
Use of gcr.io/bazel-public/bazel:5.2.0 in Cloud Build is more restrictive than released images in marketplace.gcr.io/google/bazel

Open tetsuok opened this issue 1 year ago • 0 comments

The Docker image gcr.io/bazel-public/bazel:5.2.0 (created by bazel/oci/Dockerfile based on #1290) was supposed to be compatible with previously released images in marketplace.gcr.io/google/bazel, but it seems not to be compatible. gcr.io/bazel-public/bazel:5.2.0 runs as a non-root user whereas the previous images run as root. Updating Cloud Build CI pipelines that use the previously released images to gcr.io/bazel-public/bazel:5.2.0 results in permission issues when Bazel tries to create output files under /builder/home/.cache. This requires extra effort from users (see below). I'm wondering whether this repository provides Docker images more compatible with the previously released images so that users of Cloud Build can smoothly update Bazel Docker images to 5.2.0 or newer.

Here is an incomplete list of the extra effort required when using gcr.io/bazel-public/bazel:5.2.0 in Cloud Build:

  • With gcr.io/bazel-public/bazel:5.2.0, users need to run bazel with --output_user_root and --symlink_prefix= (because /workspace is not writable).
  • With gcr.io/bazel-public/bazel:5.2.0, it is more challenging to push Docker images built with Bazel (e.g., container_image rule in rules_docker). It is very tricky to tag built images because gcr.io/bazel-public/bazel:5.2.0 doesn't install docker whereas the previously released images do (we would like to use the docker command instead of the container_push rule since it modifies an external resource via bazel run). This limitation suggests invoking the docker command in a different build step such as gcr.io/cloud-builders/docker:latest along with user-defined volumes to persist Bazel outputs, but that's also tricky since creating a user-defined volume under / requires root permission, but gcr.io/bazel-public/bazel:5.2.0 is run as non-root.

tetsuok Aug 01 '22 14:08
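
The workaround from the first bullet, as an added example that is not part of the issue or of the Bazel project's own tooling: a preflight that keeps the build step non-root and points Bazel at a directory the current user can actually write to. The function names, the candidate directories and the `//app:image` target are hypothetical; `--symlink_prefix=/` is Bazel's documented value for suppressing convenience symlinks, and the issue does not say which value its author used.

```shell
#!/bin/sh
# Added example: pick a writable Bazel output root for a non-root build step
# rather than switching the step back to root.

# Print the first candidate directory that exists (or can be created) and is
# writable by the current user. Returns 1 when no candidate qualifies.
first_writable_dir() {
    for dir in "$@"; do
        if mkdir -p "$dir" 2>/dev/null && [ -w "$dir" ]; then
            printf '%s\n' "$dir"
            return 0
        fi
    done
    return 1
}

# Print the bazel command line for a target, given candidate output roots in
# order of preference. Fails loudly instead of letting Bazel hit EACCES later.
bazel_nonroot_cmd() {
    target=$1
    shift
    root=$(first_writable_dir "$@") || {
        echo "no writable directory for Bazel outputs (uid $(id -u))" >&2
        return 1
    }
    # --output_user_root is a startup option, so it precedes "build".
    # --symlink_prefix=/ stops Bazel creating bazel-* symlinks in a workspace
    # the non-root user cannot write to.
    printf 'bazel --output_user_root=%s build --symlink_prefix=/ %s\n' \
        "$root" "$target"
}

# Typical call inside the build step (paths are assumptions):
#   cmd=$(bazel_nonroot_cmd //app:image "$HOME/.cache/bazel" "/tmp/bazel-$(id -u)") \
#       && $cmd
```
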