Support Arbitrary User IDs for OpenShift

[torstenwalter]

To quote from the official OpenShift documentation:

By default, OpenShift Container Platform runs containers using an arbitrarily assigned user ID. This provides additional security against processes escaping the container due to a container engine vulnerability and thereby achieving escalated permissions on the host node.

For an image to support running as an arbitrary user, directories and files that may be written to by processes in the image should be owned by the root group and be read/writable by that group. Files to be executed should also have group execute permissions.

With this change it should be possible to run the Selenium images on OpenShift without further modifications.

• By placing an X in the preceding checkbox, I verify that I have signed the Contributor License Agreement

[ddavison]

related:

• Set execution permission on entry_point.sh #602
• Moving config generation in docker files #502
• Run all processes with seluser instead of root #477
• move the creation of the config.json file into a RUN directive #185

@torstenwalter , were these changes mentioned in the four PR's above not enough for OpenShift? It's been an ongoing battle 😜

[torstenwalter]

Compared to #185 it should allow users to change the config at run time.

[torstenwalter]

Without the permissions change for $HOME () there will be different kinds of errors when a process tries to write/read from that directory within OpenShift. e.g.:

Couldn't read password file: /home/seluser/.vnc/passwd. Chrome tries to write data there and I suspect Firefox as well.

[diemol]

I think this makes sense, we had to do something similar to have things working in OpenShift for some users of it.

[diemol]

Thanks for your contribution @torstenwalter!