
Define policy for performing updates (new prereqs) on DockerStatic test machines #2962

Closed
sxa opened this issue Feb 23, 2023 · 5 comments
Assignees
Labels
currency reliability secure-dev Issues specific to SSDF/SLSA compliance work

Comments

@sxa
Member

sxa commented Feb 23, 2023

As alluded to in #2954 we do not currently have a policy for ensuring that the DockerStatic containers used for running tests can be updated when a new test prerequisite is required. This issue will cover identifying a recipe/process for ensuring that, in the fairly rare case when a new dependency appears, we can handle adding it to all the DockerStatic containers that we have.

@Haroon-Khel
Contributor

Could create a Jenkins job which connects to each of the static docker nodes to update and install any packages we need. This would involve giving the jenkins user partial sudo access, enough to run install commands. This would be pretty easy to set up and maintain since the static docker nodes are all in Jenkins.

An alternative is to modify this script, https://github.com/adoptium/infrastructure/blob/master/ansible/playbooks/AdoptOpenJDK_Unix_Playbook/roles/DockerStatic/scripts/updatepackages.sh, to update/install a specified list of packages. This script is currently run as a cron job on dockerhost machines to keep their hosted containers updated.
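As an added illustration of the host-side alternative (this is example code written for this page, not the project's updatepackages.sh, whose contents are not shown here), the script below installs a given package list into every running container from the docker host via `docker exec`, so no Jenkins agent inside a container needs sudo. It assumes the host user may run the docker CLI, and detects each container's package manager by probing for the apt-get/dnf/yum/apk/zypper binaries; the function names are my own.

```shell
#!/bin/sh
# Added example, not the Adoptium infrastructure project's script.
# Install a list of packages into every running container from the
# docker host, so the Jenkins user inside the containers needs no sudo.
# Assumption: the invoking host user is allowed to use the docker CLI.

# Map a package-manager name to a non-interactive install command line.
install_cmd_for() {
  pm="$1"; shift
  case "$pm" in
    apt-get) echo "apt-get update -q && DEBIAN_FRONTEND=noninteractive apt-get install -y -q $*" ;;
    dnf)     echo "dnf install -y -q $*" ;;
    yum)     echo "yum install -y -q $*" ;;
    apk)     echo "apk add --no-cache $*" ;;
    zypper)  echo "zypper --non-interactive install $*" ;;
    *)       return 1 ;;
  esac
}

# Choose the first known package manager from a list of binaries found in a
# container (whitespace/newline separated, as produced by detect_pm).
pick_pm() {
  for pm in apt-get dnf yum apk zypper; do
    for found in $1; do
      [ "$found" = "$pm" ] && { echo "$pm"; return 0; }
    done
  done
  return 1
}

# Ask the container which of the known package managers it has on PATH.
detect_pm() {
  docker exec "$1" sh -c \
    'for p in apt-get dnf yum apk zypper; do command -v "$p" >/dev/null 2>&1 && echo "$p"; done'
}

# Install the requested packages into one container, using its own package manager.
install_in_container() {
  cid="$1"; shift
  pm=$(pick_pm "$(detect_pm "$cid")") || { echo "no known package manager in $cid" >&2; return 1; }
  cmd=$(install_cmd_for "$pm" "$@")
  docker exec "$cid" sh -c "$cmd"
}

# Walk every running container; keep going on failure and report a non-zero
# exit at the end so a cron/Jenkins run surfaces the containers that lagged.
install_everywhere() {
  [ $# -gt 0 ] || { echo "usage: $0 pkg [pkg...]" >&2; return 2; }
  rc=0
  for cid in $(docker ps -q); do
    echo "== $cid ($(docker inspect -f '{{.Name}}' "$cid"))"
    install_in_container "$cid" "$@" || rc=1
  done
  return $rc
}

# Only act when packages were given, e.g.: sh updateprereqs.sh curl git
[ $# -eq 0 ] || install_everywhere "$@"
```

Because the mapping lives on the host, adding a prerequisite becomes one cron or Jenkins invocation on the dockerhost rather than a credential change inside each static container; containers whose package manager is not recognised are reported rather than silently skipped.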

@sxa
Member Author

sxa commented May 30, 2023

I don't want any of the Jenkins agents to have elevated access. Doing so would allow any jobs to make modifications to the system and would be a major security concern.

As you suggest, that job is already performing the security updates - the additional concern here is that if we update the DockerStatic playbooks to add some new prerequisite, the machines don't get updated, so they end up out of date and potentially start failing tests.

@sxa
Member Author

sxa commented Aug 11, 2023

@Haroon-Khel Now that #3152 is in can you do an update to the TODO section of https://github.com/adoptium/infrastructure/blob/master/FAQ.md#dockerhost-todo to document the process we now have please?

@sxa
Member Author

sxa commented Sep 18, 2023

@Haroon-Khel Anything outstanding here now?

@Haroon-Khel
Contributor

This is complete
