Using Maven plugin build, unable to create a bwce docker container as nonroot user #717

Open
nagamed opened this issue Dec 19, 2023 · 1 comment


nagamed commented Dec 19, 2023

Maven Plugin version: bw6-maven-plugin 2.9.5

Maven version: 3.9.5

Product : TIBCO Businessworks Container edition

Product version: BWCE 2.8.3

Component: Either of Maven Eclipse Plugin or Maven build plugin

Steps to reproduce the issue:

  1. Build the base image, changing the user to bwce so that it runs as a non-root user.

```Dockerfile
FROM eclipse-temurin:11-jre-alpine
LABEL maintainer="TIBCO Software Inc."
ADD . /
RUN chmod 755 /scripts/*.sh && apk update && apk add unzip openssh net-tools 
RUN apk add --no-cache bash
# Create a non-root group and user
RUN addgroup -S bwcegroup && adduser -S bwce -G bwcegroup
RUN unzip -qq /resources/bwce-runtime/bwce*.zip -d /tmp && rm -rf /resources/bwce-runtime/bwce*.zip 2> /dev/null
# Make the necessary directories writable by the 'bwce' user
RUN chown -R bwce:bwcegroup /tmp /resources
USER bwce
ENTRYPOINT ["/scripts/start.sh"]
```
  2. Use this base image in the docker-dev.properties file and run the Maven build.

```sh
mvn -X -f bwcetestproject.parent/pom.xml clean package initialize docker:build
```

As part of this build, it creates an ear file bwcetestproject-1.0.0-SNAPSHOT.ear and copies it to the / directory of the image.

  3. When the application container is created, I could see the permissions of the ear file as root user.

```
/ $ ls -lrt
total 116
drwxr-xr-x    1 root     root          4096 Nov 30 09:32 var
drwxr-xr-x    2 root     root          4096 Nov 30 09:32 srv
drwxr-xr-x    2 root     root          4096 Nov 30 09:32 run
drwx------    2 root     root          4096 Nov 30 09:32 root
drwxr-xr-x    2 root     root          4096 Nov 30 09:32 mnt
drwxr-xr-x    5 root     root          4096 Nov 30 09:32 media
drwxr-xr-x    1 root     root          4096 Nov 30 09:32 lib
drwxr-xr-x    1 root     root          4096 Dec  1 07:11 usr
-rwxrwxr-x    1 root     root          1182 Dec  1 07:12 __cacert_entrypoint.sh
drwxr-xr-x    1 root     root          4096 Dec  1 07:12 opt
-rw-r--r--    1 root     root           491 Dec  5 22:49 gl-secret-detection-report.json
-rw-r--r--    1 root     root           408 Dec  5 22:49 heb-checkov-sast-report.json
drwxrwxrwx    2 root     root          4096 Dec  5 22:50 reducedStartupTime
-rwxrwxrwx    1 root     root          1509 Dec  5 22:50 README.txt
-rwxrwxrwx    1 root     root           542 Dec  5 22:50 Dockerfile
drwxrwxrwx    1 bwce     bwcegrou      4096 Dec  5 22:50 resources
drwxrwxrwx    1 root     root          4096 Dec  5 22:50 scripts
-rw-r--r--    1 root     root          5598 Dec  5 22:50 gl-dependency-scanning-report.json
drwxr-xr-x    1 root     root          4096 Dec  5 22:51 sbin
drwxr-xr-x    1 root     root          4096 Dec  5 22:51 bin
drwxr-xr-x    1 root     root          4096 Dec  5 22:51 home
-rw-r--r--    1 root     root         10941 Dec 19 17:53 bwcetestproject-1.0.0-SNAPSHOT.ear
dr-xr-xr-x   12 root     root             0 Dec 19 20:33 sys
dr-xr-xr-x  247 root     root             0 Dec 19 20:33 proc
drwxr-xr-x    1 root     root          4096 Dec 19 20:33 etc
drwxr-xr-x    5 root     root           340 Dec 19 20:33 dev
drwxrwxrwt    1 bwce     bwcegrou      4096 Dec 19 20:33 tmp
```
  4. Because of that, the ear file is not accessible when creating the container on the Kubernetes platform. I am able to start the container successfully in local Docker (maybe fewer security restrictions) but not in the Kubernetes environment.

```
INFO Variables received : null, null, null, /tmp
/opt/java/openjdk
Adding Plug-in Jars
Adding additional libs
libsunec.so File found...
'/resources/addons/lib/libsunec.so' -> '/tmp/tibco.home/tibcojre64/11/lib/amd64'
Importing cacerts into java truststore
./scripts/setup.sh: line 304: /tmp/tibco.home/tibcojre64/11/bin/keytool: cannot execute: required file not found
Importing cacerts into java truststore
./scripts/setup.sh: line 304: /tmp/tibco.home/tibcojre64/11/bin/keytool: cannot execute: required file not found
error:  cannot open zipfile [ /tmp/tibco.home/bwce/2.8/bin/bwapp.ear ]
        Permission denied
unzip:  cannot find or open /tmp/tibco.home/bwce/2.8/bin/bwapp.ear, /tmp/tibco.home/bwce/2.8/bin/bwapp.ear.zip or /tmp/tibco.home/bwce/2.8/bin/bwapp.ear.ZIP.
Using Custom Logback file
The loglevel is set to WARN level
./scripts/setup.sh: line 157: /tmp/META-INF/MANIFEST.MF: No such file or directory
Appended ADDONS_HOME/lib in bwappnode.tra file
Appended ADDONS_HOME/lib in bwappnode file
Appended -Xmx686M -Xms128M -Xss512K -Djdk.tls.allowUnsafeServerCertChange=true -Dsun.security.ssl.allowUnsafeRenegotiation=true --add-opens java.management/sun.management=ALL-UNNAMED --add-opens java.management/sun.management=ALL-UNNAMED to java.extend.properties
BW_PROFILE is set to 'DEPLOY.substvar'
cp: can't stat '/tmp/META-INF/DEPLOY.substvar': No such file or directory
java.io.FileNotFoundException: /tmp/tmp/pcf.substvar (No such file or directory)
	at java.base/java.io.FileInputStream.open0(Native Method)
	at java.base/java.io.FileInputStream.open(Unknown Source)
	at java.base/java.io.FileInputStream.<init>(Unknown Source)
	at java.base/java.io.FileReader.<init>(Unknown Source)
	at com.tibco.bwce.profile.resolver.ProfileResolverHelper.getKeysForConfig(ProfileResolverHelper.java:46)
	at com.tibco.bwce.profile.resolver.DockerProfileTokenResolver.resolveTokens(DockerProfileTokenResolver.java:223)
	at com.tibco.bwce.profile.resolver.DockerProfileTokenResolver.resolve(DockerProfileTokenResolver.java:37)
	at com.tibco.bwce.profile.resolver.Resolver.main(Resolver.java:24)
```

Additional environment details if any:
Trying to create the container in a Kubernetes 1.8 environment.

Describe the results you received:
Container startup logs are provided in step 4 above.

Describe the results you expected:
I should be able to run the bwce container as a non-root user using the above base image and Maven build process.
If I comment out the instruction "USER bwce" in my base image, this entire process works fine without any issue.

Additional information you deem important (e.g. issue happens only occasionally):

Based on the directory listing at '/tmp/tibco.home/bwce/2.8/bin', it appears that the symbolic link bwapp.ear inside /tmp/tibco.home/bwce/2.8/bin is pointing to /bwcetestproject-1.0.0-SNAPSHOT.ear. However, the file /bwcetestproject-1.0.0-SNAPSHOT.ear is owned by root:root with read permissions only for the owner.

@nagamed nagamed changed the title Using Maven plugin build, unable to create a bwce docker container using nonroot user Using Maven plugin build, unable to create a bwce docker container as nonroot user Dec 19, 2023

nagamed commented Dec 21, 2023

I am able to solve my issue by following the below approach.

  1. Updated the TIBCO base image Dockerfile to run as root user by commenting out the USER instruction (# USER bwce).
  2. Added the commands below in the application pom.xml under the docker-maven-plugin/build section to update the permissions of the .ear file for the bwce user:

```xml
<runCmds>
  <run>chown -R bwce:bwcegroup /${artifactId}-${version}.ear</run>
</runCmds>
<user>bwce</user>
```

  3. Now, as part of the application image built by maven docker:build, it changes the user to bwce (non-root user).

It solved my purpose, but can the commands in step 2 be automated without the developer having to manually insert these extra commands in pom.xml?
Based on the base image Dockerfile given in the TIBCO documentation and this Maven plugin build, I'm wondering how it is working for anyone to run the container successfully as a non-root user without having to manually modify the permissions on the .ear file.

Please suggest if there are any other alternative approaches.
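The check the reporter did by hand in the last paragraph of the report (follow the bwapp.ear symlink, then compare the target's owner and mode with the runtime user) can be scripted and run as an image preflight before the container ever reaches Kubernetes. This is an added example, not code from the issue or from bw6-maven-plugin; it assumes a GNU or busybox `stat -c` and `readlink -f` (present in the Alpine-based image above) and that the runtime user's numeric uid and gid (the bwce user in the issue) are passed in.

```sh
#!/bin/sh
# Preflight: will a process running as UID/GID be able to read PATH?
# Mirrors the failure in the issue: start.sh runs as bwce and opens
# /tmp/tibco.home/bwce/2.8/bin/bwapp.ear, a symlink to the root-owned
# /<artifactId>-<version>.ear that Maven copied into the image.
# Limitation: checks only the final target's mode bits, not search
# permission on each parent directory and not ACLs or SELinux labels.

# can_read UID GID PATH  -> exit 0 if readable, 1 otherwise
can_read() {
  uid=$1
  gid=$2
  # Resolve symlinks so we judge the real file, as the kernel does.
  target=$(readlink -f "$3") || return 1
  [ -e "$target" ] || return 1
  # Root (uid 0) bypasses mode bits for reads.
  [ "$uid" -eq 0 ] && return 0
  # Owner uid, group gid, octal mode (e.g. "644" or "4755").
  set -- $(stat -c '%u %g %a' "$target") || return 1
  fuid=$1
  fgid=$2
  mode=$(printf '%03d' "$3")        # pad so short modes like "0" become "000"
  mode=${mode#${mode%???}}          # keep only the last three digits (rwx triplets)
  u=${mode%??}                      # owner digit
  g=${mode#?}; g=${g%?}             # group digit
  o=${mode#??}                      # other digit
  if [ "$uid" -eq "$fuid" ]; then bits=$u
  elif [ "$gid" -eq "$fgid" ]; then bits=$g
  else bits=$o
  fi
  [ $((bits & 4)) -ne 0 ]           # 4 is the read bit in each triplet
}

# check_or_report UID GID PATH -> prints a verdict and returns can_read's status
check_or_report() {
  if can_read "$1" "$2" "$3"; then
    echo "OK: uid=$1 gid=$2 can read $3"
  else
    echo "FAIL: uid=$1 gid=$2 cannot read $3 (fix ownership/mode before USER switch)"
    return 1
  fi
}
```

Inside the image, `check_or_report "$(id -u bwce)" "$(id -g bwce)" /tmp/tibco.home/bwce/2.8/bin/bwapp.ear` reproduces the "Permission denied" condition from the startup log without having to deploy.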
