---
phase: 02-lab-01-iam-sicurezza
plan: 03
title: "Infrastructure Implementation (GREEN Phase)"
subsystem: "Lab 01 - IAM & Sicurezza"
tags: [docker, infrastructure, tdd, green-phase, security]

# Dependency Graph
provides:
  - artifact: "Dockerfile"
    location: "labs/lab-01-iam/Dockerfile"
    description: "Non-root container image definition"
  - artifact: "docker-compose.yml"
    location: "labs/lab-01-iam/docker-compose.yml"
    description: "Service orchestration with user directive"
  - artifact: "04-verify-infrastructure.sh"
    location: "labs/lab-01-iam/tests/04-verify-infrastructure.sh"
    description: "Infrastructure verification script"
requires:
  - plan: "02-01"
    artifacts: ["Test scripts from RED phase"]
  - plan: "02-02"
    artifacts: ["Research findings on non-root containers"]
affects:
  - phase: "02-lab-01-iam-sicurezza"
    plans: ["02-04", "02-05"]

# Tech Stack
tech-stack:
  added: []
  patterns:
    - "Non-root container execution (USER directive in Dockerfile)"
    - "User directive enforcement in docker-compose.yml"
    - "TDD GREEN phase methodology"

# Key Files
key-files:
  created:
    - path: "labs/lab-01-iam/Dockerfile"
      lines: 61
      description: "Non-root container image with labuser (UID 1000)"
    - path: "labs/lab-01-iam/docker-compose.yml"
      lines: 37
      description: "Service definition with user: 1000:1000 directive"
    - path: "labs/lab-01-iam/tests/04-verify-infrastructure.sh"
      lines: 163
      description: "Infrastructure verification (6 tests)"
  modified:
    - path: "None"
      description: "No files modified"

# Decisions Made
decisions:
  - decision: "Use Alpine 3.19 as base image"
    rationale: "Minimal, secure, standard for containers"
    alternatives: ["ubuntu:22.04 (rejected: too large)", "debian:bookworm (rejected: larger than alpine)"]
  - decision: "UID/GID 1000 for labuser"
    rationale: "Standard non-root user ID, avoids conflicts"
    alternatives: ["UID 1001+ (rejected: unnecessary complexity)"]
  - decision: "No resource limits in this phase"
    rationale: "INF-01 focuses on non-root execution, limits will be added in Lab 03 (Compute)"
    impact: "Will be addressed in future phase"

# Metrics
metrics:
  duration: "233 seconds (~4 minutes)"
  completed_date: "2026-03-24"
  tasks_completed: 3
  files_created: 3
  total_lines: 261

# Deviations
deviations: "None - plan executed exactly as written"
---

# Phase 2 Plan 03: Infrastructure Implementation (GREEN Phase)

## Summary

Create the Docker infrastructure (Dockerfile and docker-compose.yml) that implements non-root container execution (INF-01). Following TDD methodology, the infrastructure is created AFTER the tests exist, and the tests should now pass (GREEN phase).

## What Was Built

### 1. Dockerfile (`labs/lab-01-iam/Dockerfile`)

Created a 61-line Dockerfile that implements non-root container execution:

- **Base Image:** Alpine 3.19 (minimal, secure)
- **User Creation:** Creates `labuser` with UID/GID 1000 using `addgroup` and `adduser`
- **USER Directive:** Switches to the non-root user BEFORE any operations
- **Verification:** CMD demonstrates non-root execution with `whoami`, `id`, and other checks
- **Labels:** Metadata for documentation and traceability
- **Test File:** Creates a file in the user's home directory and verifies write permissions

The implementation follows the INF-01 requirement strictly: no process runs as root.

### 2. Docker Compose Configuration (`labs/lab-01-iam/docker-compose.yml`)

Created a 37-line docker-compose.yml that enforces non-root execution:

- **Service Definition:** `lab01-test` builds from the local Dockerfile
- **User Directive:** `user: "1000:1000"` enforces non-root execution
- **Container Name:** `lab01-iam-test` for easy reference in tests
- **Healthcheck:** Verifies the non-root user with `whoami | grep -q labuser`
- **No Ports Exposed:** Security best practice; none are needed for this lab
- **Comments:** Explain why there are no volumes/networks (future labs)

Follows Docker Compose V3.8 syntax and the INF-01 compliance requirements.

### 3. Infrastructure Verification Script (`labs/lab-01-iam/tests/04-verify-infrastructure.sh`)

Created a 163-line bash script that validates all infrastructure requirements:

- **Test 1:** Validates docker-compose.yml syntax
- **Test 2:** Checks that the Dockerfile exists and has a USER directive
- **Test 3:** Verifies that docker-compose.yml has a non-root user directive
- **Test 4:** Builds the Docker image successfully
- **Test 5:** Verifies the container runs as non-root (whoami check)
- **Test 6:** Starts the docker-compose service and verifies execution

**Result:** 6/6 tests passed; GREEN phase complete.

## Deviations from Plan

None; the plan was executed exactly as written. All TDD GREEN phase requirements are satisfied.

## Technical Implementation Details

### Non-Root Container Pattern

The implementation follows Docker security best practices:

```dockerfile
# Create non-root user
RUN addgroup -g 1000 labuser && \
    adduser -D -u 1000 -G labuser labuser

# Switch BEFORE any operations
USER labuser

# Verify in CMD
CMD ["sh", "-c", "whoami && ..."]
```

### User Directive Enforcement

Docker Compose enforces non-root execution at runtime:

```yaml
services:
  lab01-test:
    user: "1000:1000"  # UID:GID
```

This defense-in-depth approach ensures:

1. The Dockerfile switches to the non-root user
2. docker-compose.yml enforces it at runtime
3. The healthcheck verifies it continuously
4. The tests validate it automatically

### Fixed Issues During Implementation

1. **Docker Compose V2 Command:** Updated `docker-compose` to `docker compose` (hyphen removed in V2)
2. **Bash Arithmetic with `set -e`:** Used helper functions `inc_pass()` and `inc_fail()` with `|| true` to handle counter increments
3. **Docker Build Context:** Fixed the build command to use `-q .` instead of `-q Dockerfile`

## Verification Results

All 6 infrastructure tests passed:

```
[1/6] docker-compose.yml is valid YAML                 PASS
[2/6] Dockerfile exists with USER directive            PASS
[3/6] docker-compose.yml user directive (1000:1000)    PASS
[4/6] Docker image builds successfully                 PASS
[5/6] Container runs as non-root (labuser)             PASS
[6/6] docker-compose service verification              PASS
```

## Requirements Satisfied

- **LAB-01:** Students can configure users and Docker permissions
- **INF-01:** No container runs as root (strictly enforced)
- **TEST-01:** Test-driven infrastructure methodology followed

## Next Steps

Phase 2 Plan 04 will continue with documentation (Diátaxis framework):

- Tutorial: Step-by-step guide for running the lab
- How-to Guides: Specific procedures (cleanup, verification)
- Reference: Technical specifications (ports, commands)
- Explanation: Cloud parallelism concepts

## Commits

- `317d94a`: feat(02-03): create Dockerfile with non-root user
- `c534d59`: feat(02-03): create docker-compose.yml with user directive
- `e4c497d`: feat(02-03): create infrastructure verification script
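As an added example that is not part of the lab's own `04-verify-infrastructure.sh`, the POSIX shell script below shows the static half of the verification described above (the Dockerfile and docker-compose.yml checks of Tests 2 and 3), the `inc_pass()`/`inc_fail()` workaround for `set -e` arithmetic from the Fixed Issues list, and one refinement the page's check does not mention: it reads the last `USER` directive rather than only confirming that one exists, so a Dockerfile that switches to `labuser` and then back to `root` is rejected. The sample Dockerfiles and compose files are constructed inline, and the function and file names are this example's own, not the lab's.

```shell
#!/bin/sh
# Added example, not the lab's own 04-verify-infrastructure.sh: static checks that a
# Dockerfile and a compose file enforce non-root execution, with the pass/fail
# counters written to survive `set -e`. All sample files below are constructed here.
set -e

PASS=0
FAIL=0

# Bash's `(( PASS++ ))` returns non-zero when the old value was 0, which kills a
# `set -e` script on the very first increment. Doing the increment as an assignment
# inside a helper, guarded with `|| true`, keeps the counters safe.
inc_pass() { PASS=$((PASS + 1)) || true; }
inc_fail() { FAIL=$((FAIL + 1)) || true; }

# The LAST `USER` directive in a Dockerfile decides the runtime identity, so a file
# that switches to labuser and later back to root must fail. Returns 0 for non-root.
dockerfile_runs_nonroot() {
    last_user=$(grep -E '^[[:space:]]*USER[[:space:]]+' "$1" | tail -n 1 | awk '{print $2}')
    [ -n "$last_user" ] || return 1
    case "$last_user" in
        root|0|root:*|0:*) return 1 ;;
    esac
    return 0
}

# A compose `user:` entry pins UID[:GID] at runtime. Returns 0 when it is present
# and the UID part is neither 0 nor root (quotes and trailing comments are stripped).
compose_user_nonroot() {
    u=$(grep -E '^[[:space:]]*user:' "$1" | head -n 1 \
        | sed -e 's/^[[:space:]]*user:[[:space:]]*//' -e 's/[[:space:]]*#.*$//' \
        | tr -d "\"'")
    [ -n "$u" ] || return 1
    uid=${u%%:*}
    [ "$uid" != "0" ] && [ "$uid" != "root" ]
}

# Run one named check; the `if` keeps a failing check from aborting the script.
check() {
    desc=$1
    shift
    if "$@"; then
        inc_pass
        printf '%-52s PASS\n' "$desc"
    else
        inc_fail
        printf '%-52s FAIL\n' "$desc"
    fi
}

# Constructed samples: one compliant pair and one non-compliant pair.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

cat > "$SAMPLE_DIR/Dockerfile.good" <<'EOF'
FROM alpine:3.19
RUN addgroup -g 1000 labuser && adduser -D -u 1000 -G labuser labuser
USER labuser
CMD ["sh", "-c", "whoami && id"]
EOF

# Has a USER directive (so a bare "USER present" grep would pass it) but ends as root.
cat > "$SAMPLE_DIR/Dockerfile.bad" <<'EOF'
FROM alpine:3.19
RUN addgroup -g 1000 labuser && adduser -D -u 1000 -G labuser labuser
USER labuser
USER root
CMD ["sh"]
EOF

cat > "$SAMPLE_DIR/compose.good.yml" <<'EOF'
services:
  lab01-test:
    build: .
    user: "1000:1000"  # UID:GID
EOF

cat > "$SAMPLE_DIR/compose.bad.yml" <<'EOF'
services:
  lab01-test:
    build: .
    user: "0:0"
EOF

# Runs the four static checks; the two .bad samples are expected to show FAIL.
run_static_checks() {
    PASS=0
    FAIL=0
    check "Dockerfile.good: last USER is non-root" dockerfile_runs_nonroot "$SAMPLE_DIR/Dockerfile.good"
    check "Dockerfile.bad: last USER is non-root" dockerfile_runs_nonroot "$SAMPLE_DIR/Dockerfile.bad"
    check "compose.good.yml: user directive is non-root" compose_user_nonroot "$SAMPLE_DIR/compose.good.yml"
    check "compose.bad.yml: user directive is non-root" compose_user_nonroot "$SAMPLE_DIR/compose.bad.yml"
    printf 'Passed: %d  Failed: %d\n' "$PASS" "$FAIL"
}

run_static_checks
```

In a real verification script the two `.bad` samples would not exist and the script would finish with `exit "$FAIL"`, so a single failed check makes the whole run non-zero; here the deliberately broken samples are kept so the output shows both outcomes. The live checks of the lab (building the image and running `whoami` inside the container) still need Docker and are left to the lab's own script.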