ITEP-78937: Update autocalib image to run as non root user

autocalibration/Dockerfile

@@ -91,18 +91,20 @@ ENV NETVLAD_MODEL_DIR="/usr/local/lib/python3.10/dist-packages/third_party/netvl
 RUN --mount=type=cache,target=/var/cache/apt,sharing=locked \
     --mount=type=cache,target=/var/lib/apt,sharing=locked \
     apt-get update && apt-get install -y --no-install-recommends \
-    bindfs gosu libgl1 libegl1 libglib2.0-0 libgomp1 python3 python3-pip sudo wget && \
+    libgl1 libegl1 libglib2.0-0 libgomp1 python3 python3-pip wget && \
     rm -rf /var/lib/apt/lists/* && \
     apt-get clean
 
-# Add user (this rarely changes)
-RUN useradd -r -m -s /bin/bash $WSUSER && \
+# Add user with specific UID/GID (not system user)
+RUN groupadd -g 1000 $WSUSER && \
+    useradd -u 1000 -g 1000 -m -s /bin/bash $WSUSER && \
     usermod -a -G video,users $WSUSER && \
     chmod a+rX /home/$WSUSER
 
-# Create model directory for on-demand downloads
-RUN mkdir -p $NETVLAD_MODEL_DIR && \
-    chown -R $WSUSER:$WSUSER $NETVLAD_MODEL_DIR
+# Create model directory and tmp directory for healthcheck
+RUN mkdir -p $NETVLAD_MODEL_DIR /tmp && \
+    chown -R $WSUSER:$WSUSER $NETVLAD_MODEL_DIR && \
+    chmod 1777 /tmp
 
 # Copy scene_common and fast_geometry from builder stage BEFORE installing other packages
 COPY --from=camcalibration-builder /usr/local/lib/python3.10/dist-packages/fast_geometry /usr/local/lib/python3.10/dist-packages/fast_geometry
@@ -130,35 +132,46 @@ RUN --mount=type=cache,target=/root/.cache/pip \
     rm -rf /tmp/*.whl
 
 # Copy application code (this changes frequently)
-COPY autocalibration/src/camcalibration $SCENESCAPE_HOME/
+COPY --chown=scenescape:scenescape autocalibration/src/camcalibration $SCENESCAPE_HOME/camcalibration
 RUN chmod +x $SCENESCAPE_HOME/camcalibration
-COPY autocalibration/src/*.py $SCENESCAPE_HOME/
-COPY autocalibration/src/camcalibration-init /usr/local/bin/
-RUN chmod +x /usr/local/bin/camcalibration-init
+COPY --chown=scenescape:scenescape autocalibration/src/*.py $SCENESCAPE_HOME/
+COPY --chown=scenescape:scenescape autocalibration/tools/ondemand_model_loader.py /usr/local/bin/download_models.py
+RUN chmod +x /usr/local/bin/download_models.py
 
-# Create a startup script that ensures model directory permissions and checks NetVLAD model
 RUN echo '#!/bin/bash\n\
 set -e\n\
-chown -R $WSUSER:$WSUSER $NETVLAD_MODEL_DIR\n\
 if [ "$SKIP_MODEL_DOWNLOAD" != "1" ]; then\n\
     echo "Checking NetVLAD model..."\n\
     python3 /usr/local/bin/download_models.py\n\
 fi\n\
-exec "$@"\n' > /usr/local/bin/startup.sh && chmod +x /usr/local/bin/startup.sh
+touch /tmp/healthy\n\
+exec "$@"\n' > /usr/local/bin/startup.sh && \
+    chmod +x /usr/local/bin/startup.sh && \
+    chown scenescape:scenescape /usr/local/bin/startup.sh
 
-HEALTHCHECK --interval=30s --timeout=5s --retries=3 \
-    CMD pgrep python3 || exit 1
-ENTRYPOINT ["/usr/local/bin/startup.sh", "/usr/local/bin/camcalibration-init"]
+# Switch to non-root user
+USER scenescape
+WORKDIR $SCENESCAPE_HOME
+
+HEALTHCHECK --interval=30s --timeout=5s --retries=10 \
+    CMD pgrep -f python3 || exit 1
+
+ENTRYPOINT ["/usr/local/bin/startup.sh", "/home/scenescape/SceneScape/camcalibration"]
 
