SiegfriedSiegert/PTU5KAS
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

container: Rework uid/gid alignment with caller

Browse Source 
Already create the builder user/group during container image build and
only align the IDs in the entrypoint if started with a non-zero USER_ID.
The primary gain is code simplification because this removes some
dynamics from the entrypoint.

As this refactoring avoids that gitlab-ci runners start the container as
root, it was also supposed to resolve the mismatch between the owner of
the checked-out repo and builder user. Unfortunately, this does not work
yet, and the reason is still unclear.

Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
This commit is contained in:
Jan Kiszka 2023-02-05 21:02:07 +01:00
parent a596e2ac33
commit 492b2c56ab
3 changed files with 16 additions and 21 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
Dockerfile
View File

@ -33,6 +33,8 @@ RUN echo "builder ALL=NOPASSWD: ALL" > /etc/sudoers.d/builder-nopasswd && \
RUN echo "Defaults env_keep += \"ftp_proxy http_proxy https_proxy no_proxy\"" \ RUN echo "Defaults env_keep += \"ftp_proxy http_proxy https_proxy no_proxy\"" \
> /etc/sudoers.d/env_keep && chmod 660 /etc/sudoers.d/env_keep > /etc/sudoers.d/env_keep && chmod 660 /etc/sudoers.d/env_keep
RUN useradd builder --user-group --create-home --home-dir /builder
ENTRYPOINT ["/kas/container-entrypoint"] ENTRYPOINT ["/kas/container-entrypoint"]
FROM kas-base as kas-isar FROM kas-base as kas-isar
@ -49,8 +51,11 @@ RUN apt-get update && \
umoci skopeo && \ umoci skopeo && \
apt-get clean && \ apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \ rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* && \
sbuild-adduser builder && \
sed -i 's|# kas-isar: ||g' /kas/container-entrypoint sed -i 's|# kas-isar: ||g' /kas/container-entrypoint
USER builder
FROM kas-base as kas FROM kas-base as kas
# The install package list are actually taking 1:1 from their documentation, # The install package list are actually taking 1:1 from their documentation,
@ -67,3 +72,5 @@ RUN apt-get update && \
fi && \ fi && \
apt-get clean && \ apt-get clean && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
USER builder

28
container-entrypoint
View File

@ -1,6 +1,6 @@
#!/bin/bash #!/bin/bash
# kas-isar: update-binfmts --enable && [ -f /proc/sys/fs/binfmt_misc/status ] # kas-isar: sudo update-binfmts --enable && [ -f /proc/sys/fs/binfmt_misc/status ]
if mount | grep -q "on / type aufs"; then if mount | grep -q "on / type aufs"; then
cat <<EOF >&2 cat <<EOF >&2
@ -13,29 +13,17 @@ may also need to update the host distribution (e.g. Debian Jessie -> Stretch).
EOF EOF
fi fi
USER_ID=${USER_ID:-30000} if [ -z "$USER_ID" ] || [ "$USER_ID" == 0 ]; then
GROUP_ID=${GROUP_ID:-30000} # Not a kas-container call, or we shall run everything as root
if [ "$USER_ID" == 0 ]; then
# We shall run everything as root
mkdir -p /builder
GOSU=""
elif [ "$USER_ID" == "$UID" ]; then
GOSU="" GOSU=""
else else
if ! grep -q "^builder:" /etc/group; then GROUP_ID=${GROUP_ID:-$(id -g)}
groupadd -o --gid "$GROUP_ID" builder
fi groupmod -o --gid "$GROUP_ID" builder
if ! id builder >/dev/null 2>&1; then usermod -o --uid "$USER_ID" --gid "$GROUP_ID" builder >/dev/null
# Create a non-root user that will perform the actual build chown -R "$USER_ID":"$GROUP_ID" /builder
useradd -o --uid "$USER_ID" --gid "$GROUP_ID" --create-home \
--home-dir /builder builder
fi
GOSU="gosu builder" GOSU="gosu builder"
# kas-isar: sbuild-adduser builder >/dev/null 2>&1
fi fi
if [ "$PWD" = / ]; then if [ "$PWD" = / ]; then

2
kas-container
View File

@ -176,7 +176,7 @@ if [ -z "${KAS_CONTAINER_ENGINE}" ]; then
fi fi
fi fi
KAS_RUNTIME_ARGS="--log-driver=none" KAS_RUNTIME_ARGS="--log-driver=none --user=root"
case "${KAS_CONTAINER_ENGINE}" in case "${KAS_CONTAINER_ENGINE}" in
docker) docker)