author | Dan Duvall <dduvall@wikimedia.org> | 2017-08-23 09:51:03 -0700 |
---|---|---|
committer | Dan Duvall <dduvall@wikimedia.org> | 2017-09-05 09:32:07 -0700 |
commit | 588a5eec5428de559f55207b72e5e35a8ad72719 (patch) | |
tree | 0cc777101661efb3368c3bf26327397044788e32 | |
parent | a0ece14e6e34d7c64f95585859690e1bd1e1a32f (diff) | |
download | blubber-588a5eec5428de559f55207b72e5e35a8ad72719.tar.gz |
Create directory for common unprivileged app dependencies
Summary:
Establish `/opt/lib` as the location for application dependencies that
are installed via unprivileged execution and from untrusted sources. The
directory is created during the privileged build phase and owned by the
unprivileged runtime user.
Depends on D741
Test Plan: Run `go test ./...` or `arc unit`.
Reviewers: thcipriani, mobrovac, mmodell, #release-engineering-team
Reviewed By: thcipriani, mobrovac, mmodell, #release-engineering-team
Tags: #release-engineering-team
Differential Revision: https://phabricator.wikimedia.org/D756
-rw-r--r-- | config/runs.go | 8 | ||||
-rw-r--r-- | config/runs_test.go | 2 | ||||
-rw-r--r-- | config/variant.go | 6 |
3 files changed, 12 insertions, 4 deletions
diff --git a/config/runs.go b/config/runs.go
index 12184bf..b8bf6af 100644
--- a/config/runs.go
+++ b/config/runs.go
@@ -6,6 +6,8 @@ import (
 "phabricator.wikimedia.org/source/blubber.git/build"
 )
+const LocalLibPrefix = "/opt/lib"
+
 type RunsConfig struct {
 In string `yaml:"in"`
 As string `yaml:"as"`
@@ -50,7 +52,9 @@ func (run RunsConfig) InstructionsForPhase(phase build.Phase) []build.Instructio
 switch phase {
 case build.PhasePrivileged:
- runAll := build.RunAll{}
+ runAll := build.RunAll{[]build.Run{
+ {"mkdir -p", []string{LocalLibPrefix}},
+ }}
 if run.In != "" {
 runAll.Runs = append(runAll.Runs,
@@ -64,6 +68,8 @@ func (run RunsConfig) InstructionsForPhase(phase build.Phase) []build.Instructio
 []string{strconv.Itoa(run.Gid), run.As}},
 build.Run{"useradd -o -m -d %s -r -g %s -u %s",
 []string{run.Home(), run.As, strconv.Itoa(run.Uid), run.As}},
+ build.Run{"chown %s:%s",
+ []string{run.As, run.As, LocalLibPrefix}},
 )
 if run.In != "" {
diff --git a/config/runs_test.go b/config/runs_test.go
index cb5e1df..457c09b 100644
--- a/config/runs_test.go
+++ b/config/runs_test.go
@@ -60,9 +60,11 @@ func TestRunsConfigInstructions(t *testing.T) {
 t.Run("PhasePrivileged", func(t *testing.T) {
 assert.Equal(t,
 []build.Instruction{build.RunAll{[]build.Run{
+ {"mkdir -p", []string{"/opt/lib"}},
 {"mkdir -p", []string{"/some/directory"}},
 {"groupadd -o -g %s -r", []string{"777", "someuser"}},
 {"useradd -o -m -d %s -r -g %s -u %s", []string{"/home/someuser", "someuser", "666", "someuser"}},
+ {"chown %s:%s", []string{"someuser", "someuser", "/opt/lib"}},
 {"chown %s:%s", []string{"someuser", "someuser", "/some/directory"}},
 }}},
 cfg.InstructionsForPhase(build.PhasePrivileged),
diff --git a/config/variant.go b/config/variant.go
index 0aa56de..9309b9d 100644
--- a/config/variant.go
+++ b/config/variant.go
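Review bot: `LocalLibPrefix` in the first hunk is exported but carries no doc comment, so nothing in the code records why the directory exists or who is expected to own it. Suggest `// LocalLibPrefix is the directory created during the privileged build phase and then chowned to the runtime user (run.As); it is intended for application dependencies installed by unprivileged processes.` above the declaration, so the create-privileged/own-unprivileged split that the commit message describes stays visible next to the value.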
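Review bot: The `mkdir -p` for `LocalLibPrefix` in the second hunk is unconditional, but the matching `chown %s:%s` in the third hunk is appended in the same call as `groupadd`/`useradd`, whose enclosing block and guard begin outside the hunk (the body of InstructionsForPhase continues on both sides of each hunk). If that block is skipped for a variant with no runtime user, the privileged phase still creates the directory but never hands it over, so a later unprivileged install into `/opt/lib` would fail on permissions rather than on a missing path; if that is intended, a short comment on the `mkdir` entry saying so would make the asymmetry explicit. The new chown entry also passes three values for a two-verb format string, which mirrors the existing `chown %s:%s` entry for `run.In` that runs_test.go asserts, so presumably `build.Run` appends trailing arguments positionally — worth a one-line comment, since a reader of this hunk alone cannot tell.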
@@ -6,7 +6,7 @@ type VariantConfig struct {
 CommonConfig `yaml:",inline"`
 }
-func (vc1 *VariantConfig) Merge(vc2 VariantConfig) {
- vc1.Artifacts = append(vc1.Artifacts, vc2.Artifacts...)
- vc1.CommonConfig.Merge(vc2.CommonConfig)
+func (vc *VariantConfig) Merge(vc2 VariantConfig) {
+ vc.Artifacts = append(vc.Artifacts, vc2.Artifacts...)
+ vc.CommonConfig.Merge(vc2.CommonConfig)
 } |