From 60a5c8b575dff58f0dbed386052fe27290bea216 Mon Sep 17 00:00:00 2001
From: Jay Rogers
Date: Sat, 5 Oct 2024 14:02:05 -0500
Subject: [PATCH] Testing dropping privileges

---
 src/Dockerfile           | 32 ++++++++++++++++++++++++--------
 src/rootfs/entrypoint.sh | 31 +++++++++++++++++++++++++++++++
 2 files changed, 55 insertions(+), 8 deletions(-)
 create mode 100644 src/rootfs/entrypoint.sh

diff --git a/src/Dockerfile b/src/Dockerfile
index a5caf3d..36d73cf 100644
--- a/src/Dockerfile
+++ b/src/Dockerfile
@@ -1,24 +1,40 @@
-# First stage to declare global ARGs
 ARG PYTHON_VERSION='3.12'
 ARG BASE_OS_VERSION='bullseye'
 
-# Main build stage
 FROM python:${PYTHON_VERSION}-${BASE_OS_VERSION}
 
-# Redeclare ARGs after FROM for this stage
 ARG ANSIBLE_VARIATION=''
 ARG ANSIBLE_VERSION=''
 ARG PACKAGE_DEPENDENCIES=''
 
+ENV DEBUG=false \
+    ANSIBLE_WORK_DIR=/ansible \
+    ANSIBLE_HOME=/etc/ansible
+
 COPY --chown=root:root --chmod=755 src/rootfs /
 
 # Install dependencies based on OS
 RUN /usr/bin/local/serversideup-dep-install-alpine ${PACKAGE_DEPENDENCIES} && \
-    /usr/bin/local/serversideup-dep-install-debian ${PACKAGE_DEPENDENCIES}
-
-# Install Ansible
-RUN echo "🤓 Installing ${ANSIBLE_VARIATION}==${ANSIBLE_VERSION}" && \
-    pip3 install --no-cache-dir ${ANSIBLE_VARIATION}==${ANSIBLE_VERSION} && \
+    /usr/bin/local/serversideup-dep-install-debian ${PACKAGE_DEPENDENCIES} && \
+    \
+    # Create default Ansible working directory
+    mkdir -p "${ANSIBLE_WORK_DIR}" && \
+    chmod 1777 "${ANSIBLE_WORK_DIR}" && \
+    \
+    # Create default default Ansible config directory and tmp directory
+    mkdir -p "${ANSIBLE_HOME}/tmp" && \
+    chmod 1777 "${ANSIBLE_HOME}" && \
+    chmod 1777 "${ANSIBLE_HOME}/tmp" && \
+    \
+    # Install Ansible
+    echo "🤓 Installing ${ANSIBLE_VARIATION}==${ANSIBLE_VERSION}" && \
+    pip3 install --no-cache-dir "${ANSIBLE_VARIATION}==${ANSIBLE_VERSION}" && \
+    \
+    # Verify Ansible installation
     ansible --version
 
+ENTRYPOINT ["/entrypoint.sh"]
+
+WORKDIR /ansible
+
 CMD ["ansible-playbook", "--version"]
\ No newline at end of file
diff --git a/src/rootfs/entrypoint.sh b/src/rootfs/entrypoint.sh
new file mode 100644
index 0000000..8c0478c
--- /dev/null
+++ b/src/rootfs/entrypoint.sh
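Review bot: `chmod 1777 "${ANSIBLE_WORK_DIR}"` makes the directory that `WORKDIR /ansible` later selects world-writable, and Ansible refuses to load an `ansible.cfg` from a world-writable current directory (it prints a warning and skips it), so a project config mounted into /ansible will be ignored; the same mode on `${ANSIBLE_HOME}` lets any uid inside the container plant a `hosts` or `ansible.cfg` that every other uid then reads. The sticky bit only stops other uids deleting files, it does not stop them adding ones. If the goal is to run under an arbitrary `--user`, keep both directories root-owned `0755` and have the entrypoint write its per-user state (the default inventory, for instance, exported via `ANSIBLE_INVENTORY`) under `$HOME` rather than into `/etc/ansible`. A comment on the `chmod 1777` lines stating why world-writable is acceptable here would be the minimum if the modes are kept.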
@@ -0,0 +1,31 @@
+#!/bin/sh
+set -e
+if [ "$DEBUG" = "true" ]; then
+    set -x
+fi
+
+USER_ID=$(id -u)
+GROUP_ID=$(id -g)
+
+debug_print() {
+    if [ "$DEBUG" = "true" ]; then
+        echo "$1"
+    fi
+}
+
+debug_print "Running as $USER_ID:$GROUP_ID..."
+
+if [ "$USER_ID" -ne 0 ]; then
+    debug_print "Preparing environment for $USER_ID:$GROUP_ID..."
+    HOME=/tmp/$USER_ID
+    mkdir -p "$HOME/.ssh"
+    chmod 700 "$HOME/.ssh"
+
+    export HOME
+    debug_print "HOME directory set to $HOME"
+fi
+
+# Set default inventory file
+echo -e '[local]\nlocalhost ansible_host=127.0.0.1' > "${ANSIBLE_HOME}/hosts"
+
+exec "$@"
\ No newline at end of file
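Review bot: `echo -e` under `#!/bin/sh` is not portable: on the Debian base image /bin/sh is dash, whose echo prints `-e` literally (and interprets backslashes regardless), so the inventory written is `-e [local]` followed by the host line rather than a valid group header. Use `printf '[local]\nlocalhost ansible_host=127.0.0.1\n' > "${ANSIBLE_HOME}/hosts"` instead. That write also unconditionally overwrites `${ANSIBLE_HOME}/hosts` on every start, clobbering an inventory a user has mounted there; guarding it with `[ -e "${ANSIBLE_HOME}/hosts" ] ||` keeps the default behaviour without the surprise. Separately, `HOME=/tmp/$USER_ID` is a predictable path in a shared directory and `mkdir -p` silently adopts a pre-existing `/tmp/<uid>` owned by someone else, so the SSH material would land inside a directory the process does not control; a `[ -O "$HOME" ]` check after the mkdir, failing under `set -e`, makes that condition explicit.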