author | MarcoFalke <falke.marco@gmail.com> | 2022-11-22 12:46:05 +0100 |
---|---|---|
committer | MarcoFalke <falke.marco@gmail.com> | 2022-11-22 12:46:40 +0100 |
commit | 85892f77c98c7a08834a06d52af3eb474275afd8 (patch) | |
tree | a4161a985b7c12151d13735fefc1a6c91da8b1a3 /ci/test | |
parent | 1ef498f75b1cc0b915ca65410b1dfb63860d9347 (diff) | |
parent | 849f20a6d3e437631a07469d3c4af5faa0aa06ed (diff) |
Merge bitcoin/bitcoin#25900: ci: run docker wrapper with a non-root user
849f20a6d3e437631a07469d3c4af5faa0aa06ed ci: create and use non-root user for docker image (josibake)
Pull request description:
Previously, everything in the ci docker image ran as the root user. This would lead to certain directories (`ci/scratch`, `depends`) being owned by `root` after running the ci locally which would lead to annoying behavior such as subsequent guix builds failing due to `depends/` being owned by root.
This PR adds a non-root user in the container and chowns the mounted working directory. All the `docker exec` commands now run as the non-root user, except for the few that still need to run as root (mainly, installing packages).
To test this I checked out a fresh copy of the repo, applied my changes, ran the CI, and verified all the local file permissions were unchanged after the CI was finished running.
ACKs for top commit:
hebasto:
ACK 849f20a6d3e437631a07469d3c4af5faa0aa06ed, tested on Ubuntu 22.04 by running commands as follows:
Tree-SHA512: 734dca0f36157fce5fab243b4ff657fc17ba980e8e4e4644305f41002ff21bd5cef02c306ea1e0b5c841d4c07c095e8e4be16722e6a38c890717c60a3f5ec62a
Diffstat (limited to 'ci/test')
-rwxr-xr-x | ci/test/04_install.sh | 34 | ||||
-rwxr-xr-x | ci/test/05_before_script.sh | 1 |
2 files changed, 27 insertions, 8 deletions
diff --git a/ci/test/04_install.sh b/ci/test/04_install.sh
index a4f1a8a7ff..c25abb99ee 100755
--- a/ci/test/04_install.sh
+++ b/ci/test/04_install.sh
@@ -27,6 +27,11 @@ export P_CI_DIR="$PWD"
 if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
 echo "Creating $DOCKER_NAME_TAG container to run in"
+ LOCAL_UID=$(id -u)
+ LOCAL_GID=$(id -g)
+
+ # the name isn't important, so long as we use the same UID
+ LOCAL_USER=nonroot
 ${CI_RETRY_EXE} docker pull "$DOCKER_NAME_TAG"
 if [ -n "${RESTART_CI_DOCKER_BEFORE_RUN}" ] ; then
@@ -44,7 +49,16 @@ if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
 --env-file /tmp/env \
 --name $CONTAINER_NAME \
 $DOCKER_NAME_TAG)
- export DOCKER_CI_CMD_PREFIX="docker exec $DOCKER_ID"
+
+ # Create a non-root user inside the container which matches the local user.
+ #
+ # This prevents the root user in the container modifying the local file system permissions
+ # on the mounted directories
+ docker exec "$DOCKER_ID" useradd -u "$LOCAL_UID" -o -m "$LOCAL_USER"
+ docker exec "$DOCKER_ID" groupmod -o -g "$LOCAL_GID" "$LOCAL_USER"
+ docker exec "$DOCKER_ID" chown -R "$LOCAL_USER":"$LOCAL_USER" "${BASE_ROOT_DIR}"
+ export DOCKER_CI_CMD_PREFIX_ROOT="docker exec -u 0 $DOCKER_ID"
+ export DOCKER_CI_CMD_PREFIX="docker exec -u $LOCAL_UID $DOCKER_ID"
 else
 echo "Running on host system without docker wrapper"
 fi
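Review bot: `LOCAL_UID=$(id -u)` is used unchecked, so if the wrapper itself is started as UID 0 the `useradd -u "$LOCAL_UID" -o` in the next hunk creates `nonroot` as a second root account, and `DOCKER_CI_CMD_PREFIX` (`-u $LOCAL_UID`) and `DOCKER_CI_CMD_PREFIX_ROOT` (`-u 0`) end up at the same privilege level, silently defeating the root/non-root split the rest of the change relies on. Refusing that case is one line after `LOCAL_GID=$(id -g)`: `[ "$LOCAL_UID" != "0" ] || { echo "Run the CI wrapper as a non-root user" >&2; exit 1; }`. If running the wrapper as root is meant to stay supported, the comment above `LOCAL_USER=nonroot` should say so, since the name is then misleading.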
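Review bot: `groupmod -o -g "$LOCAL_GID" "$LOCAL_USER"` assumes `useradd` created a private group named `nonroot`, which depends on the image's `USERGROUPS_ENAB` setting in `login.defs`; where that is off, `useradd` assigns a default group and the `groupmod` fails, or, if the script is not running under `set -e` (its header is outside the hunk), is skipped and the container user keeps a GID that does not match the mounted files. Making the group explicit removes the dependency: `docker exec "$DOCKER_ID" groupadd -o -g "$LOCAL_GID" "$LOCAL_USER"` followed by `docker exec "$DOCKER_ID" useradd -u "$LOCAL_UID" -o -m -g "$LOCAL_USER" "$LOCAL_USER"`. None of the three `docker exec` lines carries an explicit status check, so the `chown -R` and the prefix exports may proceed after a failed user creation. The `chown -R` also rewrites ownership of everything under `${BASE_ROOT_DIR}` on every run; a comment stating that this is deliberate (restoring host ownership of files left behind by earlier root runs) would help the next reader.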
@@ -52,15 +66,19 @@ fi
 CI_EXEC () {
 $DOCKER_CI_CMD_PREFIX bash -c "export PATH=$BASE_SCRATCH_DIR/bins/:\$PATH && cd \"$P_CI_DIR\" && $*"
 }
+CI_EXEC_ROOT () {
+ $DOCKER_CI_CMD_PREFIX_ROOT bash -c "export PATH=$BASE_SCRATCH_DIR/bins/:\$PATH && cd \"$P_CI_DIR\" && $*"
+}
 export -f CI_EXEC
+export -f CI_EXEC_ROOT
 if [ -n "$DPKG_ADD_ARCH" ]; then
- CI_EXEC dpkg --add-architecture "$DPKG_ADD_ARCH"
+ CI_EXEC_ROOT dpkg --add-architecture "$DPKG_ADD_ARCH"
 fi
 if [[ $DOCKER_NAME_TAG == *centos* ]]; then
- ${CI_RETRY_EXE} CI_EXEC dnf -y install epel-release
- ${CI_RETRY_EXE} CI_EXEC dnf -y --allowerasing install "$DOCKER_PACKAGES" "$PACKAGES"
+ ${CI_RETRY_EXE} CI_EXEC_ROOT dnf -y install epel-release
+ ${CI_RETRY_EXE} CI_EXEC_ROOT dnf -y --allowerasing install "$DOCKER_PACKAGES" "$PACKAGES"
 elif [ "$CI_USE_APT_INSTALL" != "no" ]; then
 if [[ "${ADD_UNTRUSTED_BPFCC_PPA}" == "true" ]]; then
 # Ubuntu 22.04 LTS and Debian 11 both have an outdated bpfcc-tools packages.
@@ -68,10 +86,10 @@ elif [ "$CI_USE_APT_INSTALL" != "no" ]; then
 # packages. Meanwhile, use an untrusted PPA to install an up-to-date version of the bpfcc-tools
 # package.
 # TODO: drop this once we can use newer images in GCE
- CI_EXEC add-apt-repository ppa:hadret/bpfcc
+ CI_EXEC_ROOT add-apt-repository ppa:hadret/bpfcc
 fi
- ${CI_RETRY_EXE} CI_EXEC apt-get update
- ${CI_RETRY_EXE} CI_EXEC apt-get install --no-install-recommends --no-upgrade -y "$PACKAGES" "$DOCKER_PACKAGES"
+ ${CI_RETRY_EXE} CI_EXEC_ROOT apt-get update
+ ${CI_RETRY_EXE} CI_EXEC_ROOT apt-get install --no-install-recommends --no-upgrade -y "$PACKAGES" "$DOCKER_PACKAGES"
 fi
 if [ -n "$PIP_PACKAGES" ]; then
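Review bot: `CI_EXEC_ROOT` copies the `CI_EXEC` body verbatim, including the `bash -c "... && $*"` string that joins the arguments and re-parses them in the container shell; the only difference is the prefix variable, and since that string is now evaluated as root the contract deserves a comment on the new function. In the `DANGER_RUN_CI_ON_HOST` branch neither prefix variable is assigned, so `CI_EXEC_ROOT` runs the command as the invoking host user exactly like `CI_EXEC`, and if the script runs under `set -u` (not visible here) the unset `DOCKER_CI_CMD_PREFIX_ROOT` would abort it. Suggested header comment above `CI_EXEC_ROOT () {`: `# Like CI_EXEC, but runs as root inside the docker wrapper (identical to CI_EXEC when DANGER_RUN_CI_ON_HOST is set); the arguments are joined and re-evaluated by bash -c, so only pass trusted strings.` Factoring the shared `bash -c` string into one helper that both functions call would avoid the two copies drifting; the same `CI_EXEC` to `CI_EXEC_ROOT` substitution continues in the following hunk and the `make install` hunk, where this note applies as well.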
@@ -126,7 +144,7 @@ if [[ "${RUN_TIDY}" == "true" ]]; then
 CI_EXEC "mkdir -p ${DIR_IWYU}/build/"
 CI_EXEC "git clone --depth=1 https://github.com/include-what-you-use/include-what-you-use -b clang_14 ${DIR_IWYU}/include-what-you-use"
 CI_EXEC "cd ${DIR_IWYU}/build && cmake -G 'Unix Makefiles' -DCMAKE_PREFIX_PATH=/usr/lib/llvm-14 ../include-what-you-use"
- CI_EXEC "cd ${DIR_IWYU}/build && make install $MAKEJOBS"
+ CI_EXEC_ROOT "cd ${DIR_IWYU}/build && make install $MAKEJOBS"
 fi
 fi
diff --git a/ci/test/05_before_script.sh b/ci/test/05_before_script.sh
index ef3dff86ca..dd2b43d38b 100755
--- a/ci/test/05_before_script.sh
+++ b/ci/test/05_before_script.sh
@@ -11,6 +11,7 @@ if [ "$CI_OS_NAME" == "macos" ]; then
 echo > "${HOME}/Library/Application Support/Bitcoin"
 else
 CI_EXEC echo \> \$HOME/.bitcoin
+ CI_EXEC_ROOT echo \> \$HOME/.bitcoin
 fi
 CI_EXEC mkdir -p "${DEPENDS_DIR}/SDKs" "${DEPENDS_DIR}/sdk-sources"
|
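Review bot: `CI_EXEC_ROOT "cd ${DIR_IWYU}/build && make install $MAKEJOBS"` runs the whole build as root, because the preceding `cmake` line only configures and CMake's `install` target depends on `all`; every object file under `${DIR_IWYU}/build` is therefore created by UID 0, reintroducing root-owned files into a tree this change is meant to keep user-owned (assuming `DIR_IWYU` lives under the mounted directory — its definition is outside the hunk). Building as the user and only installing as root keeps the privileged step minimal: `CI_EXEC "cd ${DIR_IWYU}/build && make $MAKEJOBS"` followed by `CI_EXEC_ROOT "cd ${DIR_IWYU}/build && make install"`. Running root's `make install` out of a tree writable by the unprivileged user is acceptable for a throwaway CI container but is worth a one-line comment so the pattern is not copied elsewhere.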
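Review bot: `CI_EXEC_ROOT echo \> \$HOME/.bitcoin` is added without saying why the same placeholder file is now needed in a second home directory, and the hunk gives no hint which `$HOME` each prefix resolves to inside the container. A comment above the `else` branch would make the intent checkable, e.g. `# Create a dummy file at the default datadir path for both the CI user and root so neither can pick up a real datadir` — presumably the reason, but confirm against the callers. If both prefixes resolve `$HOME` to the same directory the second line is redundant, which such a comment would also surface.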