Bring back su-exec and entrypoint

projectcalico · Oct 16, 2023 · 02570a4 · 02570a4
1 parent 8455e75
commit 02570a4
Show file tree

Hide file tree

Showing 4 changed files with 63 additions and 8 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,5 @@
 ARG TARGETARCH=${TARGETARCH}
+
 FROM calico/bpftool:v5.3-${TARGETARCH} as bpftool
 
 FROM registry.access.redhat.com/ubi8/ubi:latest
@@ -115,6 +116,12 @@ ENV GOPATH /go
 ENV PATH $GOPATH/bin:$PATH
 RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
 
+# su-exec is used by the entrypoint script to execute the user's command with the right UID/GID.
+RUN set -eux; \
+    curl -sfL https://raw.githubusercontent.com/ncopa/su-exec/master/su-exec.c -o /tmp/su-exec.c; \
+    gcc -Wall -O2 /tmp/su-exec.c -o /usr/bin/su-exec; \
+    rm -f /tmp/su-exec.c
+
 # Install Go utilities
 
 # coltroller-gen is used for generating CRD files.
@@ -173,7 +180,6 @@ RUN go install github.com/onsi/ginkgo/v2/[email protected] && mv /go/bin/ginkgo /go
 
 # Ensure that everything under the GOPATH is writable by everyone
 RUN chmod -R 777 $GOPATH
-ENV HOME $GOPATH
 
 # Disable ssh host key checking
 RUN echo $'Host *\n    StrictHostKeyChecking no' >> /etc/ssh/ssh_config.d/10-stricthostkey.conf
@@ -190,4 +196,5 @@ RUN set -eux; \
         rm -fr /build; \
     fi
 
-WORKDIR $GOPATH
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
diff --git a/Makefile b/Makefile
@@ -114,7 +114,7 @@ test: register
 	for arch in $(ARCHES) ; do ARCH=$$arch $(MAKE) testcompile; done
 
 testcompile:
-	docker run --rm --user=$(shell id -u) -e GOARCH=$(ARCH) -w /code -v ${PWD}:/code $(BUILDIMAGE) go build -o hello-$(ARCH) hello.go
+	docker run --rm -e LOCAL_USER_ID=$(shell id -u) -e GOARCH=$(ARCH) -w /code -v ${PWD}:/code $(BUILDIMAGE) go build -o hello-$(ARCH) hello.go
 	docker run --rm -v ${PWD}:/code $(BUILDIMAGE) /code/hello-$(ARCH) | grep -q "hello world"
 	@echo "success"
 

diff --git a/Makefile.common b/Makefile.common
@@ -167,6 +167,19 @@ ifneq ($(OS),Windows_NT)
 DATE:=$(shell date -u +'%FT%T%z')
 endif
 
+# Figure out the users UID/GID.  These are needed to run docker containers
+# as the current user and ensure that files built inside containers are
+# owned by the current user.
+ifneq ($(OS),Windows_NT)
+LOCAL_USER_ID:=$(shell id -u)
+LOCAL_GROUP_ID:=$(shell id -g)
+endif
+
+ifeq ("$(LOCAL_USER_ID)", "0")
+# The build needs to run as root.
+EXTRA_DOCKER_ARGS+=-e RUN_AS_ROOT='true'
+endif
+
 # Allow the ssh auth sock to be mapped into the build container.
 ifdef SSH_AUTH_SOCK
 	EXTRA_DOCKER_ARGS += -v $(SSH_AUTH_SOCK):/ssh-agent --env SSH_AUTH_SOCK=/ssh-agent
@@ -197,10 +210,10 @@ GOARCH_FLAGS :=-e GOARCH=$(ARCH)
 
 DOCKER_RUN := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \
 	docker run --rm \
-		--init \
 		--net=host \
-		--user=$(shell id -u):$(shell id -g) \
+		--init \
 		$(EXTRA_DOCKER_ARGS) \
+		-e LOCAL_USER_ID=$(LOCAL_USER_ID) \
 		-e GOCACHE=/go-cache \
 		$(GOARCH_FLAGS) \
 		-e GOPATH=/go \
@@ -213,10 +226,10 @@ DOCKER_RUN := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \
 
 DOCKER_RUN_RO := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \
 	docker run --rm \
-		--init \
 		--net=host \
-		--user=$(shell id -u):$(shell id -g) \
+		--init \
 		$(EXTRA_DOCKER_ARGS) \
+		-e LOCAL_USER_ID=$(LOCAL_USER_ID) \
 		-e GOCACHE=/go-cache \
 		$(GOARCH_FLAGS) \
 		-e GOPATH=/go \
@@ -383,7 +396,7 @@ git-commit:
 # different implementation.
 ###############################################################################
 
-CRANE_CMD         = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/go/.docker/config.json $(CALICO_BUILD) -c \
+CRANE_CMD         = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/home/user/.docker/config.json $(CALICO_BUILD) -c \
                     $(double_quote)crane
 GIT_CMD           = git
 DOCKER_CMD        = docker

diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Add local user
+# Either use the LOCAL_USER_ID if passed in at runtime or fallback
+
+USER_ID=${LOCAL_USER_ID:-9001}
+
+if [ "${RUN_AS_ROOT}" = "true" ]; then
+  exec "$@"
+fi
+
+echo "Starting with UID : $USER_ID" 1>&2
+# Do not create mail box.
+/bin/sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd
+# Don't pass "-m" to useradd if the home directory already exists (which can occur if it was volume mounted in) otherwise it will fail.
+if [[ ! -d "/home/user" ]]; then
+  /usr/sbin/useradd -m -U -s /bin/bash -u "$USER_ID" user
+else
+  /usr/sbin/useradd -U -s /bin/bash -u "$USER_ID" user
+fi
+
+export HOME=/home/user
+
+if [ -n "$EXTRA_GROUP_ID" ]; then
+  echo "Adding user to additional GID : $EXTRA_GROUP_ID" 1>&2
+  # Adding the group can fail if it already exists.
+  if addgroup --gid "$EXTRA_GROUP_ID" group; then
+    adduser user group
+  else
+    echo "Adding user to existing group instead" 1>&2
+    adduser user "$(getent group "$EXTRA_GROUP_ID" | cut -d: -f1)"
+  fi
+fi
+
+exec /usr/bin/su-exec user "$@"