chore: add folder for non-root user, virt-operator sysctl

Signed-off-by: Nikita Korolev <[email protected]>

images/virt-artifact/werf.inc.yaml

@@ -1,27 +1,27 @@
 ---
 # Source https://github.com/kubevirt/kubevirt/blob/v1.3.1/hack/dockerized#L15
-{{- $builderImage := "quay.io/kubevirt/builder:2408151859-735f25dde" }}
+# {{- $builderImage := "quay.io/kubevirt/builder:2408151859-735f25dde" }}
 {{- $version := "1.3.1" }}
-{{- $goVersion := "1.22.7" }}
+# {{- $goVersion := "1.22.7" }}
 
 # Update Go version in builder to prevent CVEs in kubevirt components.
-image: {{ $.ImageName }}-builder
-final: false
-from: {{ $builderImage }}
-shell:
-  install:
-  - export GIMME_GO_VERSION={{ $goVersion }}
-  - |
-    rm -rf /gimme && \
-    mkdir -p /gimme && curl -sL \
-      https://raw.githubusercontent.com/travis-ci/gimme/master/gimme | \
-    HOME=/gimme bash > /etc/profile.d/gimme.sh
-  - export PATH=`echo $PATH | tr ":" "\n" | grep -v "go" | tr "\n" ":"`
-  - source /etc/profile.d/gimme.sh && go version
-docker:
-  ENV:
-    GIMME_GO_VERSION: "{{ $goVersion }}"
----
+# image: {{ $.ImageName }}-builder
+# final: false
+# from: {{ $builderImage }}
+# shell:
+#   install:
+#   - export GIMME_GO_VERSION={{ $goVersion }}
+#   - |
+#     rm -rf /gimme && \
+#     mkdir -p /gimme && curl -sL \
+#       https://raw.githubusercontent.com/travis-ci/gimme/master/gimme | \
+#     HOME=/gimme bash > /etc/profile.d/gimme.sh
+#   - export PATH=`echo $PATH | tr ":" "\n" | grep -v "go" | tr "\n" ":"`
+#   - source /etc/profile.d/gimme.sh && go version
+# docker:
+#   ENV:
+#     GIMME_GO_VERSION: "{{ $goVersion }}"
+# ---
 image: {{ $.ImageName }}
 final: false
 fromImage: base-alt-p11
@@ -119,13 +119,13 @@ shell:
     - echo ============== Build virt-chroot ======================
     - go build -o /kubevirt-binaries/virt-chroot ./cmd/virt-chroot/
 
-    - echo ============== Build virt-exportproxy ================
+    - echo ============== Build virt-exportproxy =================
     - go build -o /kubevirt-binaries/virt-exportproxy ./cmd/virt-exportproxy/
 
     - echo ============== Build virt-exportserver ================
     - go build -o /kubevirt-binaries/virt-exportserver ./cmd/virt-exportserver/
 
-    - echo ============== Build virt-controller ====================
+    - echo ============== Build virt-controller ==================
     - go build -o /kubevirt-binaries/virt-controller ./cmd/virt-controller/
 
     - echo ============== Build virt-operator ====================

images/virt-handler/werf.inc.yaml

@@ -7,6 +7,7 @@ shell:
   - |
     apt-get update && apt-get install --yes \
     acl \
+    systemd-sysctl-common \
     nftables \
     qemu-img==9.0.2-alt2 \
     xorriso==1.5.6-alt1

images/virt-operator/werf.inc.yaml

@@ -2,6 +2,17 @@
 image: {{ $.ImageName }}
 from: {{ .Images.DISTROLESS_ALT_P11 }}
 import:
+- image: base-alt-p11
+  add: /home
+  to: /home
+  includePaths:
+  - nonroot-user
+  excludePaths:
+  - nonroot-user/.c*
+  - nonroot-user/.x*
+  - nonroot-user/.ssh
+  - nonroot-user/.l*
+  before: setup
 - image: virt-artifact
   add: /kubevirt-binaries/
   to: /usr/bin
@@ -22,3 +33,11 @@ import:
 docker:
   ENTRYPOINT: ["/usr/bin/virt-operator"]
   USER: 1001
+---
+image: {{ $.ImageName }}-dir-creator
+final: false
+fromImage: base-alt-p11
+shell:
+  beforeSetup:
+    - |
+      groupadd --gid 1001 nonroot-user && useradd nonroot-user --uid 1001 --gid 1001 --shell /bin/bash --create-home