 # ---------- Cam Calibration Test Stage ------------------
 # This stage is meant to be used for test execution (not for final runtime)
 FROM camcalibration-runtime AS camcalibration-test
 ENV DEBIAN_FRONTEND=noninteractive
 ENV SKIP_MODEL_DOWNLOAD=1
 
+# Switch back to root to install test dependencies
+USER root
+
 # Install Python test dependencies
 RUN pip3 install --upgrade --no-cache-dir coverage pytest
 
-RUN : \
-    ; eval WSHOME=~$WSUSER \
-    ;
+# Switch back to non-root user for tests
+USER scenescape
+
+# Tests expect to run from /workspace where test files are mounted
+WORKDIR /workspace

kubernetes/scenescape-chart/templates/camcalibration-dep.yaml

@@ -7,8 +7,6 @@ metadata:
   name: {{ .Release.Name }}-camcalibration-dep
   labels:
     app: {{ .Release.Name }}-camcalibration
-  annotations:
-    container.apparmor.security.beta.kubernetes.io/camcalibration: unconfined
 spec:
   replicas: 1
   selector:
@@ -21,8 +19,8 @@ spec:
     spec:
       shareProcessNamespace: true
       securityContext:
-        runAsUser: 0
-        runAsGroup: 0
+        runAsUser: 1000
+        runAsGroup: 1000
       initContainers:
         - name: wait-for-web-initcontainer
           image: busybox
@@ -31,24 +29,44 @@ spec:
             runAsUser: 1000
             runAsGroup: 1000
             {{ include "defaultContainerSecurityContext" . | indent 12 }}
+        - name: fix-permissions-initcontainer
+          image: busybox
+          command: ["/bin/sh", "-c", "chown -R 1000:1000 /data/media /data/datasets && echo 'Permissions fixed'"]
+          securityContext:
+            runAsUser: 0
+            runAsGroup: 0
+          volumeMounts:
+          - mountPath: /data/media
+            name: media-storage
+          - mountPath: /data/datasets
+            name: datasets-storage
       containers:
         - args:
-          - camcalibration
-          - --broker
-          - broker.{{ .Release.Namespace }}.svc.cluster.local
+          - --restauth
+          - /run/secrets/calibration.auth
           - --resturl
           - https://web.{{ .Release.Namespace }}.svc.cluster.local/api/v1
+          - --brokerauth
+          - /run/secrets/calibration.auth
+          - --broker
+          - broker.{{ .Release.Namespace }}.svc.cluster.local
           image: {{ .Values.repository }}/{{ .Values.camcalibration.image }}:{{ .Chart.AppVersion }}
           name: {{ .Release.Name }}-camcalibration
           env:
           - name: EGL_PLATFORM
             value: surfaceless
+          - name: NETVLAD_MODEL_DIR
+            value: /usr/local/lib/python3.10/dist-packages/third_party/netvlad
           {{ include "proxy_envs" . | indent 10 }}
           imagePullPolicy: Always
           securityContext:
-            privileged: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
             capabilities:
-              add: ["SYS_ADMIN"]
+              drop:
+              - ALL
           readinessProbe:
             exec:
               command:
@@ -57,8 +75,6 @@ spec:
             periodSeconds: 1
           resources: {}
           volumeMounts:
-          - mountPath: /dev/fuse
-            name: dev-fuse
           - mountPath: /run/secrets/certs
             name: certs
             readOnly: true
@@ -69,19 +85,16 @@ spec:
             name: calibration-auth
             readOnly: true
             subPath: calibration.auth
-          - mountPath: /workspace/media
+          - mountPath: /home/scenescape/SceneScape/media
             name: media-storage
-          - mountPath: /workspace/datasets
+          - mountPath: /home/scenescape/SceneScape/datasets
             name: datasets-storage
       restartPolicy: Always
       {{- with .Values.imagePullSecrets }}
       imagePullSecrets:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       volumes:
-      - name: dev-fuse
-        hostPath:
-          path: /dev/fuse
       - name: certs
         secret:
           secretName: {{ .Release.Name }}-certs