[SPARK-43370] Switch spark user only when run driver and executor

### What changes were proposed in this pull request?
Switch spark user only when run driver and executor

### Why are the changes needed?
Address doi comments: question 7 [1]

[1] docker-library/official-images#13089 (comment)
[2] docker-library/official-images#13089 (comment)

### Does this PR introduce _any_ user-facing change?
Yes

### How was this patch tested?
1. test mannuly
```
cd ~/spark-docker/3.4.0/scala2.12-java11-ubuntu
$ docker build . -t spark-test

$ docker run -ti spark-test bash
sparkafa78af05cf8:/opt/spark/work-dir$

$ docker run  --user root  -ti spark-test bash
root095e0d7651fd:/opt/spark/work-dir#
```
2. ci passed

Closes: #44

Closes #43 from Yikun/SPARK-43370.

Authored-by: Yikun Jiang <[email protected]>
Signed-off-by: Yikun Jiang <[email protected]>

Author: Yikun

3.4.0/scala2.12-java11-python3-r-ubuntu/Dockerfile

@@ -16,6 +16,8 @@
 #
 FROM spark:3.4.0-scala2.12-java11-ubuntu
 
+USER root
+
 RUN set -ex; \
     apt-get update; \
     apt install -y python3 python3-pip; \
@@ -24,3 +26,5 @@ RUN set -ex; \
     rm -rf /var/lib/apt/lists/*
 
 ENV R_HOME /usr/lib/R
+
+USER spark

3.4.0/scala2.12-java11-python3-ubuntu/Dockerfile

@@ -16,8 +16,12 @@
 #
 FROM spark:3.4.0-scala2.12-java11-ubuntu
 
+USER root
+
 RUN set -ex; \
     apt-get update; \
     apt install -y python3 python3-pip; \
     rm -rf /var/cache/apt/*; \
     rm -rf /var/lib/apt/lists/*
+
+USER spark

3.4.0/scala2.12-java11-r-ubuntu/Dockerfile

@@ -16,10 +16,14 @@
 #
 FROM spark:3.4.0-scala2.12-java11-ubuntu
 
+USER root
+
 RUN set -ex; \
     apt-get update; \
     apt install -y r-base r-base-dev; \
     rm -rf /var/cache/apt/*; \
     rm -rf /var/lib/apt/lists/*
 
 ENV R_HOME /usr/lib/R
+
+USER spark

3.4.0/scala2.12-java11-ubuntu/Dockerfile

@@ -77,4 +77,6 @@ ENV SPARK_HOME /opt/spark
 
 WORKDIR /opt/spark/work-dir
 
+USER spark
+
 ENTRYPOINT [ "/opt/entrypoint.sh" ]

3.4.0/scala2.12-java11-ubuntu/entrypoint.sh

@@ -69,6 +69,13 @@ elif ! [ -z ${SPARK_HOME+x} ]; then
   SPARK_CLASSPATH="$SPARK_HOME/conf:$SPARK_CLASSPATH";
 fi
 
+# Switch to spark if no USER specified (root by default) otherwise use USER directly
+switch_spark_if_root() {
+  if [ $(id -u) -eq 0 ]; then
+    echo gosu spark
+  fi
+}
+
 case "$1" in
   driver)
     shift 1
@@ -78,6 +85,8 @@ case "$1" in
       --deploy-mode client
       "$@"
     )
+    # Execute the container CMD under tini for better hygiene
+    exec $(switch_spark_if_root) /usr/bin/tini -s -- "${CMD[@]}"
     ;;
   executor)
     shift 1
@@ -96,20 +105,12 @@ case "$1" in
       --resourceProfileId $SPARK_RESOURCE_PROFILE_ID
       --podName $SPARK_EXECUTOR_POD_NAME
     )
+    # Execute the container CMD under tini for better hygiene
+    exec $(switch_spark_if_root) /usr/bin/tini -s -- "${CMD[@]}"
     ;;
 
   *)
     # Non-spark-on-k8s command provided, proceeding in pass-through mode...
-    CMD=("$@")
+    exec "$@"
     ;;
 esac
-
-# Switch to spark if no USER specified (root by default) otherwise use USER directly
-switch_spark_if_root() {
-  if [ $(id -u) -eq 0 ]; then
-    echo gosu spark
-  fi
-}
-
-# Execute the container CMD under tini for better hygiene
-exec $(switch_spark_if_root) /usr/bin/tini -s -- "${CMD[@]}"

Dockerfile.template

@@ -77,4 +77,6 @@ ENV SPARK_HOME /opt/spark
 
 WORKDIR /opt/spark/work-dir
 
+USER spark
+
 ENTRYPOINT [ "/opt/entrypoint.sh" ]

entrypoint.sh.template

@@ -69,6 +69,13 @@ elif ! [ -z ${SPARK_HOME+x} ]; then
   SPARK_CLASSPATH="$SPARK_HOME/conf:$SPARK_CLASSPATH";
 fi
 
+# Switch to spark if no USER specified (root by default) otherwise use USER directly
+switch_spark_if_root() {
+  if [ $(id -u) -eq 0 ]; then
+    echo gosu spark
+  fi
+}
+
 case "$1" in
   driver)
     shift 1
@@ -78,6 +85,8 @@ case "$1" in
       --deploy-mode client
       "$@"
     )
+    # Execute the container CMD under tini for better hygiene
+    exec $(switch_spark_if_root) /usr/bin/tini -s -- "${CMD[@]}"
     ;;
   executor)
     shift 1
@@ -96,20 +105,12 @@ case "$1" in
       --resourceProfileId $SPARK_RESOURCE_PROFILE_ID
       --podName $SPARK_EXECUTOR_POD_NAME
     )
+    # Execute the container CMD under tini for better hygiene
+    exec $(switch_spark_if_root) /usr/bin/tini -s -- "${CMD[@]}"
     ;;
 
   *)
     # Non-spark-on-k8s command provided, proceeding in pass-through mode...
-    CMD=("$@")
+    exec "$@"
     ;;
 esac
-
-# Switch to spark if no USER specified (root by default) otherwise use USER directly
-switch_spark_if_root() {
-  if [ $(id -u) -eq 0 ]; then
-    echo gosu spark
-  fi
-}
-
-# Execute the container CMD under tini for better hygiene
-exec $(switch_spark_if_root) /usr/bin/tini -s -- "${CMD[@]}"

r-python.template

@@ -16,6 +16,8 @@
 #
 FROM spark:{{ SPARK_VERSION }}-scala{{ SCALA_VERSION }}-java{{ JAVA_VERSION }}-ubuntu
 
+USER root
+
 RUN set -ex; \
     apt-get update; \
     {%- if HAVE_PY %}
@@ -30,3 +32,5 @@ RUN set -ex; \
 
 ENV R_HOME /usr/lib/R
 {%- endif %}
+
+USER spark