From 492b2c56abfc378c356c91217f09271ac7a0c97c Mon Sep 17 00:00:00 2001
From: Jan Kiszka
Date: Sun, 5 Feb 2023 21:02:07 +0100
Subject: [PATCH] container: Rework uid/gid alignment with caller

Already create the builder user/group during container image build and only align the IDs in the entrypoint if started with a non-zero USER_ID. The primary gain is code simplification because this removes some dynamics from the entrypoint. As this refactoring avoids that gitlab-ci runners start the container as root, it was also supposed to resolve the mismatch between the owner of the checked-out repo and builder user. Unfortunately, this does not work yet, and the reason is still unclear.

Signed-off-by: Jan Kiszka
---
 Dockerfile           | 7 +++++++
 container-entrypoint | 28 ++++++++-------------------
 kas-container        | 2 +-
 3 files changed, 16 insertions(+), 21 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 34fe9dc..d382b84 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -33,6 +33,8 @@ RUN echo "builder ALL=NOPASSWD: ALL" > /etc/sudoers.d/builder-nopasswd && \
 RUN echo "Defaults env_keep += \"ftp_proxy http_proxy https_proxy no_proxy\"" \
     > /etc/sudoers.d/env_keep && chmod 660 /etc/sudoers.d/env_keep
 
+RUN useradd builder --user-group --create-home --home-dir /builder
+
 ENTRYPOINT ["/kas/container-entrypoint"]
 
 FROM kas-base as kas-isar
@@ -49,8 +51,11 @@ RUN apt-get update && \
     umoci skopeo && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
+    sbuild-adduser builder && \
     sed -i 's|# kas-isar: ||g' /kas/container-entrypoint
 
+USER builder
+
 FROM kas-base as kas
 
 # The install package list are actually taking 1:1 from their documentation,
@@ -67,3 +72,5 @@ RUN apt-get update && \
     fi && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+USER builder
diff --git a/container-entrypoint b/container-entrypoint
index 2de4346..a10e1dd 100755
--- a/container-entrypoint
+++ b/container-entrypoint
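Review bot: The `USER builder` directives added at the end of the kas-isar stage (second hunk) and the kas stage (third hunk) do not reduce the image's effective privilege, because the context line heading the first hunk still grants `builder ALL=NOPASSWD: ALL`, and the entrypoint's new groupmod/usermod/chown -R steps need root anyway, which is why kas-container now passes `--user=root`. Anyone who runs the image with its new default user and a non-zero USER_ID will have those steps fail, and the entrypoint hunk checks none of their exit statuses, so it continues silently with the baked-in ids. I would put a comment above each `USER builder`, e.g. `# Default to the unprivileged user; the entrypoint still has to be started as root (kas-container passes --user=root) to realign builder's uid/gid with the caller, and builder keeps passwordless sudo.` The new `useradd` in kas-base also takes no `--uid`, so the uid owning /builder in the image layers is whatever the base image happens to allocate; if a stable id matters (e.g. for images used without the entrypoint realignment), pin it with `--uid`.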
@@ -1,6 +1,6 @@
 #!/bin/bash
-# kas-isar: update-binfmts --enable && [ -f /proc/sys/fs/binfmt_misc/status ]
+# kas-isar: sudo update-binfmts --enable && [ -f /proc/sys/fs/binfmt_misc/status ]
 
 if mount | grep -q "on / type aufs"; then
 	cat <&2
@@ -13,29 +13,17 @@ may also need to update the host distribution (e.g. Debian Jessie -> Stretch).
 EOF
 fi
 
-USER_ID=${USER_ID:-30000}
-GROUP_ID=${GROUP_ID:-30000}
-
-if [ "$USER_ID" == 0 ]; then
-	# We shall run everything as root
-	mkdir -p /builder
-
-	GOSU=""
-elif [ "$USER_ID" == "$UID" ]; then
+if [ -z "$USER_ID" ] || [ "$USER_ID" == 0 ]; then
+	# Not a kas-container call, or we shall run everything as root
 	GOSU=""
 else
-	if ! grep -q "^builder:" /etc/group; then
-		groupadd -o --gid "$GROUP_ID" builder
-	fi
-	if ! id builder >/dev/null 2>&1; then
-		# Create a non-root user that will perform the actual build
-		useradd -o --uid "$USER_ID" --gid "$GROUP_ID" --create-home \
-			--home-dir /builder builder
-	fi
+	GROUP_ID=${GROUP_ID:-$(id -g)}
+
+	groupmod -o --gid "$GROUP_ID" builder
+	usermod -o --uid "$USER_ID" --gid "$GROUP_ID" builder >/dev/null
+	chown -R "$USER_ID":"$GROUP_ID" /builder
 
 	GOSU="gosu builder"
-
-	# kas-isar: sbuild-adduser builder >/dev/null 2>&1
 fi
 
 if [ "$PWD" = / ]; then
diff --git a/kas-container b/kas-container
index 306d986..18d8722 100755
--- a/kas-container
+++ b/kas-container
@@ -176,7 +176,7 @@ if [ -z "${KAS_CONTAINER_ENGINE}" ]; then
 	fi
 fi
 
-KAS_RUNTIME_ARGS="--log-driver=none"
+KAS_RUNTIME_ARGS="--log-driver=none --user=root"
 
 case "${KAS_CONTAINER_ENGINE}" in
 docker)
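Review bot: None of the three new privileged steps in the else branch of the second hunk (`groupmod`, `usermod`, `chown -R`) has its exit status checked, and the script runs under plain `#!/bin/bash` with no `set -e`, so if any of them fails (the container started without root now that the image defaults to USER builder, or a USER_ID that is not a number) execution carries on to `gosu builder` with builder still at its baked-in ids, which is exactly the owner mismatch the commit message says is still unexplained. USER_ID and GROUP_ID are taken straight from the caller's environment and handed to usermod/groupmod without validation. The new fallback `GROUP_ID=${GROUP_ID:-$(id -g)}` evaluates `id -g` inside the container, which is 0 whenever the container is started as root (as kas-container now does with --user=root), so a caller that sets USER_ID but not GROUP_ID moves builder into gid 0 and chowns /builder to that group; defaulting to `$USER_ID` (or the previous 30000) seems closer to the intent. If anything below /builder is bind-mounted from the host, `chown -R` rewrites ownership there as well, which is worth a comment even if it is intended.
```shell
else
	# USER_ID/GROUP_ID come from the caller's environment: accept numeric ids only
	[[ "$USER_ID" =~ ^[0-9]+$ ]] || { echo "invalid USER_ID: $USER_ID" >&2; exit 1; }
	GROUP_ID=${GROUP_ID:-$USER_ID}
	[[ "$GROUP_ID" =~ ^[0-9]+$ ]] || { echo "invalid GROUP_ID: $GROUP_ID" >&2; exit 1; }

	# These need root; abort rather than continuing with mismatched ids.
	groupmod -o --gid "$GROUP_ID" builder || exit 1
	usermod -o --uid "$USER_ID" --gid "$GROUP_ID" builder >/dev/null || exit 1
	# Note: also rewrites ownership of anything bind-mounted below /builder.
	chown -R "$USER_ID":"$GROUP_ID" /builder || exit 1
	# … unchanged: GOSU="gosu builder" …
```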
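Review bot: `--user=root` is appended to KAS_RUNTIME_ARGS unconditionally with no comment saying why, while the same series makes the image default to `USER builder`; a reader of kas-container alone sees this line undo that and has to find the entrypoint to learn that it exists so groupmod/usermod/chown can run before gosu drops to builder. I would add above it `# The entrypoint must start as root to realign builder's uid/gid with USER_ID/GROUP_ID; it drops to builder via gosu afterwards.` Since this flag is now the only thing that makes the entrypoint's id alignment work, any other way of starting the image (the gitlab-ci runners the commit message mentions) needs the same, which seems worth stating in the docs or commit message.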