[FR] Support running Docker image as non-root user #6484

@KrisF-Midnight

Description

Internal/External
External otherwise. (Midnight)

Area
Other Any other topic (Delegation, Ranking, ...).

Summary
The run-node script unconditionally writes to /usr/local/bin/env, a root-owned path inside the container filesystem, making it impossible to run the container as a non-root user. Additionally, when using the config merge feature, the entrypoint script writes to /opt/cardano/config//, which also fails as non-root.

Steps to reproduce

  1. Run ghcr.io/intersectmbo/cardano-node:10.5.2 with a non-root security context:
    securityContext:
      runAsNonRoot: true
      runAsUser: 1001
      runAsGroup: 1001
  2. Container crashes with:
    /usr/local/bin/run-node: line 91: /usr/local/bin/env: Permission denied
  3. If CARDANO_CONFIG_JSON_MERGE is also set, the entrypoint additionally fails with:
    /usr/local/bin/entrypoint: line 31: /opt/cardano/config/preview/config-merged.json: Permission denied

Expected behavior
The container should support running as a non-root user. Generated files should be written to a user-writable location (e.g. /tmp) instead of root-owned paths:

  • run-node writeRootEnv() (line 91): write to /tmp/env instead of /usr/local/bin/env
  • entrypoint (line 31): write config-merged.json / topology-merged.json to /tmp instead of /opt/cardano/config//

System info (please complete the following information):

  • OS Name: Linux (Kubernetes)
  • OS Version: Kernel 5.10
  • Node version: cardano-node 10.5.2 (ghcr.io/intersectmbo/cardano-node:10.5.2)
  • CLI version: N/A
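
One way to pick the write location at runtime instead of hard-coding a root-owned path, as an added example that is not code from run-node or the entrypoint script. `writable_dir` and `write_generated` are hypothetical helper names; the file is created with `mktemp` and renamed into place, so a predictable name under /tmp that was pre-created as a symlink is replaced rather than followed.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not taken from the cardano-node image.

# Print the first directory that exists and is writable by the current UID:
# the preferred (image) path first, then a runtime fallback (default /tmp).
writable_dir() {
    preferred=$1
    fallback=${2:-${TMPDIR:-/tmp}}
    for d in "$preferred" "$fallback"; do
        if [ -d "$d" ] && [ -w "$d" ]; then
            printf '%s\n' "$d"
            return 0
        fi
    done
    echo "no writable directory among: $preferred $fallback" >&2
    return 1
}

# Write stdin to <dir>/<name> and print the final path for the caller.
#   $1 preferred directory, $2 file name, $3 optional fallback directory
# mktemp creates the temp file with mode 0600; mv within one directory is an
# atomic rename, so readers never see a half-written file.
write_generated() {
    dir=$(writable_dir "$1" "$3") || return 1
    name=$2
    tmp=$(mktemp "$dir/.$name.XXXXXX") || return 1
    if cat > "$tmp" && mv -f "$tmp" "$dir/$name"; then
        printf '%s\n' "$dir/$name"
    else
        rm -f "$tmp"
        return 1
    fi
}
```

The caller has to use the printed path (for example when sourcing the env file or passing the merged config to the node) rather than assuming the original location.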
