
[Core] feat: adjust Dockerfile use unprivileged user

Open IdansPort opened this issue 2 weeks ago • 2 comments

User description

Description

What

Refactored the Docker image and startup scripts to transition the Ocean user to a strictly non-privileged account (UID 1001) without sudo access. Implemented a user-space mechanism for handling CA certificates.

Why

Many enterprise security policies (e.g., strict Kubernetes clusters, OpenShift) prohibit containers running with root privileges or users with sudo access. The previous implementation required sudo to run update-ca-certificates when new certs were mounted, which blocked deployment in these secure environments.

How

  • Removed Privileges: Removed the sudo package and the specific sudoers configuration that allowed the ocean user to run root commands.
  • User ID Update: Changed the default OCEAN_USER_ID to 1001 to align with standard non-system user ranges.
  • User-Space Cert Sync: Introduced sync_ca_certs.sh, a script that:
      • Scans system and mounted certificate directories (e.g., /etc/ssl/certs).
      • Copies them to a user-owned directory (/home/ocean/.local/share/ca-certificates).
      • Generates a local ca-certificates.crt bundle.
  • Environment Configuration: Configured standard SSL environment variables (SSL_CERT_DIR, SSL_CERT_FILE, REQUESTS_CA_BUNDLE) to force applications (Python, curl, etc.) to use the new user-owned certificate location instead of the system default.



PR Type

Enhancement


Description

  • Transition Docker containers to unprivileged user for security compliance

  • Create CA certificate sync mechanism for non-root user access

  • Update user ID from 999 to 1001 and remove sudo dependency

  • Configure SSL environment variables for certificate discovery


Diagram Walkthrough

flowchart LR
  A["Privileged Setup<br/>User ID 999<br/>sudo + update-ca-certificates"] -->|"Replace with"| B["Unprivileged Setup<br/>User ID 1001<br/>sync_ca_certs.sh"]
  B --> C["CA Certs in<br/>/home/ocean/.local/share"]
  B --> D["SSL Environment<br/>Variables Set"]
  C --> E["Non-root Container<br/>Security Compliant"]
  D --> E

File Walkthrough

Relevant files
Enhancement
sync_ca_certs.sh
New CA certificate sync script for unprivileged user         

integrations/_infra/sync_ca_certs.sh

  • New script to sync CA certificates from system directories to
    unprivileged user home directory
  • Copies certificates from multiple source locations with error handling
  • Creates consolidated CA bundle and exports SSL environment variables
  • Sets proper file permissions for unprivileged user access
+37/-0   
Dockerfile.Deb
Configure unprivileged user and CA certificate handling   

integrations/_infra/Dockerfile.Deb

  • Changed OCEAN_USER_ID from 999 to 1001 for better security practices
  • Added SSL environment variables pointing to user-accessible
    certificate directory
  • Removed sudo package from apt-get dependencies
  • Removed sudo-based update-ca-certificates approach
  • Added CA certificate copy to user home directory with proper ownership
    and permissions
  • Made sync_ca_certs.sh executable
+18/-8   
Dockerfile.local
Update local Dockerfile for unprivileged user setup           

integrations/_infra/Dockerfile.local

  • Changed OCEAN_USER_ID from 999 to 1001
  • Added SSL environment variables for certificate discovery
  • Updated CA certificate setup to use user-accessible directory
  • Made sync_ca_certs.sh executable in build process
+10/-3   
entry_local.sh
Source CA certificate sync in entry script                             

integrations/_infra/entry_local.sh

  • Added call to sync_ca_certs.sh script before venv setup
  • Ensures CA certificates are available for unprivileged user at
    container startup
+3/-0     
init.sh
Replace sudo certificate update with sync script                 

integrations/_infra/init.sh

  • Replaced sudo-based update-ca-certificates with sync_ca_certs.sh call
  • Removes dependency on privileged operations for certificate handling
+2/-3     

IdansPort, Nov 16 '25 11:11
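The user-space certificate sync described in the PR above, sketched as an added example. It is not the PR's sync_ca_certs.sh; the function name, argument order, bundle location and demo paths are assumptions.

```shell
#!/bin/sh
# Added example, not the PR's sync_ca_certs.sh. Meant to be sourced so the
# exported variables reach the process that starts the application.
BUNDLE_NAME=ca-certificates.crt
# sync_ca_certs DEST_DIR SRC_DIR...  (hypothetical interface; caller supplies paths)
sync_ca_certs() {
    dest=$1; shift
    mkdir -p "$dest" || return 1
    for src in "$@"; do
        [ -d "$src" ] || continue              # an absent mount is not an error
        for f in "$src"/*.crt "$src"/*.pem; do
            [ -f "$f" ] && [ -r "$f" ] || continue
            [ "${f##*/}" = "$BUNDLE_NAME" ] && continue   # never nest a bundle
            # Only accept files that hold a PEM certificate block.
            grep -q -e '-----BEGIN CERTIFICATE-----' "$f" || continue
            # -L: /etc/ssl/certs entries are usually symlinks; copy the target.
            cp -L "$f" "$dest/${f##*/}" && chmod 644 "$dest/${f##*/}"
        done
    done
    # Build in a temp file, then rename: readers never see a partial bundle.
    tmp=$(mktemp "$dest/.bundle.XXXXXX") || return 1
    for f in "$dest"/*.crt "$dest"/*.pem; do
        [ -f "$f" ] || continue
        [ "${f##*/}" = "$BUNDLE_NAME" ] && continue
        cat "$f"; echo                         # newline guard between PEM blocks
    done > "$tmp"
    if [ ! -s "$tmp" ]; then                   # keep any previous bundle instead
        rm -f "$tmp"; echo "sync_ca_certs: no certificates found" >&2; return 1
    fi
    chmod 644 "$tmp" && mv -f "$tmp" "$dest/$BUNDLE_NAME" || return 1
    export SSL_CERT_DIR="$dest"
    export SSL_CERT_FILE="$dest/$BUNDLE_NAME" REQUESTS_CA_BUNDLE="$dest/$BUNDLE_NAME"
}
# Constructed sample: fake PEM bodies in temp dirs standing in for
# /etc/ssl/certs and a mounted certificate directory.
demo() {
    root=$(mktemp -d) || return 1
    b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    mkdir -p "$root/system" "$root/mounted"
    printf '%s\n' "$b" 'QUJD' "$e" > "$root/system/root-a.crt"
    printf '%s\n%s\n%s' "$b" 'REVG' "$e" > "$root/mounted/corp-ca.crt"  # no final newline
    echo 'not a certificate' > "$root/mounted/notes.crt"
    sync_ca_certs "$root/home/ca-certificates" "$root/system" "$root/mounted" "$root/absent" || return 1
    n=$(grep -c -x -e "$b" "$SSL_CERT_FILE")   # whole-line matches only
    rm -rf "$root"
    echo "$n"
}
echo "certificates in bundle: $(demo)"
```

Source the file rather than executing it, otherwise the exports end with the child shell. OpenSSL looks up SSL_CERT_DIR entries by subject-hash file names, so clients that rely on the directory form need those hash links as well; the bundle in SSL_CERT_FILE does not.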