authorDan Duvall <dduvall@wikimedia.org>2017-06-15 17:34:47 -0700
committerDan Duvall <dduvall@wikimedia.org>2017-06-20 10:17:53 -0700
commit77b95b1f94de7cc6c1e28c0fdf2b4ecab93dd91a (patch)
treec136226a28999b65f85fd8c4257591478ca99d7f
parentbbb5eba26ae3edb671693c10d6d73a958546af27 (diff)
downloadblubber-77b95b1f94de7cc6c1e28c0fdf2b4ecab93dd91a.tar.gz
Set HOME environment variable for runs-as user
Summary: Fixes build issues around home permissions by setting `HOME` to the unprivileged user's home directory once the "privileges dropped" build phase has been reached. Test Plan: Run `go test ./...`. Reviewers: thcipriani, mobrovac, hashar, Jrbranaa, mmodell, #release-engineering-team Reviewed By: mobrovac Tags: #release-engineering-team Differential Revision: https://phabricator.wikimedia.org/D686
-rw-r--r--build/instructions.go1
-rw-r--r--config/runs.go28
-rw-r--r--docker/compiler.go2
-rw-r--r--docker/compiler_test.go9
4 files changed, 28 insertions, 12 deletions
diff --git a/build/instructions.go b/build/instructions.go
index 2676a75..eda651c 100644
--- a/build/instructions.go
+++ b/build/instructions.go
@@ -5,6 +5,7 @@ type InstructionType int
const (
Run InstructionType = iota
Copy
+ Env
)
type Instruction struct {
diff --git a/config/runs.go b/config/runs.go
index f2756a5..7567685 100644
--- a/config/runs.go
+++ b/config/runs.go
@@ -25,25 +25,29 @@ func (run RunsConfig) InstructionsForPhase(phase build.Phase) []build.Instructio
switch phase {
case build.PhasePrivileged:
if run.In != "" {
- ins = append(ins, []build.Instruction{{build.Run, []string{"mkdir -p ", run.In}}}...)
+ ins = append(ins, build.Instruction{build.Run, []string{"mkdir -p ", run.In}})
}
if run.As != "" {
- ins = append(ins, []build.Instruction{
- {build.Run, []string{
- "groupadd -o -g ", strconv.Itoa(run.Gid), " -r ", run.As, " && ",
- "useradd -o -m -r -g ", run.As, " -u ", strconv.Itoa(run.Uid), " ", run.As,
- }},
- }...)
+ ins = append(ins, build.Instruction{build.Run, []string{
+ "groupadd -o -g ", strconv.Itoa(run.Gid), " -r ", run.As, " && ",
+ "useradd -o -m -d /home/", run.As, " -r -g ", run.As,
+ " -u ", strconv.Itoa(run.Uid), " ", run.As,
+ }})
if run.In != "" {
- ins = append(ins, []build.Instruction{
- {build.Run, []string{
- "chown ", run.As, ":", run.As, " ", run.In,
- }},
- }...)
+ ins = append(ins, build.Instruction{build.Run, []string{
+ "chown ", run.As, ":", run.As, " ", run.In,
+
+ }})
}
}
+ case build.PhasePrivilegeDropped:
+ if run.As != "" {
+ ins = append(ins, build.Instruction{build.Env, []string{
+ "HOME=\"/home/" + run.As + "\"",
+ }})
+ }
}
return ins
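Review bot: `run.As` is now spliced unquoted into two more places, the `useradd -o -m -d /home/` argument of the privileged `RUN` line and the `"HOME=\"/home/" + run.As + "\""` value, and nothing in this hunk validates or escapes it. Unless the config loader already restricts the field, a name containing a space, a double quote, `;` or a newline would change the meaning of the generated shell command or `ENV` line rather than just failing. I would reject such values once where the config is parsed, for example by requiring `run.As` to match a conservative pattern such as `^[a-z_][a-z0-9_-]*$`, and document that contract on the field. The home path is also built separately in the `useradd -d` argument and in the `HOME` value, so a small helper returning `"/home/" + run.As` would keep the two from drifting apart. `InstructionsForPhase` starts before and ends after this hunk, so any earlier checks are not visible here.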
diff --git a/docker/compiler.go b/docker/compiler.go
index 0a16362..f398164 100644
--- a/docker/compiler.go
+++ b/docker/compiler.go
@@ -96,6 +96,8 @@ func CompileInstruction(buffer *bytes.Buffer, instruction build.Instruction) {
Writeln(buffer, append([]string{"RUN "}, instruction.Arguments...)...)
case build.Copy:
Writeln(buffer, "COPY [\"", instruction.Arguments[0], "\", \"", instruction.Arguments[1], "\"]")
+ case build.Env:
+ Writeln(buffer, "ENV ", strings.Join(instruction.Arguments, " "))
}
}
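Review bot: The new `build.Env` case writes `instruction.Arguments` verbatim after `ENV `, so all quoting is left to the caller, and an argument containing a newline or an unbalanced quote would end up as Dockerfile syntax instead of data. That contract is not stated anywhere in the hunk; at minimum add a comment on the case such as `// Env arguments are emitted as-is: callers must pass single-line KEY=value pairs with values already quoted.` A stricter option is to skip or reject any argument for which `strings.ContainsAny(arg, "\r\n")` is true before writing the line. `CompileInstruction` begins above this hunk, so the surrounding `switch` is only partly visible.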
diff --git a/docker/compiler_test.go b/docker/compiler_test.go
index c6fec1b..7f6ee87 100644
--- a/docker/compiler_test.go
+++ b/docker/compiler_test.go
@@ -52,3 +52,12 @@ func TestCompileInstructionCopy(t *testing.T) {
assert.Equal(t, "COPY [\"foo\", \"bar\"]\n", buffer.String())
}
+
+func TestCompileInstructionEnv(t *testing.T) {
+ buffer := new(bytes.Buffer)
+ instruction := build.Instruction{build.Env, []string{"foo=bar", "baz=qux"}}
+
+ docker.CompileInstruction(buffer, instruction)
+
+ assert.Equal(t, "ENV foo=bar baz=qux\n", buffer.String())
+}
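Review bot: `TestCompileInstructionEnv` only covers bare values (`foo=bar`, `baz=qux`), while the only producer added in this commit emits a pre-quoted value of the form `HOME="/home/<user>"`. A second case would pin how quotes pass through the compiler, for example `build.Instruction{build.Env, []string{"HOME=\"/home/foo\""}}` expecting `"ENV HOME=\"/home/foo\"\n"`. The diffstat also lists no test file under `config/`, so the new `build.PhasePrivilegeDropped` branch of `InstructionsForPhase` appears to be untested; a test asserting the single `Env` instruction for a non-empty `run.As` and none for an empty one would close that gap.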