From 7cc2bee4cfb4fb56b271924f19b0f57f00458953 Mon Sep 17 00:00:00 2001 From: Roger Coll Date: Fri, 8 Nov 2024 11:32:33 +0100 Subject: [PATCH] fix root group container permissions (#36170) #### Description Sets a specific GID for the build container's image. #### Link to tracking issue https://github.com/open-telemetry/opentelemetry-collector-contrib/issues/35179 #### Testing (Manual) ``` $ make docker-otelcontribcol // create a sample config.yaml file $ docker run -v .:/etc/otel/ otelcontribcol $ ps -o user,group,pid,comm -ax | rg otelcontribcol 10001 10001 1903287 otelcontribcol ``` Without the changes: ``` $ ps -o user,group,pid,comm -ax | rg otelcontribcol root root 1940536 otelcontribcol ``` #### Documentation --- .../fix_group_container_permissions.yaml | 27 +++++++++++++++++++ cmd/otelcontribcol/Dockerfile | 3 ++- cmd/telemetrygen/Dockerfile | 3 ++- 3 files changed, 31 insertions(+), 2 deletions(-) create mode 100644 .chloggen/fix_group_container_permissions.yaml
diff --git a/.chloggen/fix_group_container_permissions.yaml b/.chloggen/fix_group_container_permissions.yaml
new file mode 100644
index 000000000000..965b8af17649
--- /dev/null
+++ b/.chloggen/fix_group_container_permissions.yaml
@@ -0,0 +1,27 @@
+# Use this changelog template to create an entry for release notes.
+
+# One of 'breaking', 'deprecation', 'new_component', 'enhancement', 'bug_fix'
+change_type: 'enhancement'
+
+# The name of the component, or a single word describing the area of concern, (e.g. filelogreceiver)
+component: container
+
+# A brief description of the change. Surround your text with quotes ("") if it needs to start with a backtick (`).
+note: Set non root group permissions for container image
+
+# Mandatory: One or more tracking issues related to the change. You can use the PR number here if no issue exists.
+issues: [35179]
+
+# (Optional) One or more lines of additional information to render under the primary note.
+# These lines will be padded with 2 spaces and then inserted directly into the document.
+# Use pipe (|) for multiline entries.
+subtext:
+
+# If your change doesn't affect end users or the exported elements of any package,
+# you should instead start your pull request title with [chore] or use the "Skip Changelog" label.
+# Optional: The change log or logs in which this entry should be included.
+# e.g. '[user]' or '[user, api]'
+# Include 'user' if the change is relevant to end users.
+# Include 'api' if there is a change to a library API.
+# Default: '[user]'
+change_logs: []
diff --git a/cmd/otelcontribcol/Dockerfile b/cmd/otelcontribcol/Dockerfile
index bb8ef9835707..3c2cd1d372a8 100644
--- a/cmd/otelcontribcol/Dockerfile
+++ b/cmd/otelcontribcol/Dockerfile
@@ -4,7 +4,8 @@ RUN apk --update add ca-certificates
 FROM scratch
 ARG USER_UID=10001
-USER ${USER_UID}
+ARG USER_GID=10001
+USER ${USER_UID}:${USER_GID}
 COPY --from=prep /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ca-certificates.crt
 COPY otelcontribcol /
diff --git a/cmd/telemetrygen/Dockerfile b/cmd/telemetrygen/Dockerfile
index ba1d577e41b4..9704d8f5da63 100644
--- a/cmd/telemetrygen/Dockerfile
+++ b/cmd/telemetrygen/Dockerfile
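Review bot: The new `USER ${USER_UID}:${USER_GID}` line in cmd/otelcontribcol/Dockerfile carries no comment explaining why the group has to be spelled out, and the hunk's `FROM scratch` context shows the image has no /etc/passwd or /etc/group from which a primary group could be resolved, so a later cleanup could drop the `:${USER_GID}` suffix and quietly restore the root-group process the PR description observed. Suggest a comment above the two ARG lines: `# scratch has no /etc/group: without an explicit GID the process would run with the root group (GID 0)`. The same point applies to the identical hunk in cmd/telemetrygen/Dockerfile. It may also be worth noting in that comment that both values are build-time overridable via --build-arg, so the non-zero GID is a default rather than a guarantee.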
@@ -4,7 +4,8 @@ RUN apk --update add ca-certificates
 FROM scratch
 ARG USER_UID=10001
-USER ${USER_UID}
+ARG USER_GID=10001
+USER ${USER_UID}:${USER_GID}
 ARG TARGETOS
 ARG TARGETARCH