author | Dan Duvall <dduvall@wikimedia.org> | 2018-03-09 15:46:19 -0800 |
---|---|---|
committer | Dan Duvall <dduvall@wikimedia.org> | 2018-03-22 10:57:11 -0700 |
commit | 50c5793952a725b5629c5dcd82f26b92716e628a (patch) | |
tree | e401fd1e65e9618dd6ad153e8ef29c4d3a30bd37 /config/variant_test.go | |
parent | eb9b69dd3d710cb7afa1dfb6e23a5987842b21cc (diff) | |
download | blubber-50c5793952a725b5629c5dcd82f26b92716e628a.tar.gz |
Fix ownership on artifact copies
Summary:
The implementation of D984 did not include enforcing ownership for
`build.CopyFrom` instruction and so artifacts copied from one image to
another via `copies:` were problematically owned as root.
In order to fix this behavior:
1. `config.ArtifactConfig` `build.CopyFrom` instructions are now
injected during `build.PhaseInstall`
2. `config.VariantConfig` calls `build.ApplyUser` for these artifact
instructions as well using the `runs.as` user
3. `build.CopyAs` was refactored to wrap any `build.Instruction` which
should only really be used with `build.Copy` or `build.CopyFrom`.
Test Plan:
Run `go test ./...`. Run `blubber` against configuration with a variant that
uses `copies` and verify that the `COPY --from` instructions also include a
`--chown` flag.
Reviewers: thcipriani, mmodell, hashar, #release-engineering-team, demon
Reviewed By: thcipriani, #release-engineering-team
Tags: #release-engineering-team
Differential Revision: https://phabricator.wikimedia.org/D1002
Diffstat (limited to 'config/variant_test.go')
-rw-r--r-- | config/variant_test.go | 28 |
1 files changed, 16 insertions, 12 deletions
diff --git a/config/variant_test.go b/config/variant_test.go index f906e67..6a1f615 100644 --- a/config/variant_test.go +++ b/config/variant_test.go @@ -67,12 +67,6 @@ func TestVariantLoops(t *testing.T) { func TestVariantConfigInstructions(t *testing.T) { t.Run("PhaseInstall", func(t *testing.T) { - t.Run("copies", func(t *testing.T) { - cfg := config.VariantConfig{Copies: "foo"} - - assert.Empty(t, cfg.InstructionsForPhase(build.PhaseInstall)) - }) - t.Run("shared volume", func(t *testing.T) { cfg := config.VariantConfig{} cfg.Lives.In = "/srv/service" @@ -98,9 +92,7 @@ func TestVariantConfigInstructions(t *testing.T) { cfg.InstructionsForPhase(build.PhaseInstall), ) }) - }) - t.Run("PhasePostInstall", func(t *testing.T) { t.Run("for copies and artifacts", func(t *testing.T) { cfg := config.VariantConfig{ Copies: "foo", @@ -116,7 +108,7 @@ func TestVariantConfigInstructions(t *testing.T) { build.CopyFrom{"foo", build.Copy{[]string{config.LocalLibPrefix}, config.LocalLibPrefix}}, build.CopyFrom{"build", build.Copy{[]string{"/foo/src"}, "/foo/dst"}}, }, - cfg.InstructionsForPhase(build.PhasePostInstall), + cfg.InstructionsForPhase(build.PhaseInstall), ) }) 
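Review bot: The "for copies and artifacts" case in the third hunk still expects bare `build.CopyFrom` values, so the `Copies: "foo"` path that the commit message names as the root-owned one has no ownership assertion; only the artifacts case in the next hunk sets a UID/GID. A sibling case with `Copies` plus a configured user, expecting e.g. `build.CopyAs{123, 223, build.CopyFrom{"foo", build.Copy{[]string{config.LocalLibPrefix}, config.LocalLibPrefix}}}`, would make a regression that drops `--chown` for `copies:` fail the suite. The existing case could also carry a comment that the unwrapped output is intentional, such as `// no user configured: copied files keep the default (root) ownership`. The case's config literal and expected list begin outside the hunk, so this assumes no user is set there.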
@@ -125,17 +117,29 @@ func TestVariantConfigInstructions(t *testing.T) { Artifacts: []config.ArtifactsConfig{ {From: "build", Source: "/foo/src", Destination: "/foo/dst"}, }, - CommonConfig: config.CommonConfig{Lives: config.LivesConfig{In: "/srv/service"}}, + CommonConfig: config.CommonConfig{ + Lives: config.LivesConfig{ + In: "/srv/service", + UserConfig: config.UserConfig{ + UID: 123, + GID: 223, + }, + }, + }, } assert.Equal(t, []build.Instruction{ - build.CopyFrom{"build", build.Copy{[]string{"/foo/src"}, "/foo/dst"}}, + build.CopyAs{123, 223, build.Copy{[]string{"."}, "."}}, + build.CopyAs{123, 223, build.CopyFrom{"build", build.Copy{[]string{"/foo/src"}, "/foo/dst"}}}, }, - cfg.InstructionsForPhase(build.PhasePostInstall), + cfg.InstructionsForPhase(build.PhaseInstall), ) }) + }) + + t.Run("PhasePostInstall", func(t *testing.T) { t.Run("with entrypoint", func(t *testing.T) { cfg := config.VariantConfig{ CommonConfig: config.CommonConfig{ |
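Review bot: The new expectation `build.CopyAs{123, 223, ...}` takes its IDs from `Lives.UserConfig`, while the commit message says ownership is applied "using the `runs.as` user", and with only one user configured this test cannot show which of the two the implementation uses. The distinction matters for least privilege, because files owned by the runtime user can generally be rewritten by the running process. Setting a second, different UID/GID for the runs user in this case and asserting that 123:223 still appears would pin the intended owner. The implementation is not part of this diff and the `cfg` literal starts above the hunk, so which owner is intended is for the author to confirm.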