feat(cli): validator container runs with cartesi unprivileged user

Using the post_start docker compose hook, we can create the snapshot
directory and copy the snapshot using the root user and start the
container with cartesi unprivileged user.

Requires compose plugin 2.30.0

See: https://docs.docker.com/compose/how-tos/lifecycle/

.changeset/seven-seals-pull.md

@@ -0,0 +1,5 @@
+---
+"@cartesi/cli": patch
+---
+
+validator container will run with cartesi unprivileged user

apps/cli/src/commands/doctor.ts

@@ -8,7 +8,7 @@ export default class DoctorCommand extends BaseCommand<typeof DoctorCommand> {
     static examples = ["<%= config.bin %> <%= command.id %>"];
 
     private static MINIMUM_DOCKER_VERSION = "23.0.0"; // Replace with our minimum required Docker version
-    private static MINIMUM_DOCKER_COMPOSE_VERSION = "2.21.0"; // Replace with our minimum required Docker Compose version
+    private static MINIMUM_DOCKER_COMPOSE_VERSION = "2.30.0"; // Replace with our minimum required Docker Compose version
     private static MINIMUM_BUILDX_VERSION = "0.13.0"; // Replace with our minimum required Buildx version
 
     private async checkDocker(): Promise<true | never> {

apps/cli/src/node/docker-compose-validator.yaml

@@ -13,13 +13,21 @@ services:
             interval: 10s
             timeout: 1s
             retries: 5
-        user: root
+        post_start:
+            - command:
+                  - /bin/bash
+                  - -c
+                  - |
+                      mkdir -p "$CARTESI_SNAPSHOT_DIR"
+                      cp --recursive /tmp/snapshot/* "$CARTESI_SNAPSHOT_DIR"
+              user: root
         command:
             - /bin/bash
             - -c
             - |
-                mkdir -p "$CARTESI_SNAPSHOT_DIR"
-                cp --recursive /tmp/snapshot/* "$CARTESI_SNAPSHOT_DIR"
+                while ! stat "$CARTESI_SNAPSHOT_DIR" &>/dev/null; do
+                    sleep 0.5
+                done
                 exec cartesi-rollups-node
 
         env_file: