From 02570a422a34ab836f7ee32bdbd54aeb9b3bbf1e Mon Sep 17 00:00:00 2001
From: Jiawei Huang
Date: Mon, 16 Oct 2023 11:04:39 -0700
Subject: [PATCH] Bring back su-exec and entrypoint

---
Dockerfile | 11 +++++++++--
Makefile | 2 +-
Makefile.common | 23 ++++++++++++++++++-----
entrypoint.sh | 35 +++++++++++++++++++++++++++++++++++
4 files changed, 63 insertions(+), 8 deletions(-)
create mode 100755 entrypoint.sh

diff --git a/Dockerfile b/Dockerfile
index a9adb69..a3c037b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,5 @@
 ARG TARGETARCH=${TARGETARCH}
+
 FROM calico/bpftool:v5.3-${TARGETARCH} as bpftool
 FROM registry.access.redhat.com/ubi8/ubi:latest
@@ -115,6 +116,12 @@ ENV GOPATH /go
 ENV PATH $GOPATH/bin:$PATH
 RUN mkdir -p "$GOPATH/src" "$GOPATH/bin" && chmod -R 1777 "$GOPATH"
+# su-exec is used by the entrypoint script to execute the user's command with the right UID/GID.
+RUN set -eux; \
+ curl -sfL https://raw.githubusercontent.com/ncopa/su-exec/master/su-exec.c -o /tmp/su-exec.c; \
+ gcc -Wall -O2 /tmp/su-exec.c -o /usr/bin/su-exec; \
+ rm -f /tmp/su-exec.c
+
 # Install Go utilities
 # coltroller-gen is used for generating CRD files.
@@ -173,7 +180,6 @@ RUN go install github.com/onsi/ginkgo/v2/ginkgo@v2.13.0 && mv /go/bin/ginkgo /go
 # Ensure that everything under the GOPATH is writable by everyone
 RUN chmod -R 777 $GOPATH
-ENV HOME $GOPATH
 # Disable ssh host key checking
 RUN echo $'Host *\n StrictHostKeyChecking no' >> /etc/ssh/ssh_config.d/10-stricthostkey.conf
@@ -190,4 +196,5 @@ RUN set -eux; \
 rm -fr /build; \
 fi
-WORKDIR $GOPATH
+COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
diff --git a/Makefile b/Makefile
index 4e1db53..bb5b1e1 100644
--- a/Makefile
+++ b/Makefile
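Review bot: The su-exec build in the `RUN set -eux` block fetches `su-exec.c` from the mutable `master` branch of a third-party GitHub repository with no commit pin and no integrity check, and the compiled result is the binary the new entrypoint relies on to switch from root to the build user, so a rewritten or hijacked upstream file would be compiled straight into the image on the next build. Pin the URL to a specific commit and verify a known digest before compiling, e.g. `curl -sfL https://raw.githubusercontent.com/ncopa/su-exec/COMMIT_SHA/su-exec.c -o /tmp/su-exec.c; \` followed by `echo "EXPECTED_SHA256  /tmp/su-exec.c" | sha256sum -c -; \` with the real commit and digest filled in. Vendoring the single C file into this repository and `COPY`ing it in would remove the build-time network fetch altogether. The `RUN` block is complete within the hunk.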
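Review bot: With `WORKDIR $GOPATH` replaced by the `ENTRYPOINT` and no `USER` instruction in the visible hunks, the image's default identity is root and the drop to an unprivileged UID happens only inside `entrypoint.sh`; any invocation that overrides the entrypoint (the `--entrypoint /bin/sh` in `CRANE_CMD` elsewhere in this patch does exactly that) runs its command as root, and a container started without `LOCAL_USER_ID` silently falls back to UID 9001. That contract deserves a comment above the `ENTRYPOINT` line, e.g. `# The image starts as root; entrypoint.sh creates a user from LOCAL_USER_ID (default 9001) and execs the command via su-exec. Overriding --entrypoint bypasses that drop.` Removing `WORKDIR` also leaves the default working directory as `/`, which any caller that relied on starting in `$GOPATH` will notice; if that is intentional it is worth saying so in the commit message.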
@@ -114,7 +114,7 @@ test: register
 for arch in $(ARCHES) ; do ARCH=$$arch $(MAKE) testcompile; done
 testcompile:
- docker run --rm --user=$(shell id -u) -e GOARCH=$(ARCH) -w /code -v ${PWD}:/code $(BUILDIMAGE) go build -o hello-$(ARCH) hello.go
+ docker run --rm -e LOCAL_USER_ID=$(shell id -u) -e GOARCH=$(ARCH) -w /code -v ${PWD}:/code $(BUILDIMAGE) go build -o hello-$(ARCH) hello.go
 docker run --rm -v ${PWD}:/code $(BUILDIMAGE) /code/hello-$(ARCH) | grep -q "hello world"
 @echo "success"
diff --git a/Makefile.common b/Makefile.common
index a1fa02b..aa590ab 100644
--- a/Makefile.common
+++ b/Makefile.common
@@ -167,6 +167,19 @@ ifneq ($(OS),Windows_NT)
 DATE:=$(shell date -u +'%FT%T%z')
 endif
+# Figure out the users UID/GID. These are needed to run docker containers
+# as the current user and ensure that files built inside containers are
+# owned by the current user.
+ifneq ($(OS),Windows_NT)
+LOCAL_USER_ID:=$(shell id -u)
+LOCAL_GROUP_ID:=$(shell id -g)
+endif
+
+ifeq ("$(LOCAL_USER_ID)", "0")
+# The build needs to run as root.
+EXTRA_DOCKER_ARGS+=-e RUN_AS_ROOT='true'
+endif
+
 # Allow the ssh auth sock to be mapped into the build container.
 ifdef SSH_AUTH_SOCK
 EXTRA_DOCKER_ARGS += -v $(SSH_AUTH_SOCK):/ssh-agent --env SSH_AUTH_SOCK=/ssh-agent
@@ -197,10 +210,10 @@ GOARCH_FLAGS :=-e GOARCH=$(ARCH)
 DOCKER_RUN := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \
 docker run --rm \
- --init \
 --net=host \
- --user=$(shell id -u):$(shell id -g) \
+ --init \
 $(EXTRA_DOCKER_ARGS) \
+ -e LOCAL_USER_ID=$(LOCAL_USER_ID) \
 -e GOCACHE=/go-cache \
 $(GOARCH_FLAGS) \
 -e GOPATH=/go \
@@ -213,10 +226,10 @@ DOCKER_RUN := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \
 DOCKER_RUN_RO := mkdir -p .go-pkg-cache bin $(GOMOD_CACHE) && \
 docker run --rm \
- --init \
 --net=host \
- --user=$(shell id -u):$(shell id -g) \
+ --init \
 $(EXTRA_DOCKER_ARGS) \
+ -e LOCAL_USER_ID=$(LOCAL_USER_ID) \
 -e GOCACHE=/go-cache \
 $(GOARCH_FLAGS) \
 -e GOPATH=/go \
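Review bot: The new `-e LOCAL_USER_ID=$(shell id -u)` in `testcompile` has none of the root guard that `Makefile.common` gains in this same patch: on a host where the build runs as root it passes `LOCAL_USER_ID=0` without `RUN_AS_ROOT=true`, and `entrypoint.sh` will then try `useradd -u 0 user`, which useradd rejects as a non-unique UID unless `-o` is given. If this Makefile includes `Makefile.common`, prefer `-e LOCAL_USER_ID=$(LOCAL_USER_ID) $(EXTRA_DOCKER_ARGS)` so the root case is handled in one place; if it does not, the entrypoint itself needs to treat UID 0 as root. The second `docker run` on the following context line, which executes the built binary, passes no `LOCAL_USER_ID` and so runs as the entrypoint's fallback UID 9001 — fine for a smoke test, but a short comment (`# runs as the image's default UID; no host files are written`) would stop it looking like an oversight.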
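Review bot: `LOCAL_GROUP_ID` is computed here but nothing in the patch consumes it: the `DOCKER_RUN` variables pass only `LOCAL_USER_ID`, and `entrypoint.sh` creates the user with `useradd -U`, which allocates a fresh primary GID inside the container, so files written into the bind-mounted tree keep the host UID but no longer carry the host GID that the removed `--user=uid:gid` flag preserved. Either drop the variable or pass it through as `-e LOCAL_GROUP_ID=$(LOCAL_GROUP_ID)` alongside `LOCAL_USER_ID` and have the entrypoint create the group with that GID and use it as the user's primary group. The new comment also has a small typo: `the users UID/GID` should read `the user's UID/GID`.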
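Review bot: Dropping `--user=$(shell id -u):$(shell id -g)` means the build container now starts as root, with `--net=host`, and the switch to an unprivileged UID depends entirely on the entrypoint of whatever image the command line (past the end of this hunk) names; an older or third-party image without `entrypoint.sh` would presumably run the whole build as root in the host network namespace and leave root-owned files in the mounted tree, where the old flag enforced the UID regardless of the image. A comment next to the new `-e LOCAL_USER_ID=...` line would make that dependency explicit: `# The container starts as root; the image's entrypoint.sh drops to LOCAL_USER_ID via su-exec (RUN_AS_ROOT=true skips the drop).` The `DOCKER_RUN` definition continues past the end of the hunk.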
@@ -383,7 +396,7 @@ git-commit:
 # different implementation.
 ###############################################################################
-CRANE_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/go/.docker/config.json $(CALICO_BUILD) -c \
+CRANE_CMD = docker run -t --entrypoint /bin/sh -v $(DOCKER_CONFIG):/home/user/.docker/config.json $(CALICO_BUILD) -c \
 $(double_quote)crane
 GIT_CMD = git
 DOCKER_CMD = docker
diff --git a/entrypoint.sh b/entrypoint.sh
new file mode 100755
index 0000000..0923730
--- /dev/null
+++ b/entrypoint.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+
+# Add local user
+# Either use the LOCAL_USER_ID if passed in at runtime or fallback
+
+USER_ID=${LOCAL_USER_ID:-9001}
+
+if [ "${RUN_AS_ROOT}" = "true" ]; then
+ exec "$@"
+fi
+
+echo "Starting with UID : $USER_ID" 1>&2
+# Do not create mail box.
+/bin/sed -i 's/^CREATE_MAIL_SPOOL=yes/CREATE_MAIL_SPOOL=no/' /etc/default/useradd
+# Don't pass "-m" to useradd if the home directory already exists (which can occur if it was volume mounted in) otherwise it will fail.
+if [[ ! -d "/home/user" ]]; then
+ /usr/sbin/useradd -m -U -s /bin/bash -u "$USER_ID" user
+else
+ /usr/sbin/useradd -U -s /bin/bash -u "$USER_ID" user
+fi
+
+export HOME=/home/user
+
+if [ -n "$EXTRA_GROUP_ID" ]; then
+ echo "Adding user to additional GID : $EXTRA_GROUP_ID" 1>&2
+ # Adding the group can fail if it already exists.
+ if addgroup --gid "$EXTRA_GROUP_ID" group; then
+ adduser user group
+ else
+ echo "Adding user to existing group instead" 1>&2
+ adduser user "$(getent group "$EXTRA_GROUP_ID" | cut -d: -f1)"
+ fi
+fi
+
+exec /usr/bin/su-exec user "$@"
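Review bot: The mount target moves to `/home/user/.docker/config.json`, but this command overrides the image entrypoint with `--entrypoint /bin/sh`, so `entrypoint.sh` never runs: `/home/user` is not created, `HOME` is not exported, and the shell runs as root (the old `ENV HOME $GOPATH` is also removed in this patch), so crane will presumably look for its config under root's home rather than `/home/user` and miss the credentials — please verify against a real `crane` invocation. Either mount where the root user will look and mark the file read-only, `-v $(DOCKER_CONFIG):/root/.docker/config.json:ro`, or keep the path and point crane at it explicitly with `-e DOCKER_CONFIG=/home/user/.docker`. Whichever path is kept, the `:ro` flag is worth adding since this file carries registry tokens and nothing in the command needs to write it.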
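Review bot: The script runs without `set -e`, so a failed `useradd` (a `LOCAL_USER_ID` that collides with an existing account, or `0` when a root host passes its UID without `RUN_AS_ROOT`, which `useradd -u 0` rejects as non-unique) is ignored and execution still reaches `su-exec user "$@"`, which then dies with an unrelated unknown-user error instead of the real cause. The `EXTRA_GROUP_ID` branch also uses Debian/Alpine-style `addgroup --gid` and `adduser user group`, while the image is built on `ubi8` (Dockerfile hunk above); as far as I know UBI ships `groupadd`/`usermod` and only a `useradd` alias named `adduser`, so that branch would fail there — worth checking on the real image. The rewrite below adds strict mode, treats UID 0 like `RUN_AS_ROOT`, and switches the group handling to `groupadd`/`usermod -aG`; the optional variables get `:-` defaults because `set -u` would otherwise trip on an unset `RUN_AS_ROOT` or `EXTRA_GROUP_ID`.
```shell
#!/bin/bash
set -euo pipefail

USER_ID=${LOCAL_USER_ID:-9001}

# UID 0 cannot be handed to useradd; treat it exactly like RUN_AS_ROOT.
if [ "${RUN_AS_ROOT:-}" = "true" ] || [ "$USER_ID" = "0" ]; then
    exec "$@"
fi

# … unchanged: "Starting with UID" message, mail-spool sed, useradd, export HOME …

if [ -n "${EXTRA_GROUP_ID:-}" ]; then
    echo "Adding user to additional GID : $EXTRA_GROUP_ID" 1>&2
    # groupadd/usermod are what a UBI (RHEL) base provides; the GID may already exist.
    if groupadd --gid "$EXTRA_GROUP_ID" group 2>/dev/null; then
        extra_group=group
    else
        echo "Adding user to existing group instead" 1>&2
        extra_group=$(getent group "$EXTRA_GROUP_ID" | cut -d: -f1)
    fi
    usermod -aG "$extra_group" user
fi

exec /usr/bin/su-exec user "$@"
```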