Reference the numerical UID for the Docker images to run as.

Makefile

@@ -23,6 +23,7 @@ endif
 
 PKG             := github.com/oracle/mysql-operator
 REGISTRY        := iad.ocir.io
+IMAGE_PREFIX    ?= $(REGISTRY)/$(TENANT)
 SRC_DIRS        := cmd pkg test/examples
 CMD_DIRECTORIES := $(sort $(dir $(wildcard ./cmd/*/)))
 COMMANDS        := $(CMD_DIRECTORIES:./cmd/%/=%)
@@ -33,15 +34,13 @@ UNAME_S := $(shell uname -s)
 
 ifeq ($(UNAME_S),Darwin)
 	# Cross-compiling from OSX to linux, go install puts the binaries in $GOPATH/bin/$GOOS_$GOARCH
-    BINARIES := $(addprefix $(GOPATH)/bin/$(OS)_$(ARCH)/,$(COMMANDS))
-else
-ifeq ($(UNAME_S),Linux)
+	BINARIES := $(addprefix $(GOPATH)/bin/$(OS)_$(ARCH)/,$(COMMANDS))
+else ifeq ($(UNAME_S),Linux)
 	# Compiling on linux for linux, go install puts the binaries in $GOPATH/bin
-    BINARIES := $(addprefix $(GOPATH)/bin/,$(COMMANDS))
+	BINARIES := $(addprefix $(GOPATH)/bin/,$(COMMANDS))
 else
 	$(error "Unsupported OS: $(UNAME_S)")
 endif
-endif
 
 .PHONY: all
 all: build
@@ -71,17 +70,27 @@ build: dist build-dirs Makefile
 	cp $(BINARIES) ./bin/$(OS)_$(ARCH)/
 
 .PHONY: build-docker
-build-docker:
+build-docker: build-docker-mysql-operator build-docker-mysql-agent
+
+.PHONY: build-docker-mysql-operator
+build-docker-mysql-operator:
 	@docker build \
 	--build-arg=http_proxy \
 	--build-arg=https_proxy \
-	-t $(REGISTRY)/$(TENANT)/mysql-operator:$(VERSION) \
+	-t $(IMAGE_PREFIX)/mysql-operator:$(VERSION) \
 	-f docker/mysql-operator/Dockerfile .
 
+.PHONY: build-docker-mysql-agent
+build-docker-mysql-agent:
+	# Retrieve the UID for the mysql user, passed in when building the mysql-agent image
+	$(eval MYSQL_AGENT_IMAGE := $(shell sed -n 's/^FROM \(.*\)/\1/p' docker/mysql-agent/Dockerfile))
+	$(eval MYSQL_UID=$(shell docker run --rm --entrypoint id ${MYSQL_AGENT_IMAGE} -u mysql))
+
 	@docker build \
 	--build-arg=http_proxy \
 	--build-arg=https_proxy \
-	-t $(REGISTRY)/$(TENANT)/mysql-agent:$(VERSION) \
+	--build-arg=MYSQL_USER=${MYSQL_UID} \
+	-t $(IMAGE_PREFIX)/mysql-agent:$(VERSION) \
 	-f docker/mysql-agent/Dockerfile .
 
 # Note: Only used for development, i.e. in CI the images are pushed using Wercker.

docker/mysql-agent/Dockerfile

@@ -2,6 +2,8 @@ FROM mysql/mysql-server:8.0.12
 
 COPY bin/linux_amd64/mysql-agent /
 
-USER mysql
+# Set default value for 'MYSQL_USER', which is overridden with the UID at build time
+ARG MYSQL_USER=mysql
+USER ${MYSQL_USER}
 
 ENTRYPOINT ["/mysql-agent"]

docker/mysql-operator/Dockerfile

@@ -2,4 +2,8 @@ FROM oraclelinux:7.3
 
 COPY bin/linux_amd64/mysql-operator /
 
+# Add a non-root user and reference the UID
+RUN adduser -rU -u 1000 mysql-operator
+USER 1000
+
 ENTRYPOINT ["/mysql-operator"]

wercker.yml

@@ -19,9 +19,7 @@ build:
     - script:
       name: copy build artifacts
       code: |
-        mkdir -p ${WERCKER_OUTPUT_DIR}/bin
-        cp -R /go/bin/mysql-agent ${WERCKER_OUTPUT_DIR}/bin/
-        cp -R /go/bin/mysql-operator ${WERCKER_OUTPUT_DIR}/bin/
+        cp -R bin ${WERCKER_OUTPUT_DIR}/
         cp -R dist ${WERCKER_OUTPUT_DIR}/
 
