@@ -1,5 +1,11 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE}
+
 WORKDIR /app
+
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
+
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/airbyte-bootloader"]

airbyte-commons-worker/src/main/kotlin/io/airbyte/workers/sync/OrchestratorConstants.kt

@@ -80,6 +80,7 @@ object OrchestratorConstants {
           EnvVar.AWS_SECRET_ACCESS_KEY,
           EnvVar.DD_AGENT_HOST,
           EnvVar.DD_DOGSTATSD_PORT,
+          EnvVar.DOCKER_HOST,
           EnvVar.GOOGLE_APPLICATION_CREDENTIALS,
           EnvVar.JOB_DEFAULT_ENV_MAP,
           EnvVar.JOB_ISOLATED_KUBE_NODE_SELECTORS,

airbyte-commons/src/main/kotlin/io/airbyte/commons/envvar/EnvVar.kt

@@ -31,6 +31,7 @@ enum class EnvVar {
   DD_VERSION,
   DEPLOYMENT_ENV,
   DEPLOYMENT_MODE,
+  DOCKER_HOST,
   DOCKER_NETWORK,
 
   FEATURE_FLAG_CLIENT,

airbyte-config/init/Dockerfile

@@ -1,4 +1,4 @@
-ARG ALPINE_IMAGE=alpine:3.13
+ARG ALPINE_IMAGE=alpine:3.18
 FROM ${ALPINE_IMAGE} AS seed
 
 WORKDIR /app

airbyte-connector-builder-server/Dockerfile

@@ -1,5 +1,5 @@
-ARG BASE_IMAGE=airbyte/airbyte-base-java-python-image:1.1.0
-FROM ${BASE_IMAGE} AS connector-builder-server
+ARG JAVA_PYTHON_BASE_IMAGE_VERSION=2.1.0
+FROM airbyte/airbyte-base-java-python-image:${JAVA_PYTHON_BASE_IMAGE_VERSION} AS connector-builder-server
 
 # Set up CDK requirements
 ARG CDK_VERSION=0.73.0
@@ -18,7 +18,10 @@ ENV VERSION ${VERSION}
 WORKDIR /app
 
 # This is automatically unzipped by Docker
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # wait for upstream dependencies to become available before starting server
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/${APPLICATION}"]

airbyte-connector-builder-server/src/main/resources/application.yml

@@ -25,7 +25,7 @@ micronaut:
     authentication-provider-strategy: ALL
     enabled: ${API_AUTHORIZATION_ENABLED:false}
   server:
-    port: 80
+    port: 8080
     cors:
       enabled: true
     netty:

airbyte-connector-sidecar/Dockerfile

@@ -1,4 +1,5 @@
-FROM amazoncorretto:21 AS connector-sidecar
+ARG JAVA_WORKER_BASE_IMAGE_VERSION=2.1.0
+FROM airbyte/airbyte-base-java-worker-image:${JAVA_WORKER_BASE_IMAGE_VERSION}
 
 ARG DOCKER_BUILD_ARCH=amd64
 
@@ -8,12 +9,13 @@ ARG VERSION=dev
 ENV APPLICATION airbyte-connector-sidecar
 ENV VERSION=${VERSION}
 
-WORKDIR /app
-
+USER root
 COPY WellKnownTypes.json /app
 
 # Move connector-sidecar app
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # wait for upstream dependencies to become available before starting server
 ENTRYPOINT ["/bin/bash", "-c", "/app/airbyte-app/bin/${APPLICATION}"]

airbyte-container-orchestrator/Dockerfile

@@ -1,4 +1,5 @@
-FROM airbyte/airbyte-base-java-worker-image:2.0.1
+ARG JAVA_WORKER_BASE_IMAGE_VERSION=2.1.0
+FROM airbyte/airbyte-base-java-worker-image:${JAVA_WORKER_BASE_IMAGE_VERSION}
 
 # Don't change this manually.  Bump version expects to make moves based on this string
 ARG VERSION=dev
@@ -8,10 +9,13 @@ ENV VERSION=${VERSION}
 
 WORKDIR /app
 
+USER root
 COPY WellKnownTypes.json /app
 
 # Move orchestrator app
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # wait for upstream dependencies to become available before starting server
 ENTRYPOINT ["/bin/bash", "-c", "/app/airbyte-app/bin/${APPLICATION}"]

airbyte-cron/Dockerfile

@@ -1,5 +1,11 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE}
+
 WORKDIR /app
+
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
+
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/airbyte-cron"]

airbyte-keycloak-setup/Dockerfile

@@ -1,5 +1,11 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE} AS keycloak-setup
+
 WORKDIR /app
+
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
+
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/airbyte-keycloak-setup"]

airbyte-metrics/reporter/Dockerfile

@@ -1,5 +1,11 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE}
+
 WORKDIR /app
+
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
+
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/airbyte-metrics-reporter"]

airbyte-proxy/Dockerfile

@@ -10,9 +10,9 @@ ENV VERSION ${VERSION}
 RUN apt-get update -y && apt-get install -y apache2-utils && rm -rf /var/lib/apt/lists/*
 
 # This variable can be used to update the destination containers that Nginx proxies to.
-ENV PROXY_PASS_WEB "http://airbyte-webapp:80"
+ENV PROXY_PASS_WEB "http://airbyte-webapp:8080"
 ENV PROXY_PASS_API "http://airbyte-server:8001"
-ENV CONNECTOR_BUILDER_SERVER_API "http://airbyte-connector-builder-server:80"
+ENV CONNECTOR_BUILDER_SERVER_API "http://airbyte-connector-builder-server:8080"
 ENV PROXY_PASS_AIRBYTE_API_SERVER "http://airbyte-api-server:8006"
 
 # Nginx config file

airbyte-server/Dockerfile

@@ -1,4 +1,4 @@
-ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.0.1
+ARG JDK_IMAGE=airbyte/airbyte-base-java-image:3.1.0
 FROM ${JDK_IMAGE} AS server
 
 EXPOSE 8000 5005
@@ -11,7 +11,10 @@ ENV VERSION ${VERSION}
 WORKDIR /app
 
 # This is automatically unzipped by Docker
+USER root
 ADD airbyte-app.tar /app
+RUN chown -R airbyte:airbyte /app
+USER airbyte:airbyte
 
 # wait for upstream dependencies to become available before starting server
 ENTRYPOINT ["/bin/bash", "-c", "airbyte-app/bin/${APPLICATION}"]