Merge branch 'bindfs' into major-updates

Dockerfile.custom

@@ -3,6 +3,12 @@
 # for a customer using the Cloud Posse Reference Architecture.
 # Use it as a basis for your own customizations.
 #
+# Note that Geodesic supports runtime customizations that
+# do not require a custome Dockerfile. See:
+#   https://github.com/cloudposse/geodesic/blob/master/docs/customization.md
+#
+# See Dockerfile.options for some common options you might want.
+#
 # Note that the version numbers in this file are not maintained,
 # you will want to update them to current versions when you start
 # and then have a plan for regularly updating them as you go along.

Makefile

@@ -31,7 +31,7 @@ deps: init
 	docker tag $(DOCKER_IMAGE_NAME) $(DOCKER_IMAGE_NAME_BASE)
 
 %.install:
-	@docker run --rm --env DOCKER_IMAGE --env DOCKER_TAG $(DOCKER_IMAGE_NAME) | bash -s $(DOCKER_TAG) || (echo "Try: sudo make install"; exit 1)
+	@docker run --rm --env DOCKER_IMAGE --env DOCKER_TAG $(DOCKER_IMAGE_NAME) | bash -s $(DOCKER_TAG)
 
 build: $(DOCKER_BASE_OS).build
 

Makefile.custom

@@ -3,6 +3,13 @@
 # Modify the variable settings to create your own version of Geodesic
 # with your own Docker image name and app name.
 #
+# See Dockerfile.custom and Dockerfile.options for
+# how to customize your Dockerfile.
+# Note that Geodesic supports runtime customizations that
+# do not require a custom Dockerfile: See
+#   https://github.com/cloudposse/geodesic/blob/master/docs/customization.md
+#
+#
 # The `make` variables build up to $(DOCKER_IMAGE):$(DOCKER_TAG) being
 # what you would use for `docker run` and `docker push`.
 # You probably want to use either `latest` or `dev` for DOCKER_TAG
@@ -47,7 +54,7 @@ push:
 
 ## Install wrapper script from geodesic container
 install:
-	@docker run --rm $(DOCKER_IMAGE_NAME) | bash -s $(DOCKER_TAG) || (echo "Try: sudo make install"; exit 1)
+	@docker run --rm $(DOCKER_IMAGE_NAME) | bash -s $(DOCKER_TAG)
 
 ## Start the geodesic shell by calling wrapper script
 run:

rootfs/etc/profile.d/_20-localhost.sh

@@ -5,26 +5,25 @@
 # This file has only depends on colors.sh and should come before any scripts that
 # attempt to access files on the host via `/localhost`.
 
