chore: update testrunner image to use non-root user (#14106)

Updates the testrunner dockerfile to:

- Use non-root user
- Bonus: collapse some of the install steps so we can reduce the
resulting image size (7.27 GB vs 13.4 GB)

## Checklist
- [x] PR author has checked that all the criteria below are met
- The PR description includes an overview of the change
- The PR description articulates the motivation for the change
- The change includes tests OR the PR description describes a testing
strategy
- The PR description notes risks associated with the change, if any
- Newly-added code is easy to change
- The change follows the [library release note
guidelines](https://ddtrace.readthedocs.io/en/stable/releasenotes.html)
- The change includes or references documentation updates if necessary
- Backport labels are set (if
[applicable](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting))

## Reviewer Checklist
- [ ] Reviewer has checked that all the criteria below are met 
- Title is accurate
- All changes are related to the pull request's stated goal
- Avoids breaking
[API](https://ddtrace.readthedocs.io/en/stable/versioning.html#interfaces)
changes
- Testing strategy adequately addresses listed risks
- Newly-added code is easy to change
- Release note makes sense to a user of the library
- If necessary, author has acknowledged and discussed the performance
implications of this PR as reported in the benchmarks PR comment
- Backport labels are set in a manner that is consistent with the
[release branch maintenance
policy](https://ddtrace.readthedocs.io/en/latest/contributing.html#backporting)

Author: brettlangdon

docker/Dockerfile

@@ -4,41 +4,37 @@
 FROM debian:bookworm-slim
 
 ARG TARGETARCH
-ARG HATCH_VERSION=1.12.0
+ARG HATCH_VERSION=1.14.1
 ARG RIOT_VERSION=0.20.1
 
 # http://bugs.python.org/issue19846
 # > At the moment, setting "LANG=C" on a Linux system *fundamentally breaks Python 3*, and that's not OK.
-ENV LANG C.UTF-8
+ENV LANG=C.UTF-8
 
-# https://support.circleci.com/hc/en-us/articles/360045268074-Build-Fails-with-Too-long-with-no-output-exceeded-10m0s-context-deadline-exceeded-
-ENV PYTHONUNBUFFERED=1
-# Configure PATH environment for pyenv
-ENV PYENV_ROOT=/root/.pyenv
-ENV CARGO_ROOT=/root/.cargo
-ENV PATH=${PYENV_ROOT}/shims:${PYENV_ROOT}/bin:${CARGO_ROOT}/bin:$PATH
-ENV PYTHON_CONFIGURE_OPTS=--enable-shared
+# Use root user to install dependencies
+USER root
 
-WORKDIR /root/
-
-# Use .python-version to specify all Python versions for testing
-COPY .python-version /root/
+# Create our bits user
+RUN useradd -ms /bin/bash bits
 
 # Install system dependencies
 RUN apt-get update \
-  && apt-get install -y --no-install-recommends \
+    && apt-get install -y --no-install-recommends ca-certificates curl gnupg \
+    && curl https://mariadb.org/mariadb_release_signing_key.pgp | gpg --dearmor > /etc/apt/trusted.gpg.d/mariadb.gpg \
+    && echo "deb [arch=amd64,arm64] https://mirror.mariadb.org/repo/11.rolling/debian/ bookworm main" > /etc/apt/sources.list.d/mariadb.list \
+    && apt-get update \
+    && apt-get install -y --no-install-recommends \
       apt-transport-https \
       build-essential \
-      ca-certificates \
       clang-format \
-      curl \
       gdb \
       git \
-      gnupg \
       jq \
       libbz2-dev \
       libffi-dev \
       liblzma-dev \
+      libmariadb-dev \
+      libmariadb-dev-compat \
       libmemcached-dev \
       libmemcached-dev \
       libncurses5-dev \
@@ -49,61 +45,58 @@ RUN apt-get update \
       libsqlite3-dev \
       libsqliteodbc \
       libssh-dev \
+      nodejs \
+      npm \
       patch \
       unixodbc-dev \
       wget \
       zlib1g-dev \
-      awscli
-
-# Allow running datadog-ci in CI with npx
-RUN apt-get install -y --no-install-recommends nodejs npm \
-  && npm install -g @datadog/datadog-ci
+      awscli \
+    # Allow running datadog-ci in CI with npx
+    && npm install -g @datadog/datadog-ci \
+    # Install azure-functions-core-tools-4, only supported on amd64 architecture for Linux
+    # https://github.com/Azure/azure-functions-core-tools/issues/3112
+    && if [ "$TARGETARCH" = "amd64" ]; \
+    then \
+      curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg \
+      && mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg \
+      && echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-debian-bookworm-prod bookworm main" > /etc/apt/sources.list.d/dotnetdev.list \
+      && apt-get update \
+      && apt-get install -y --no-install-recommends azure-functions-core-tools-4=4.0.6280-1; \
+    fi \
+    # Google Chrome is needed for selenium contrib tests but is currently only available on amd64
+    && if [ "$TARGETARCH" = "amd64" ]; \
+    then \
+      curl https://dl.google.com/linux/linux_signing_key.pub |gpg --dearmor > /etc/apt/trusted.gpg.d/google.gpg \
+      && echo 'deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main' > /etc/apt/sources.list.d/google-chrome.list \
+      && apt-get update \
+      && apt-get install -y --no-install-recommends google-chrome-stable ; \
+    fi \
+    # Cleaning up apt cache space
+    && rm -rf /var/lib/apt/lists/*
 
