author | Dan Duvall <dduvall@wikimedia.org> | 2018-03-09 15:46:19 -0800 |
---|---|---|
committer | Dan Duvall <dduvall@wikimedia.org> | 2018-03-22 10:57:11 -0700 |
commit | 50c5793952a725b5629c5dcd82f26b92716e628a (patch) | |
tree | e401fd1e65e9618dd6ad153e8ef29c4d3a30bd37 /config/variant.go | |
parent | eb9b69dd3d710cb7afa1dfb6e23a5987842b21cc (diff) | |
download | blubber-50c5793952a725b5629c5dcd82f26b92716e628a.tar.gz |
Fix ownership on artifact copies
Summary:
The implementation of D984 did not include enforcing ownership for
`build.CopyFrom` instruction and so artifacts copied from one image to
another via `copies:` were problematically owned as root.
In order to fix this behavior:
1. `config.ArtifactConfig` `build.CopyFrom` instructions are now
injected during `build.PhaseInstall`
2. `config.VariantConfig` calls `build.ApplyUser` for these artifact
instructions as well using the `runs.as` user
3. `build.CopyAs` was refactored to wrap any `build.Instruction` which
should only really be used with `build.Copy` or `build.CopyFrom`.
Test Plan:
Run `go test ./...`. Run `blubber` against configuration with a variant that
uses `copies` and verify that the `COPY --from` instructions also include a
`--chown` flag.
Reviewers: thcipriani, mmodell, hashar, #release-engineering-team, demon
Reviewed By: thcipriani, #release-engineering-team
Tags: #release-engineering-team
Differential Revision: https://phabricator.wikimedia.org/D1002
Diffstat (limited to 'config/variant.go')
-rw-r--r-- | config/variant.go | 25 |
1 files changed, 14 insertions, 11 deletions
diff --git a/config/variant.go b/config/variant.go
index e3562bf..85bb1a0 100644
--- a/config/variant.go
+++ b/config/variant.go
@@ -34,14 +34,9 @@ func (vc *VariantConfig) Merge(vc2 VariantConfig) {
 //
 func (vc *VariantConfig) InstructionsForPhase(phase build.Phase) []build.Instruction {
 	instructions := vc.CommonConfig.InstructionsForPhase(phase)
-	ainstructions := []build.Instruction{}
-	for _, artifact := range vc.allArtifacts() {
-		ainstructions = append(ainstructions, artifact.InstructionsForPhase(phase)...)
-	}
-
-	instructions = append(ainstructions, instructions...)
 	var switchUser string
+	var uid, gid uint
 	switch phase {
 	case build.PhasePrivileged:
@@ -49,12 +44,14 @@ func (vc *VariantConfig) InstructionsForPhase(phase build.Phase) []build.Instruc
 	case build.PhasePrivilegeDropped:
 		switchUser = vc.Lives.As
-		instructions = build.ApplyUser(vc.Lives.UID, vc.Lives.GID, instructions)
+		uid, gid = vc.Lives.UID, vc.Lives.GID
 	case build.PhasePreInstall:
-		instructions = build.ApplyUser(vc.Lives.UID, vc.Lives.GID, instructions)
+		uid, gid = vc.Lives.UID, vc.Lives.GID
 	case build.PhaseInstall:
+		uid, gid = vc.Lives.UID, vc.Lives.GID
+
 		if vc.Copies == "" {
 			if vc.SharedVolume.True {
 				instructions = append(instructions, build.Volume{vc.Lives.In})
@@ -63,17 +60,19 @@ func (vc *VariantConfig) InstructionsForPhase(phase build.Phase) []build.Instruc
 			}
 		}
-		instructions = build.ApplyUser(vc.Lives.UID, vc.Lives.GID, instructions)
-
 	case build.PhasePostInstall:
 		switchUser = vc.Runs.As
-		instructions = build.ApplyUser(vc.Runs.UID, vc.Runs.GID, instructions)
+		uid, gid = vc.Runs.UID, vc.Runs.GID
 		if len(vc.EntryPoint) > 0 {
 			instructions = append(instructions, build.EntryPoint{vc.EntryPoint})
 		}
 	}
+	for _, artifact := range vc.allArtifacts() {
+		instructions = append(instructions, artifact.InstructionsForPhase(phase)...)
+	}
+
 	if switchUser != "" {
 		instructions = append(
 			[]build.Instruction{
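Review bot: In the `case build.PhaseInstall` branch of the second hunk the ownership for this phase is taken from `vc.Lives`, yet the description states that the artifact `CopyFrom` instructions are now injected in `build.PhaseInstall` and chowned with the `runs.as` user; if `ArtifactConfig.InstructionsForPhase` (not visible here) does emit them in that phase, they end up owned by the `lives` user, so either the code or the description needs to state which is intended. The third hunk also moves the artifact instructions from the front of the list to after the phase's own instructions, a Dockerfile ordering change the description does not mention; a one-line comment on the new loop, `// artifacts are appended last so the ApplyUser pass below covers them together with the phase's own instructions`, would record the reason. The body of `InstructionsForPhase` continues past these hunks.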
@@ -84,6 +83,10 @@ func (vc *VariantConfig) InstructionsForPhase(phase build.Phase) []build.Instruc
 		)
 	}
+	if uid != 0 {
+		instructions = build.ApplyUser(uid, gid, instructions)
+	}
+
 	return instructions
 }
|
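Review bot: The new `if uid != 0` gate treats UID 0 as "no user applies to this phase", so a variant whose `lives`/`runs` user is configured with UID 0 and a non-zero GID would skip `build.ApplyUser` entirely and leave the artifact copies root-owned — the outcome this commit sets out to remove — assuming the config layer accepts a zero UID, which is not visible here. A boolean set alongside `uid, gid` in each `case` of the switch (`applyUser = true`) and tested here instead of the sentinel would keep "unset" and "root" apart; failing that, the sentinel deserves a comment such as `// uid == 0 means no user was selected for this phase (PhasePrivileged); ownership stays root`. `InstructionsForPhase` begins outside this hunk.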