open-horizon / examples

Code examples you can use with Horizon.
Apache License 2.0

Change lower-level services to port 8080, then run non-root #349

Closed t-fine closed 3 years ago

t-fine commented 4 years ago

Since the lower-level services (such as cpu and gps) bind to port 80, they require root privileges. Change them to 8080 to run as a non-root user, and add in any additional privileges (with cap-add) if necessary.

Current method of running helloworld as non-root user from Dockerfile.amd64:

```dockerfile
# Create hzngroup and hznuser
RUN addgroup -S hzngroup && adduser -S hznuser -G hzngroup

# Run container as hznuser user
USER hznuser
```

t-fine commented 4 years ago

Further info from a past issue...

A security vulnerability analysis will show that apps running as root in a container are potentially dangerous, and therefore the examples should show best practices.

Some more background from Dave: further, some of the currently known exploits on Linux occur when the Linux container support is invoked as root, when running inside the container as root. This is the gist of why security people are concerned about running as root in a container... because it allows an attacker to exploit the underlying Linux code. If a container is not running root, an attacker is limited in his abilities to get to the Linux kernel.

If no user is explicitly used, you will run as root. Security scan tools flag this stuff. When a customer had IBM security folks scan and try to attack IEC, the only vulnerabilities they found were the helloworld app running as root... thus I opened the issue to fix it when we get a chance, because it doesn't demonstrate best practices. As usual with security stuff, it is not clear how much of this is grounded in FUD, but it is easier to just change this.
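The two conditions this issue is about (no non-root `USER`, and a service port below 1024) can be checked statically. The following is an added example, not code from the open-horizon repository; the function name `audit_dockerfile`, the `alpine:latest` base image and the `EXPOSE` lines in the samples are assumptions, and `EXPOSE` is used only as a hint of the port the service binds.

```python
import re

PRIVILEGED_PORT_LIMIT = 1024  # Linux default for net.ipv4.ip_unprivileged_port_start

def audit_dockerfile(text):
    """Return findings for the last build stage of a Dockerfile (heuristic)."""
    user, ports = None, []
    logical = re.sub(r"\\[ \t]*\n", " ", text)  # join backslash-continued lines
    for raw in logical.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        instr, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else "")
        if instr == "FROM":
            user, ports = None, []  # assumption: a stage starts as its base image's user
        elif instr == "USER":
            user = arg.strip().split(":")[0]  # drop the optional :group part
        elif instr == "EXPOSE":
            nums = [tok.split("/")[0] for tok in arg.split()]  # strip /tcp, /udp
            ports += [int(n) for n in nums if n.isdigit()]
    findings = []
    if user is None:
        findings.append("no USER in final stage: runs as the base image user (root by default)")
    elif user in ("root", "0"):
        findings.append("USER is root")
    for port in ports:
        if port < PRIVILEGED_PORT_LIMIT:
            findings.append(f"EXPOSE {port}: below 1024, binding needs root or CAP_NET_BIND_SERVICE")
    return findings

# Constructed samples: a service on port 80 with no USER, and the helloworld
# pattern quoted in this issue applied to a service moved to port 8080.
BEFORE = """\
FROM alpine:latest
EXPOSE 80
"""

AFTER = """\
FROM alpine:latest
# Create hzngroup and hznuser
RUN addgroup -S hzngroup && adduser -S hznuser -G hzngroup
EXPOSE 8080
# Run container as hznuser user
USER hznuser
"""

if __name__ == "__main__":
    for name, dockerfile in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_dockerfile(dockerfile) or "ok")
```

A non-root `USER` combined with a port below 1024 is still reported, which is the case where `cap-add` with `NET_BIND_SERVICE` would be needed instead of a port change.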

clementkng commented 3 years ago

Hi @t-fine, I'm interested in trying out this issue. However, I got stuck figuring out how to run the cpu and gps example services. Is there a pattern/policy I could use to hzn register my node so I can get a locally running version?