Skip to content
This repository has been archived by the owner on Feb 25, 2023. It is now read-only.

Use host user for Docker builds #98

Merged
merged 1 commit into from
Jun 26, 2019
Merged

Use host user for Docker builds #98

merged 1 commit into from
Jun 26, 2019

Conversation

hkjn
Copy link
Contributor

@hkjn hkjn commented Jun 25, 2019

By using the same user inside the container as on the host, we avoid
issues with the host user lacking the privileges to e.g remove files
under build/, which are bind-mounted from the host into the container.

Before this change, those files would run as the super-user (id -u of
0), which caused the issues mentioned above, specifically on Gitlab,
where subsequent test runners would find themselves unable to clean up
the build/ artifacts from prior builds.

The unfortunate edge case here is for users that (wisely!) require
sudo to run docker commands, there is no way for the Makefile
to deduce what their non-privileged user's id is. Those users
need to either deal with the super-user (id 0, commonly root)
owning the files under build/, or to explicitly specify their
non-privileged user's id when calling make commands:

sudo make BUILDER_UID=$(id -u)

@hkjn
Copy link
Contributor Author

hkjn commented Jun 25, 2019

This PR can be tested by removing the build/ directory entirely, then restoring the build/README.md from the repo (i.e bring the repo back to a clean state), then doing a build, and observing that the files are owned by the non-privileged user:

$ sudo rm -rf build/
$ git checkout -- build/README.md
$ sudo make docker-build-go BUILDER_UID=$(id -u)
$ ls -hsal build/
total 14M
4.0K drwxr-xr-x  2 user user 4.0K Jun 25 17:45 .
4.0K drwxr-xr-x 13 user user 4.0K Jun 25 17:50 ..
8.6M -rwxr-xr-x  1 user user 8.6M Jun 25 17:45 base-middleware
2.3M -rwxr-xr-x  1 user user 2.3M Jun 25 17:45 bbbfancontrol
4.0K -rw-r--r--  1 user user  227 Jun 25 17:45 bbbfancontrol.service
2.5M -rwxr-xr-x  1 user user 2.5M Jun 25 17:45 bbbsupervisor
4.0K -rw-r--r--  1 user user  194 Jun 25 17:45 bbbsupervisor.service
4.0K -rw-r--r--  1 user user  167 Jun 25 17:45 README.md
``

@hkjn hkjn mentioned this pull request Jun 25, 2019
Closed
@hkjn
Use host user for Docker builds
736aa3d 
By using the same user inside the container as on the host, we avoid
issues with the host user lacking the privileges to e.g remove files
under `build/`, which are bind-mounted from the host into the container.

Before this change, those files would run as the super-user (`id -u` of
`0`), which caused the issues mentioned above, specifically on Gitlab,
where subsequent test runners would find themselves unable to clean up
the `build/` artifacts from prior builds.

The unfortunate edge case here is for users that (wisely!) require
`sudo` to run `docker` commands, there is no way for the `Makefile`
to deduce what their non-privileged user's id is. Those users
need to either deal with the super-user (id `0`, commonly `root`)
owning the files under `build/`, or to explicitly specify their
non-privileged user's id when calling `make` commands:

```
sudo make BUILDER_UID=$(id -u)
```
@hkjn hkjn force-pushed the 20190625-docker-builder-user branch from 9d751d0 to 736aa3d Compare June 26, 2019 08:44
@Stadicus
Copy link
Collaborator

utACK 736aa3d

@hkjn hkjn requested a review from Stadicus June 26, 2019 08:46
@hkjn hkjn merged commit 0e5efd5 into BitBoxSwiss:master Jun 26, 2019
@hkjn hkjn deleted the 20190625-docker-builder-user branch June 26, 2019 08:53
hkjn added a commit to hkjn/bitbox-base that referenced this pull request Jun 26, 2019
@hkjn
Revert "Use host user for Docker builds (BitBoxSwiss#98)"
85be255 
This reverts commit 0e5efd5.

We noticed that 0e5efd5 introduced a regression, which made it
necessary for users who require `sudo` for their `docker` commands
to also specify `BUILDER_UID=$(id -u)` explicitly on the commandline.

(We were aware that this parameter was needed if users wanted to run
`docker` commands with `sudo`, and they also wanted the `build/`
directory to be owned by their non-privileged user, but it was not known
or intended that the build wouldn't work at all with `sudo make`.)
hkjn
hkjn commented Jun 26, 2019
View reviewed changes
Dockerfile
@@ -32,6 +32,8 @@ RUN make -C "tools"

# Final
FROM golang:1.12.5-stretch as final

ARG builder_uid
RUN adduser --disabled-password --gecos "" --uid ${builder_uid} builder
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This commit actually introduced a regression, where if users have sudo required to run docker commands, their build will fail on this line. I've sent #99 to revert this commit for now, as we figure out the best path forward.

hkjn pushed a commit that referenced this pull request Jun 26, 2019
Revert "Use host user for Docker builds (#98)" (#99)
fbbed66 
This reverts commit 0e5efd5.

We noticed that 0e5efd5 introduced a regression, which made it
necessary for users who require `sudo` for their `docker` commands
to also specify `BUILDER_UID=$(id -u)` explicitly on the commandline.

(We were aware that this parameter was needed if users wanted to run
`docker` commands with `sudo`, and they also wanted the `build/`
directory to be owned by their non-privileged user, but it was not known
or intended that the build wouldn't work at all with `sudo make`.)
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@Stadicus Stadicus Awaiting requested review from Stadicus

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@hkjn @Stadicus