safer/simpler uid/gid mapping w/ reduced build privs
parent
8a2ac4b000
commit
1badff2241
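--- a/Makefile
+++ b/Makefile
@@ -111,7 +111,7 @@ sign: $(RELEASE_DIR)/*.rom $(RELEASE_DIR)/*.iso
 .PHONY: shell
 shell:
 $(docker) inspect "$(NAME)" \
-&& $(docker) exec --interactive --tty "$(NAME)" shell \
+&& $(docker) exec --interactive --user=root --tty "$(NAME)" shell \
 || $(contain) shell
 
 
@@ -119,7 +119,7 @@ shell:
 menuconfig:
 $(contain) menuconfig
 
-.PHONY: menuconfig
+.PHONY: linux-menuconfig
 linux-menuconfig:
 $(contain) linux-menuconfig
 
@@ -163,7 +163,6 @@ contain := \
 --interactive \
 --name "$(NAME)" \
 --hostname "$(NAME)" \
---user $(userid):$(groupid) \
 --env TARGET="$(TARGET)" \
 --env DEVICES="$(DEVICES)" \
 --env GIT_DATETIME="$(GIT_DATETIME)" \
@@ -172,7 +171,8 @@ contain := \
 --env GIT_AUTHOR="$(GIT_AUTHOR)" \
 --env GIT_KEY="$(GIT_KEY)" \
 --env GIT_STATE="$(GIT_STATE)" \
--security-opt seccomp=unconfined \
+--env UID="$(shell id -u)" \
+--env GID="$(shell id -g)" \
 --volume $(PWD)/build:/home/build/build \
 --volume $(PWD)/config:/home/build/config \
 --volume $(PWD)/release:/home/build/release \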
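Review bot: The `shell` target now execs into the running container with `--user=root`, and `docker exec` does not go through the image entrypoint, so unless the `shell` script (not shown here) drops privileges itself this hands out a root shell over the bind-mounted host `build/`, `config/` and `release/` directories, and anything written from it lands root-owned on the host. Since `host-env` has already created an account for the host uid/gid inside the container, the exec can target that account directly: `&& $(docker) exec --interactive --tty --user "$(shell id -u):$(shell id -g)" "$(NAME)" shell \`. Separately, `UID` is a name bash initialises itself at shell startup, so the value passed with `--env UID=` may be shadowed by the container's real uid when a bash entrypoint reads it; `HOST_UID`/`HOST_GID` would avoid that collision (the entrypoint would need the matching rename). The `contain` definition starts before and ends after these hunks.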
@ -1,39 +1,4 @@
|
||||||
ARG DEBIAN_IMAGE_HASH=4ab3309ba955211d1db92f405be609942b595a720de789286376f030502ffd6f
|
ARG DEBIAN_IMAGE_HASH=4ab3309ba955211d1db92f405be609942b595a720de789286376f030502ffd6f
|
||||||
ARG GOLANG_IMAGE_HASH=84349ee862d8bafff35e0d2bfd539da565b536b4dfce654773fc21a1db2da6d7
|
|
||||||
|
|
||||||
FROM golang@sha256:${GOLANG_IMAGE_HASH} as gotools
|
|
||||||
|
|
||||||
ARG FIXUID_GIT_REF="0ec93d22e52bde5b7326e84cb62fd26a3d20cead"
|
|
||||||
ARG OZZOCONFIG_GIT_REF="0ff174cf5aa6480026e0b40c14fd9cfb61c4abf6"
|
|
||||||
ARG JSONPREPROCESS_GIT_REF="a4e954386171be645f1eb7c41865d2624b69259d"
|
|
||||||
ARG TOML_GIT_REF="3012a1dbe2e4bd1391d42b32f0577cb7bbc7f005"
|
|
||||||
ARG YAMLV2_GIT_REF="51d6538a90f86fe93ac480b35f37b2be17fef232"
|
|
||||||
ARG GLIDE_GIT_REF="b94b39d657d8abcccba6545e148f1201aee6ffec"
|
|
||||||
|
|
||||||
RUN apk add bash git make
|
|
||||||
|
|
||||||
RUN printf "\
|
|
||||||
github.com/boxboat/fixuid.git github.com/boxboat/fixuid ${FIXUID_GIT_REF} \n\
|
|
||||||
github.com/go-ozzo/ozzo-config github.com/go-ozzo/ozzo-config ${OZZOCONFIG_GIT_REF} \n\
|
|
||||||
github.com/hnakamur/jsonpreprocess github.com/hnakamur/jsonpreprocess ${JSONPREPROCESS_GIT_REF} \n\
|
|
||||||
github.com/BurntSushi/toml github.com/BurntSushi/toml ${TOML_GIT_REF} \n\
|
|
||||||
github.com/go-yaml/yaml gopkg.in/yaml.v2 ${YAMLV2_GIT_REF} \n" \
|
|
||||||
> /go/src/repos
|
|
||||||
|
|
||||||
RUN echo ' \
|
|
||||||
set -o nounset -o pipefail -o errexit; \
|
|
||||||
cat /go/src/repos | while read -r line; do \
|
|
||||||
repo=$(echo $line | awk "{ print \$1 }"); \
|
|
||||||
folder=$(echo $line | awk "{ print \$2 }"); \
|
|
||||||
ref=$(echo $line | awk "{ print \$3 }"); \
|
|
||||||
git clone "https://${repo}" "/go/src/${folder}"; \
|
|
||||||
git -C "/go/src/${folder}" checkout ${ref}; \
|
|
||||||
done' \
|
|
||||||
| bash
|
|
||||||
|
|
||||||
RUN go build -o /usr/local/bin/fixuid github.com/boxboat/fixuid
|
|
||||||
|
|
||||||
|
|
||||||
FROM debian@sha256:${DEBIAN_IMAGE_HASH} as debian
|
FROM debian@sha256:${DEBIAN_IMAGE_HASH} as debian
|
||||||
|
|
||||||
ENV DEBIAN_FRONTEND=noninteractive \
|
ENV DEBIAN_FRONTEND=noninteractive \
|
||||||
|
@ -43,14 +8,6 @@ ENV DEBIAN_FRONTEND=noninteractive \
|
||||||
HOME=/home/build \
|
HOME=/home/build \
|
||||||
PATH=/home/build/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
PATH=/home/build/scripts:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
|
||||||
|
|
||||||
## Setup fixuid for mounting host-dirs with correct permissions during dev
|
|
||||||
COPY --from=gotools /usr/local/bin/ /usr/local/bin/
|
|
||||||
RUN chown root:root /usr/local/bin/fixuid \
|
|
||||||
&& chmod 4755 /usr/local/bin/fixuid \
|
|
||||||
&& mkdir -p /etc/fixuid \
|
|
||||||
&& printf "user: build\ngroup: build\npaths:\n - /\n - /home/build/build\n" > /etc/fixuid/config.yml
|
|
||||||
ENTRYPOINT ["/usr/local/bin/fixuid", "-q"]
|
|
||||||
|
|
||||||
ADD scripts/ /usr/local/bin/
|
ADD scripts/ /usr/local/bin/
|
||||||
|
|
||||||
## Install packages from packages.list with retry
|
## Install packages from packages.list with retry
|
||||||
|
@ -59,11 +16,6 @@ ADD config/container/packages.list /etc/apt/packages.list
|
||||||
ADD config/container/apt.conf /etc/apt/apt.conf
|
ADD config/container/apt.conf /etc/apt/apt.conf
|
||||||
RUN apt-install
|
RUN apt-install
|
||||||
|
|
||||||
## Create build user with sudo privs
|
|
||||||
RUN useradd -G plugdev,sudo -ms /bin/bash build \
|
|
||||||
&& chown -R build:build /home/build \
|
|
||||||
&& echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
|
|
||||||
|
|
||||||
WORKDIR /home/build
|
WORKDIR /home/build
|
||||||
|
|
||||||
USER build
|
ENTRYPOINT ["/usr/local/bin/host-env"]
|
||||||
|
|
|
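Review bot: With `USER build` removed the image's default user is root and the only thing that drops privileges is the new `host-env` entrypoint, which the Dockerfile does not say anywhere; a comment above the new ENTRYPOINT such as `## Runs as root: host-env creates the build user from the UID/GID env vars, then drops to it via setpriv; --entrypoint and docker exec bypass this` would make that contract explicit for anyone invoking the image outside the Makefile. The entrypoint depends on `setpriv`, which comes from util-linux and is not shipped on every Debian release; confirm the pinned base image provides it or add it to `packages.list`, otherwise host-env would abort only at its final line, after the root-only user setup has already run. Note too that `host-env` fails at startup when `UID`/`GID` are unset (it uses `${UID?}`), so running the image without the Makefile wrapper now exits immediately.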
@ -0,0 +1,21 @@
|
||||||
|
#!/bin/bash
|
||||||
|
set -e
|
||||||
|
set -x
|
||||||
|
|
||||||
|
uid=${UID?}
|
||||||
|
gid=${GID?}
|
||||||
|
user=${USER:-"build"}
|
||||||
|
export HOME="/home/${user}"
|
||||||
|
|
||||||
|
groupadd -g "$gid" "${user}"
|
||||||
|
useradd \
|
||||||
|
-g "$gid" \
|
||||||
|
-u "$uid" \
|
||||||
|
-md "/home/${user}" \
|
||||||
|
-s /bin/bash \
|
||||||
|
"${user}"
|
||||||
|
|
||||||
|
mkdir -p "$HOME"
|
||||||
|
chown -R "$uid:$gid" "$HOME"
|
||||||
|
cd "$HOME"
|
||||||
|
setpriv --reuid="$uid" --regid="$gid" --init-groups "$@"
|