-if [[ $SHLVL == 1 ]] && [[ -n $GEODESIC_HOST_UID ]] && [[ -n $GEODESIC_HOST_GID ]] \
-	&& [[ -n $GEODESIC_LOCALHOST ]] && df -a | grep -q " ${GEODESIC_LOCALHOST}\$"; then
-  if [[ $(df -a | grep ' /localhost$') =~ ^${GEODESIC_LOCALHOST} ]]; then
-    echo "# Host file ownership mapping already configured"
-  	export GEODESIC_LOCALHOST_MAPPED_DEVICE="${GEODESIC_LOCALHOST}"
-  elif df -a | grep -q ' /localhost$'; then
-  	red "# Host filesystems found mounted at both /localhost and /localhost.bindfs."
-  	red "#  * Verify that content under /localhost is what you expect."
-  	red "#  * Report the issue at https://github.com/cloudposse/geodesic/issues"
-  	red "#    Include the output of `env | grep GEODESIC` in your issue description."
-  elif bindfs -o nonempty ${GEODESIC_BINDFS_OPTIONS} --create-for-user="$GEODESIC_HOST_UID" --create-for-group="$GEODESIC_HOST_GID" "${GEODESIC_LOCALHOST}" /localhost; then
-  	green "# Files on host (under /localhost) will be created with UID:GID ${GEODESIC_HOST_UID}:${GEODESIC_HOST_GID}"
-  	export GEODESIC_LOCALHOST_MAPPED_DEVICE="${GEODESIC_LOCALHOST}"
-  else
-  	red "# ERROR: Unable to mirror /localhost.bindfs to /localhost"
-  	red "#  * Report the issue at https://github.com/cloudposse/geodesic/issues"
-  	red "#  * Work around the issue by setting shell environment variable"
-  	red "#      GEODESIC_HOST_BINDFS=disabled"
-  	red "#    before running Geodesic."
-  	red "#  * Exiting."
-  	exec false
-  fi
+if [[ $SHLVL == 1 ]] && [[ -n $GEODESIC_HOST_UID ]] && [[ -n $GEODESIC_HOST_GID ]] &&
+	[[ -n $GEODESIC_LOCALHOST ]] && df -a | grep -q " ${GEODESIC_LOCALHOST}\$"; then
+	if [[ $(df -a | grep ' /localhost$' | cut -f1 -d' ') == ${GEODESIC_LOCALHOST} ]]; then
+		echo "# Host file ownership mapping already configured"
+		export GEODESIC_LOCALHOST_MAPPED_DEVICE="${GEODESIC_LOCALHOST}"
+	elif df -a | grep -q ' /localhost$'; then
+		red "# Host filesystems found mounted at both /localhost and /localhost.bindfs."
+		red "#  * Verify that content under /localhost is what you expect."
+		red "#  * Report the issue at https://github.com/cloudposse/geodesic/issues"
+		red "#  * Include the output of \`env | grep GEODESIC\` and \`df -a\` in your issue description."
+	elif bindfs -o nonempty ${GEODESIC_BINDFS_OPTIONS} --create-for-user="$GEODESIC_HOST_UID" --create-for-group="$GEODESIC_HOST_GID" "${GEODESIC_LOCALHOST}" /localhost; then
+		green "# BindFS mapping of ${GEODESIC_LOCALHOST} to /localhost enabled."
+		green "# Files created under /localhost will have UID:GID ${GEODESIC_HOST_UID}:${GEODESIC_HOST_GID} on host."
+		export GEODESIC_LOCALHOST_MAPPED_DEVICE="${GEODESIC_LOCALHOST}"
+	else
+		red "# ERROR: Unable to mirror /localhost.bindfs to /localhost"
+		red "#  * Report the issue at https://github.com/cloudposse/geodesic/issues"
+		red "#  * Work around the issue by unsetting shell environment variable GEODESIC_HOST_BINDFS_ENABLED."
+		red "#  * Exiting."
+		exec false
+	fi
 fi

rootfs/etc/profile.d/_40-preferences.sh

@@ -60,12 +60,12 @@ fi
 
 if [[ ! -d $GEODESIC_CONFIG_HOME ]]; then
 	if ! df -a | grep -q " ${GEODESIC_LOCALHOST:-/localhost}\$"; then
-		if [[ -z $KUBERNETES_PORT ]]; then
+		if [[ -n $KUBERNETES_PORT ]]; then
+			echo $(green Kubernetes host detected, Geodesic customization disabled.)
+		else
 			red "########################################################################################" >&2
 			red "# No filesystem is mounted at $(bold ${GEODESIC_LOCALHOST:-/localhost}) which limits Geodesic functionality." >&2
 			boot install
-		else
-			echo $(green Kubernetes host detected, Geodesic customization disabled.)
 		fi
 		export GEODESIC_CUSTOMIZATION_DISABLED="/localhost not a volume"
 	elif mkdir -p $GEODESIC_CONFIG_HOME; then

rootfs/etc/profile.d/_50-workdir.sh

@@ -5,8 +5,9 @@
 # This file depends on colors.sh, localhost.sh, and preferences,sh and must come after them
 #
 
+# Outputs the device the file resides on, or /dev/null if the file does not exist
 function _file_device() {
-	df --output=source "$1" | tail -1
+	{ [[ -e $1 ]] && df --output=source "$1" | tail -1; } || echo '/dev/null'
 }
 