     - script:
@@ -35,106 +33,96 @@ build:
         cp -R hack ${WERCKER_OUTPUT_DIR}/
         cp -R mysql-operator ${WERCKER_OUTPUT_DIR}/
         cp -R .git ${WERCKER_OUTPUT_DIR}/
+        cp -R docker ${WERCKER_OUTPUT_DIR}/
 
 push-operator-image:
-  box:
-    id: oraclelinux:7.3
   steps:
-    - script:
-      name: set environment variables
-      code: |
-        export VERSION=$(cat dist/version.txt)
-        echo "Pushing operator version ${VERSION}"
+    - internal/docker-build:
+      dockerfile: docker/mysql-operator/Dockerfile
+      image-name: wercker-build-mysql-operator
 
     - script:
-      name: prepare
+      name: Set environment variables
       code: |
-        mv bin/mysql-operator /mysql-operator
-        chmod +x /mysql-operator
+        export VERSION=$(cat dist/version.txt)
+        echo "Pushing mysql-operator version ${VERSION}"
 
     - internal/docker-push:
+      image-name: wercker-build-mysql-operator
       registry: https://iad.ocir.io/v2
       repository: iad.ocir.io/oracle/mysql-operator
       tag: $VERSION
-      entrypoint: /mysql-operator
       username: $OCIRUSERNAME
       password: $OCIRPASSWORD
 
     - internal/docker-push:
+      image-name: wercker-build-mysql-operator
       registry: https://lhr.ocir.io/v2
       repository: lhr.ocir.io/oracle/mysql-operator
       tag: $VERSION
-      entrypoint: /mysql-operator
       username: $OCIRUSERNAME
       password: $OCIRPASSWORD
 
     - internal/docker-push:
+      image-name: wercker-build-mysql-operator
       registry: https://phx.ocir.io/v2
       repository: phx.ocir.io/oracle/mysql-operator
       tag: $VERSION
-      entrypoint: /mysql-operator
       username: $OCIRUSERNAME
       password: $OCIRPASSWORD
 
     - internal/docker-push:
+      image-name: wercker-build-mysql-operator
       registry: https://fra.ocir.io/v2
       repository: fra.ocir.io/oracle/mysql-operator
       tag: $VERSION
-      entrypoint: /mysql-operator
       username: $OCIRUSERNAME
       password: $OCIRPASSWORD
 
 push-agent-image:
-  box:
-    id: mysql/mysql-server:8.0.11
   steps:
-    - script:
-      name: set environment variables
-      code: |
-        export VERSION=$(cat dist/version.txt)
-        echo "Pushing agent version ${VERSION}"
+    - internal/docker-build:
+      dockerfile: docker/mysql-agent/Dockerfile
+      image-name: wercker-build-mysql-agent
+      build-args: "MYSQL_USER=27"
 
     - script:
-      name: prepare
+      name: Set environment variables
       code: |
-        mv bin/mysql-agent /mysql-agent
-        chmod +x /mysql-agent
+        export VERSION=$(cat dist/version.txt)
+        echo "Pushing mysql-agent version ${VERSION}"
 
     - internal/docker-push:
+      image-name: wercker-build-mysql-agent
       registry: https://iad.ocir.io/v2
       username: $OCIRUSERNAME
       password: $OCIRPASSWORD
       repository: iad.ocir.io/oracle/mysql-agent
       tag: $VERSION
-      entrypoint: /mysql-agent
-      user: mysql
 
     - internal/docker-push:
+      image-name: wercker-build-mysql-agent
       registry: https://lhr.ocir.io/v2
       username: $OCIRUSERNAME
       password: $OCIRPASSWORD
       repository: lhr.ocir.io/oracle/mysql-agent
       tag: $VERSION
-      entrypoint: /mysql-agent
-      user: mysql
 
     - internal/docker-push:
+      image-name: wercker-build-mysql-agent
       registry: https://phx.ocir.io/v2
       username: $OCIRUSERNAME
       password: $OCIRPASSWORD
       repository: phx.ocir.io/oracle/mysql-agent
       tag: $VERSION
-      entrypoint: /mysql-agent
-      user: mysql
 
     - internal/docker-push:
+      image-name: wercker-build-mysql-agent
       registry: https://fra.ocir.io/v2
       username: $OCIRUSERNAME
       password: $OCIRPASSWORD
       repository: fra.ocir.io/oracle/mysql-agent
       tag: $VERSION
-      entrypoint: /mysql-agent
-      user: mysql
 
 e2e-test:
   base-path: "/go/src/github.com/oracle/mysql-operator"