Update autocalib image to run as non root user

[jakubsikorski]

📝 Description

Updates the autocalibration Docker image to run as non root user.
Adds init container to fix volume permissions.
Removes entire camcalib-init script, thanks to this change the container:

• no longer requires sys_admin capability
• no longer requires to be run as privileged
• can be run as non root user

Both Kubernetes deployment and Docker compose files are updated.

✨ Type of Change

Select the type of change your PR introduces:

• 🐞 Bug fix – Non-breaking change which fixes an issue
• 🚀 New feature – Non-breaking change which adds functionality
• 🔨 Refactor – Non-breaking change which refactors the code base
• 💥 Breaking change – Changes that break existing functionality
• 📚 Documentation update
• 🔒 Security update
• 🧪 Tests
• 🚂 CI

🧪 Testing Scenarios

Describe how the changes were tested and how reviewers can test them too:

• ✅ Tested manually
• 🤖 Ran automated end-to-end tests

✅ Checklist

Before submitting the PR, ensure the following:

• 🔍 PR title is clear and descriptive
• 📝 For internal contributors: If applicable, include the JIRA ticket number (e.g., ITEP-123456) in the PR title. Do not include full URLs
• 💬 I have commented my code, especially in hard-to-understand areas
• 📄 I have made corresponding changes to the documentation
• ✅ I have added tests that prove my fix is effective or my feature works

[Copilot]

Pull Request Overview

This PR updates the autocalibration Docker image to run as a non-root user for improved security. The changes eliminate the need for privileged containers and SYS_ADMIN capabilities by replacing the complex initialization script with a simpler entrypoint and using init containers for volume permission fixes.

• Removes the camcalibration-init script and replaces it with a lightweight entrypoint
• Configures the container to run as user ID 1000 instead of root
• Adds init containers in deployment configurations to fix volume permissions
• Removes privileged container requirements and security capabilities

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
sample_data/docker-compose-dls-perf.yml	Adds init container for volume permissions, configures camcalibration to run as user 1000, removes privileged settings
sample_data/docker-compose-dl-streamer-example.yml	Same changes as dls-perf compose file for consistency
kubernetes/scenescape-chart/templates/camcalibration-dep.yaml	Updates Kubernetes deployment to run as non-root with init container for permissions
autocalibration/src/camcalibration-init	Removes the entire 179-line initialization script
autocalibration/Dockerfile	Updates image to create user with UID 1000, removes root dependencies, adds new entrypoint script

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[MikolajKasprzak]

lgtm

[ltalarcz]

In review

[saratpoluri]

Why does the tmp folder require +x permissions? 666 should suffice.

[jakubsikorski]

This permission is very different on directories compared to files. Essentially, you can think of it as providing access to the directory. Having execute permission on a directory authorizes you to look at extended information on files in the directory (using ls -l, for instance) but also allows you to change your working directory (using cd) or pass through this directory on your way to a subdirectory underneath.

Lacking execute permission on a directory can limit the other permissions in interesting ways. For example, how can you add a new file to a directory (by leveraging the write permission) if you can't access the directory's metadata to store the information for a new, additional file? You cannot.

[saratpoluri]

Seems like we always call it with python3. So setting the execution permission is not needed.

[jakubsikorski]

Removed the chmod +x

[saratpoluri]

"${UID:-1000}:${GID:-1000}"

[jakubsikorski]

Changed

[saratpoluri]

we use alpine:latest in other places.

[jakubsikorski]

Using latest now

Done