container: Rework uid/gid alignment with caller

Already create the builder user/group during container image build and only align the IDs in the entrypoint if started with a non-zero USER_ID. The primary gain is code simplification because this removes some dynamics from the entrypoint. As this refactoring avoids that gitlab-ci runners start the container as root, it was also supposed to resolve the mismatch between the owner of the checked-out repo and builder user. Unfortunately, this does not work yet, and the reason is still unclear. Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
2023-02-05 21:02:07 +01:00
parent a596e2ac33
commit 492b2c56ab
3 changed files with 16 additions and 21 deletions
--- a/7
+++ b/7
@@ -33,6 +33,8 @@ RUN echo "builder ALL=NOPASSWD: ALL" > /etc/sudoers.d/builder-nopasswd && \
 RUN echo "Defaults env_keep += \"ftp_proxy http_proxy https_proxy no_proxy\"" \
    > /etc/sudoers.d/env_keep && chmod 660 /etc/sudoers.d/env_keep

+RUN useradd builder --user-group --create-home --home-dir /builder
+
 ENTRYPOINT ["/kas/container-entrypoint"]

 FROM kas-base as kas-isar
@@ -49,8 +51,11 @@ RUN apt-get update && \
            umoci skopeo && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
+    sbuild-adduser builder && \
    sed -i 's|# kas-isar: ||g' /kas/container-entrypoint

+USER builder
+
 FROM kas-base as kas

 # The install package list are actually taking 1:1 from their documentation,
@@ -67,3 +72,5 @@ RUN apt-get update && \
    fi && \
    apt-get clean && \
    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+USER builder