Closed
Description
Bug description
The keylime agent is capable of building its own docker container, using a distroless image, or Fedora, or Wolfi. The distroless build option does not work (fails while building).
Root cause
The problem seems to be the last command, creating a keylime user with tss group membership. My interpretation of this bug is that the command fails because there is no /bin/sh to run the command, not to mention the useradd command, which is also not part of distroless.
------
Dockerfile.distroless:99
--------------------
97 |
98 | # Create a system user 'keylime' to allow dropping privileges
99 | >>> RUN useradd -s /sbin/nologin -r -G tss keylime
100 |
101 | # run as root by default
--------------------
ERROR: failed to solve: process "/bin/sh -c useradd -s /sbin/nologin -r -G tss keylime" did not complete successfully: exit code: 1
Error response from daemon: No such image: keylime_agent:latest-distroless
Possible fixes
- copy /bin/bash and other commands from a busybox type container image, and use them. Not ideal because we don't actually need any shell in the final container; it's bloat and a security violation.
- prepare /etc/passwd and /etc/group files ahead of time and copy them into place in the container. Better than the previous option but leaves open the question of what user and group IDs to use.
- forego creation of keylime and tss user and group, since container-local group names and IDs don't really matter.
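One way to realise the second option, as an added illustration that is not the project's own Dockerfile.distroless: the account entries are produced in a stage that has a shell, starting from the runtime image's own /etc/passwd and /etc/group so its existing entries survive, and only those two files are copied into the distroless stage. The base image names and the UID/GID values are assumptions.

```dockerfile
# Assumed base images; the real Dockerfile.distroless may use others.
FROM gcr.io/distroless/base-debian12 AS runtime-base

# Stage with a shell and coreutils, used only to build the account files.
FROM debian:12-slim AS usergen
# Start from the runtime image's own files so its entries
# (root, nobody, nonroot, ...) are preserved rather than replaced.
COPY --from=runtime-base /etc/passwd /tmp/etc/passwd
COPY --from=runtime-base /etc/group  /tmp/etc/group
# Fixed UID/GID values (hypothetical) keep the image reproducible and
# answer the "which IDs to use" question explicitly instead of leaving
# it to useradd. The sanity checks reject malformed records so a typo
# here fails the build instead of producing an unusable account file.
RUN set -eu; \
    echo 'keylime:x:996:' >> /tmp/etc/group; \
    echo 'tss:x:59:keylime' >> /tmp/etc/group; \
    echo 'keylime:x:996:996::/nonexistent:/sbin/nologin' >> /tmp/etc/passwd; \
    awk -F: 'NF != 7 { exit 1 }' /tmp/etc/passwd; \
    awk -F: 'NF != 4 { exit 1 }' /tmp/etc/group

# Final distroless stage: no /bin/sh, no useradd, only file copies.
FROM runtime-base
COPY --from=usergen /tmp/etc/passwd /etc/passwd
COPY --from=usergen /tmp/etc/group  /etc/group
# Application binary and configuration would be copied in here (omitted).
# Runs as root by default, as the original does; privileges can be dropped
# with `USER keylime` here or `docker run --user keylime ...` at run time.
```

The tss GID chosen in the usergen stage must match the group owning the TPM device node that is passed into the container, otherwise the dropped-privilege user cannot open it.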