feat: harden security, bump alpine version, add healthcheck

[rare-magma]

This PR hardens the security of the container by:

• changing the default user in the container to a non root one (customizable with the UID and GID env vars)
• dropping all capabilities and adding only the ones that are required
• setting the filesystem as read only
• bumps the alpine version since 3.15 is end of life already
• removes the redundant su-exec and entrypoint.sh

It also adds a default healthcheck command.

For more info see https://cheatsheetseries.owasp.org/cheatsheets/Docker_Security_Cheat_Sheet.html#rule-3-limit-capabilities-grant-only-specific-capabilities-needed-by-a-container

[pldubouilh]

Hey, thanks a lot for the PR ! This sounds good to me, but it seems there's incompatibility with su-exec.

% sudo docker run --cap-drop=ALL --cap-add=SETUID --cap-add=SETGID -v ~/LocalDirToShare:/shared -p 8001:8001 gossa
su-exec: setgroups(1000): Operation not permitted

Cf. Dockerfile's USER directive is incompatible with su-exec, basically nobody is not allowed to run su-exec. I'll dig into possible solutions for this, maybe su-exec isn't necessary if we run as nobody already.

[rare-magma]

That's interesting @pldubouilh , I tested this on podman and didn't face that issue, perhaps there's some difference in the implementation between the two? In that case we could drop the SETUID and SETGID capabilities then I think.

[rare-magma]

@pldubouilh I found a solution for the issue you mentioned and tested both on docker and podman (both as root and non root), please let me know what you think.