 # file_on_host is true when the argument is a file or directory that appears to be on the Host file system.
@@ -26,13 +27,13 @@ else
 fi
 
 function file_on_host() {
-	if [[ $GEODESIC_LOCALHOST_DEVICE  =~ ^(disabled|missing)$ ]]; then
+	if [[ $GEODESIC_LOCALHOST_DEVICE =~ ^(disabled|missing)$ ]]; then
 		return 1
 	elif [[ $GEODESIC_LOCALHOST_DEVICE == "same-as-root" ]]; then
-		[[ $(readlink -e "$1") =~ ^/localhost(/.*)?$ ]]
+		[[ $(readlink -e "$1") =~ ^/localhost ]]
 	else
-		local regex="^(${GEODESIC_LOCALHOST_DEVICE}${GEODESIC_LOCALHOST_MAPPED_DEVICE:+|${GEODESIC_LOCALHOST_MAPPED_DEVICE}})\$"
-		[[ $(_file_device "$1") =~ ${regex} ]]
+		local dev="$(_file_device "$1")"
+		[[ $dev == $GEODESIC_LOCALHOST_DEVICE ]] || [[ $dev == $GEODESIC_LOCALHOST_MAPPED_DEVICE ]]
 	fi
 }
 
@@ -52,7 +53,7 @@ if [[ -d $GEODESIC_WORKDIR ]]; then
 	[[ $SHLVL == 1 ]] && green "# Initial working directory configured as ${GEODESIC_WORKDIR}"
 else
 	if [[ -d $GEODESIC_HOST_CWD ]]; then
-		if [[ -n $LOCAL_HOME ]] && { [[ $GEODESIC_LOCALHOST_DEVICE  == "disabled" ]] || file_on_host "$GEODESIC_HOST_CWD"; }; then
+		if [[ -n $LOCAL_HOME ]] && { [[ $GEODESIC_LOCALHOST_DEVICE == "disabled" ]] || file_on_host "$GEODESIC_HOST_CWD"; }; then
 			export GEODESIC_WORKDIR=$(readlink -e "${GEODESIC_HOST_CWD}")
 			green "# Initial working directory set from host CWD to ${GEODESIC_WORKDIR}"
 		else

rootfs/etc/profile.d/aws-okta.sh

@@ -1,7 +1,7 @@
 #!/usr/bin/env bash
 
 if [ "${AWS_OKTA_ENABLED}" == "true" ]; then
-  echo
+	echo
 	echo
 	red '* You have AWS_OKTA_ENABLED set to "true".'
 	red '* Cloud Posse no longer recommends using aws-okta and is'
@@ -35,7 +35,7 @@ if [ "${AWS_OKTA_ENABLED}" == "true" ]; then
 
 	PROMPT_HOOKS+=("aws_okta_prompt")
 	function aws_okta_prompt() {
-		if [[  -z "${AWS_OKTA_PROFILE}" && -z "${ASSUME_ROLE}" ]]; then
+		if [[ -z "${AWS_OKTA_PROFILE}" && -z "${ASSUME_ROLE}" ]]; then
 			echo -e "-> Run '$(green assume-role)' to login to AWS with aws-okta"
 		fi
 	}

rootfs/etc/profile.d/aws.sh

@@ -35,8 +35,8 @@ fi
 
 function aws_choose_role() {
 	_preview="${FZF_PREVIEW:-crudini --format=ini --get "$AWS_CONFIG_FILE" 'profile {}'}"
-	cat "${AWS_SHARED_CREDENTIALS_FILE:-~/.aws/credentials}" "${AWS_CONFIG_FILE:-~/.aws/config}" 2>/dev/null | \
-	crudini --get - | sed 's/^ *profile *//' | \
+	cat "${AWS_SHARED_CREDENTIALS_FILE:-~/.aws/credentials}" "${AWS_CONFIG_FILE:-~/.aws/config}" 2>/dev/null |
+		crudini --get - | sed 's/^ *profile *//' |
 		fzf \
 			--height 30% \
 			--preview-window right:70% \
@@ -67,7 +67,7 @@ function aws_sdk_assume_role() {
 	else
 		AWS_PROFILE="$role" $*
 	fi
-	ASSUME_ROLE="$assume_role";
+	ASSUME_ROLE="$assume_role"
 }
 
