Unroot docker examples and fix stdout permissions in container

[phlax]

Commit Message: Update examples to use non-well known ports and not the root user
Additional Description:
I have updated 80 -> 8000 for any ports I could see that were exposed by an envoy container.

I left one example (load-reporting-service) using port 80 and instead added the ENVOY_UID env var

Some docs (eg docs/root/start/sandboxes) that have port 80 coded in relation to these examples, have been updated

Also adds fix for envoy permissions on /dev/stdout and /dev/stderr

Risk Level: Low
Testing: Manual testing
Docs Changes:

• Sandbox examples updated to reflect port changes
• Note added about uid/gid of container user

Release Notes: N/A
Fix #11506
Fix #11551

[junr03]

Thanks for the contribution, do you mind updating any stale docs? Thanks!

/wait

[phlax]

@junr03 i have updated the relevant docs - not sure if there are others - but these seem to be the ones that directly referenced the port 80 settings.

I have again committed separately - but will happily squash

[phlax]

also, im wondering if i should add a doc about the ENVOY_UID setting. Adding to the existing load_reporting_service example seems a bit arbitrary

[junr03]

also, im wondering if i should add a doc about the ENVOY_UID setting.

Yes, please.

/wait

[phlax]

documentation added

[lu4t]

Adding a comment and link to this issue:

#11679

as @dio requested....

[phlax]

@lu4t @dio - i updated the docs to use py3-pip - but then i saw #11680 so i can remove this commit in favour of that pr if required

commit removed

[junr03]

@lu4t @dio does this look good to both of you?

[dio]

Looks good, just a question: @phlax, do you want to tackle the access issue to /dev/stdout here as well (since it is related to privileged access too)? Thank you!

[phlax]

@dio i added a fix for permissions on /dev/stdout.

I also added it for /dev/stderr on the basis that a config may well use that pipe too.

I have tested the built image with the fault-injection example and this seems to work ok.

I wasn't entirely clear where the envoy-dev image is built - but im assuming its based on the recipe in ci/Dockerfile-envoy

[dio]

I wasn't entirely clear where the envoy-dev image is built - but im assuming its based on the recipe in ci/Dockerfile-envoy

Yes, you're right.

[dio]

Thanks, LGTM. Just an ask to add a comment on the decision of making the envoy user owns stdout and stderr (probably since it is a common use case when we have access logging) and a tiny nit to make sure the doc is rendered as intended.

[dio]

Nit. To use double backticks instead of the single one, e.g. for uid and gid, and other words that need to be rendered inside <span class="pre"></span> tag. For example:

``docker``

gives:

[phlax]

updated

[dio]

Thanks!

[mattklein123]

Nice!