Update Dockerfile to run with non-root user

Author: miriameid

.ci/Dockerfile

@@ -1,6 +1,22 @@
 ARG PYTHON_VERSION=3.8
 FROM python:${PYTHON_VERSION}
 
+# Default UID/GID to 1000
+# it can be overridden at build time
+ARG BUILDER_UID=1000
+ARG BUILDER_GID=1000
+ENV BUILDER_USER elastic
+ENV BUILDER_GROUP elastic
+
+# Create user
+RUN groupadd --system -g ${BUILDER_GID} ${BUILDER_GROUP} \
+    && useradd --system --shell /bin/bash -u ${BUILDER_UID} -g ${BUILDER_GROUP} -d /var/lib/elastic -m elastic 1>/dev/null 2>/dev/null \
+    && mkdir -p /code/elasticsearch-py && mkdir /code/elasticsearch-py/build \
+    && chown -R ${BUILDER_USER}:${BUILDER_GROUP} /code/elasticsearch-py
+
+COPY --chown=$BUILDER_USER:$BUILDER_GROUP . .
+
+USER ${BUILDER_USER}:${BUILDER_GROUP}
 WORKDIR /code/elasticsearch-py
 COPY dev-requirements.txt .
 RUN python -m pip install \

.ci/make.sh

@@ -115,6 +115,7 @@ esac
 echo -e "\033[34;1mINFO: building $product container\033[0m"
 
 docker build \
+  --build-arg BUILDER_UID="$(id -u)" \
   --file $repo/.ci/Dockerfile \
   --tag ${product} \
   .
@@ -129,6 +130,7 @@ if [[ "$CMD" == "assemble" ]]; then
 
   # Build dists into .ci/output
   docker run \
+     -u "$(id -u)" \
     --rm -v $repo/.ci/output:/code/elasticsearch-py/dist \
     $product \
     /bin/bash -c "python /code/elasticsearch-py/utils/build-dists.py $VERSION"