-# MariaDB is a dependency for tests
-RUN curl https://mariadb.org/mariadb_release_signing_key.pgp | gpg --dearmor > /etc/apt/trusted.gpg.d/mariadb.gpg \
-  && echo "deb [arch=amd64,arm64] https://mirror.mariadb.org/repo/11.rolling/debian/ bookworm main" > /etc/apt/sources.list.d/mariadb.list \
-  && apt-get update \
-  && apt-get install -y --no-install-recommends libmariadb-dev libmariadb-dev-compat
 
-# Install azure-functions-core-tools-4, only supported on amd64 architecture for Linux
-# https://github.com/Azure/azure-functions-core-tools/issues/3112
-RUN if [ "$TARGETARCH" = "amd64" ]; \
-  then \
-    curl https://packages.microsoft.com/keys/microsoft.asc | gpg --dearmor > microsoft.gpg \
-    && mv microsoft.gpg /etc/apt/trusted.gpg.d/microsoft.gpg \
-    && echo "deb [arch=amd64] https://packages.microsoft.com/repos/microsoft-debian-bookworm-prod bookworm main" > /etc/apt/sources.list.d/dotnetdev.list \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends azure-functions-core-tools-4=4.0.6280-1; \
-  fi
+USER bits
+WORKDIR /home/bits/
 
-# Google Chrome is needed for selenium contrib tests but is currently only available on amd64
-RUN if [ "$TARGETARCH" = "amd64" ]; \
-  then \
-    curl https://dl.google.com/linux/linux_signing_key.pub |gpg --dearmor > /etc/apt/trusted.gpg.d/google.gpg \
-    && echo 'deb [arch=amd64] http://dl.google.com/linux/chrome/deb/ stable main' > /etc/apt/sources.list.d/google-chrome.list \
-    && apt-get update \
-    && apt-get install -y --no-install-recommends google-chrome-stable ; \
-  fi
-
-# Cleaning up apt cache space
-RUN rm -rf /var/lib/apt/lists/*
+ENV PYTHONUNBUFFERED=1
+ENV PYENV_ROOT=/home/bits/.pyenv
+ENV CARGO_ROOT=/home/bits/.cargo
+ENV PATH=/home/bits/.local/bin:${PYENV_ROOT}/shims:${PYENV_ROOT}/bin:${CARGO_ROOT}/bin:$PATH
+ENV PYTHON_CONFIGURE_OPTS=--enable-shared
 
 # Install Rust toolchain
 RUN curl https://sh.rustup.rs -sSf | \
     sh -s -- --default-toolchain stable -y
 
+# Use .python-version to specify all Python versions for testing
+COPY .python-version /home/bits/
+
 # Install pyenv and necessary Python versions
-RUN git clone --depth 1 --branch v2.4.22 https://github.com/pyenv/pyenv "${PYENV_ROOT}" \
+RUN git clone --depth 1 --branch "v2.6.4" https://github.com/pyenv/pyenv "${PYENV_ROOT}" \
   && pyenv local | xargs -L 1 pyenv install \
   && cd -
 
-RUN if [ "$TARGETARCH" = "amd64" ]; \
-    then curl -L https://github.com/pypa/hatch/releases/download/hatch-v${HATCH_VERSION}/hatch-x86_64-unknown-linux-gnu.tar.gz | tar zx; \
-    else curl -L https://github.com/pypa/hatch/releases/download/hatch-v${HATCH_VERSION}/hatch-aarch64-unknown-linux-gnu.tar.gz | tar zx; \
-    fi \
-  && install -t /usr/local/bin hatch \
-  && hatch -q
-
-RUN pip install --no-cache-dir -U "riot==${RIOT_VERSION}"
+RUN pip install --no-cache-dir -U "riot==${RIOT_VERSION}" "hatch==${HATCH_VERSION}"
 
 CMD ["/bin/bash"]