FLINK-37881: Drop gosu in favour of Dockerfile USER

[avi-sanwal]

This is a minor improvement from security standpoint on flink's docker image.

In the dockerfile of flink's docker image, we are adding gosu:

flink-docker/1.20/scala_2.12-java17-ubuntu/Dockerfile

Lines 27 to 44 in 6e22650

	# Grab gosu for easy step-down from root
	ENV GOSU_VERSION 1.11
	RUN set -ex; \
	wget -nv -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture)"; \
	wget -nv -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$(dpkg --print-architecture).asc"; \
	export GNUPGHOME="$(mktemp -d)"; \
	for server in ha.pool.sks-keyservers.net $(shuf -e \
	hkp://p80.pool.sks-keyservers.net:80 \
	keyserver.ubuntu.com \
	hkp://keyserver.ubuntu.com:80 \
	pgp.mit.edu) ; do \
	gpg --batch --keyserver "$server" --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4 && break || : ; \
	done && \
	gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
	gpgconf --kill all; \
	rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
	chmod +x /usr/local/bin/gosu; \
	gosu nobody true

This is later used to switch to the user flink in the entrypoint script:

flink-docker/1.20/scala_2.12-java17-ubuntu/docker-entrypoint.sh

Line 37 in 6e22650

echo gosu flink

.

Gosu itself is tagged by popular scanners as being vulnerable due to outdated golang usage (though gosu itself is not).

Instead of using gosu/su-exec, it may be preferrable to switch to flink user using USER flink or something similar in Dockerfile. This way we could avoid depending on gosu, and present a cleaner scan result.

While this does not really solve any vulnerabilties in the system, it can help satisfy auditors against false positive reports provided by heuristical scanners.

[gaborgsomogyi]

In general I agree to remove gosu but I suggest to do some testing because docker files are user facing. An immediate what the user will recognize that docker inheritance + install something would not work. That would mean all users must adjust their custom docker files. For large organizations that can be heavy or impossible so we must consider and highlight what this change would mean.

I think this PR must go into the dev-master branch generator script, when it's there the generated materials can be copied here. Can you do it plz?

[avi-sanwal]

In general I agree to remove gosu but I suggest to do some testing because docker files are user facing. An immediate what the user will recognize that docker inheritance + install something would not work. That would mean all users must adjust their custom docker files. For large organizations that can be heavy or impossible so we must consider and highlight what this change would mean.

I think this PR must go into the dev-master branch generator script, when it's there the generated materials can be copied here. Can you do it plz?

Thanks for your time reviewing this change. I will do this via dev-master.
Agreed, it may break compatibility.

I have already done this in our own base image with a modified copy of the entrypoint script and it has been running successfully in production for a few months now.

We use flink kubernetes operator managing the deployments.

[gaborgsomogyi]

Thanks for your time reviewing this change. I will do this via dev-master.

Ping me on the other PR and this can be closed.

I have already done this in our own base image with a modified copy of the entrypoint script and it has been running successfully in production for a few months now.

I think we should mention these steps somewhere to help others but the approach is fine as soon as the changes are manageable.

[avi-sanwal]

@gaborgsomogyi , please see #242 for dev-master changes.