support running the agent in a non-root container
Attempting to run the agent with the docker run --user option causes the (non-edge mode) agent to fail with the following error:
[ERROR] [main,tls] [message: Unable to generate self-signed certificates] [error: open cert.pem: permission denied]
The error happens because the /app directory is not writable by an unprivileged user and the agent program attempts to generate a self-signed certificate and key into the /app directory.
The intent is to run the portainer/agent container with least privileges. The --user flag is supplied with an unprivileged UID and the docker group GID (for docker.sock, etc.). The --user flag actually works in the case of portainer/portainer because files are persisted in the /data volume, where permission to write as some unprivileged user can be arranged.
Perhaps the agent should follow the same pattern and write files to a /data volume as well.
The agent has always been designed to be stateless (up to the recent arrival of Edge features).
I believe we can default to /data for certs even though we're not exposing any volume; this would keep the existing behavior and allow any user to persist the volume or provide a specific folder to work with.
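As an added illustration of the pattern discussed in this thread (not the agent's own code), the following Go program generates the self-signed pair into a configurable directory that defaults to /data, keeps the private key unreadable to other users of a shared volume, and reports the directory and UID when the write fails instead of a bare "permission denied". The AGENT_DATA_DIR environment variable is hypothetical, not an agent option.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"log"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// GenerateSelfSigned writes cert.pem (0644) and key.pem (0600, unreadable to other users of a
// shared volume) into dir, defaulting to /data as proposed above; write errors name dir and UID.
func GenerateSelfSigned(dir string) error {
	if dir == "" {
		dir = "/data"
	}
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalECPrivateKey(key)
	if err != nil {
		return err
	}
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	if err := os.WriteFile(filepath.Join(dir, "cert.pem"), certPEM, 0o644); err != nil {
		return fmt.Errorf("uid %d cannot write certificates to %s: %w", os.Getuid(), dir, err)
	}
	return os.WriteFile(filepath.Join(dir, "key.pem"), pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER}), 0o600)
}

func main() {
	if err := GenerateSelfSigned(os.Getenv("AGENT_DATA_DIR")); err != nil { // env var is hypothetical
		log.Fatal(err)
	}
}
```

Mount a directory owned by the chosen UID at /data (or point the hypothetical variable at one) and the same --user invocation that fails against /app succeeds.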