 # Asks AWS what the currently active identity is and

rootfs/etc/profile.d/banner.sh

@@ -5,22 +5,11 @@ BANNER_INDENT="${BANNER_INDENT:-    }"
 BANNER_FONT="${BANNER_FONT:-Nancyj.flf}" # " IDE parser fix
 
 if [ "${SHLVL}" == "1" ]; then
-  function _check_support() {
+	function _check_support() {
 		[[ $(arch) != "x86_64" ]] || grep -qsE 'GenuineIntel|AuthenticAMD' /proc/cpuinfo && return
-		echo
-		echo
-		red '**********************************************************************'
-		red '**********************************************************************'
-		red '**                                                                  **'
-		red '**    You appear to be running Geodesic on an Apple M1 CPU          **'
-		red '**  Geodesic is not supported on the Apple M1 and has known issues  **'
-		red '**     See https://github.com/cloudposse/geodesic/issues/719        **'
-		red '**                                                                  **'
-		red '**********************************************************************'
-		red '**********************************************************************'
-		echo
-		echo
-  }
+		yellow '# Detected Apple M1 emulating Intel CPU. Support for this configuration is evolving.'
+		yellow '# Report issues and read about solutions at https://github.com/cloudposse/geodesic/issues/719'
+	}
 
 	function _header() {
 		local vstring
@@ -44,15 +33,12 @@ if [ "${SHLVL}" == "1" ]; then
 			elif [ "$BANNER_COMMAND" == "figurine" ]; then
 				${BANNER_COMMAND} -f "${BANNER_FONT}" "${BANNER}" | sed "s/^/${BANNER_INDENT}/"
 			else
-			  ${BANNER_COMMAND}
+				${BANNER_COMMAND}
 			fi
 		fi
 	}
-	# We call _check_support twice so that the warning appears
-	# both above and below the banner
 	_check_support
 	_header
-	_check_support
 	unset _check_support
 	unset _header
 fi

rootfs/etc/profile.d/iterm.sh

@@ -17,6 +17,3 @@ if [ "${TERM_PROGRAM}" == "iTerm.app" ]; then
 		trap _geodesic_iterm_exit EXIT
 	fi
 fi
-
-
-

rootfs/etc/profile.d/prompt.sh

@@ -85,8 +85,8 @@ function geodesic_prompt() {
 		# See https://github.com/cloudposse/geodesic/issues/417
 		[[ -z $ASSUME_ROLE_ACTIVE_MARK ]] && ASSUME_ROLE_ACTIVE_MARK=$'\x01'$(tput bold)$(tput setaf 2)$'\x02\u221a\x01'$(tput sgr0)$'\x02'     # green bold '√'
 		[[ -z $ASSUME_ROLE_INACTIVE_MARK ]] && ASSUME_ROLE_INACTIVE_MARK=$'\x01'$(tput bold)$(tput setaf 1)$'\x02\u2717\x01'$(tput sgr0)$'\x02' # red bold '✗'
-		[[ -z $BLACK_RIGHTWARDS_ARROWHEAD ]] && BLACK_RIGHTWARDS_ARROWHEAD=$'\u27A4' # '➤'
-		[[ -z $BANNER_MARK ]] && BANNER_MARK='⧉' # \u29c9 TWO JOINED SQUARES
+		[[ -z $BLACK_RIGHTWARDS_ARROWHEAD ]] && BLACK_RIGHTWARDS_ARROWHEAD=$'\u27A4'                                                            # '➤'
+		[[ -z $BANNER_MARK ]] && BANNER_MARK='⧉'                                                                                                # \u29c9 TWO JOINED SQUARES
 		;;
 
 	*)
@@ -102,7 +102,7 @@ function geodesic_prompt() {
 		# '▶︎' ($'\u25b6\ufe0e') BLACK RIGHT-POINTING TRIANGLE which is sometimes presented as an emoji (as GitHub likes to) '▶️'
 		# '⏩︎' ($'\u23e9\ufe0e') BLACK RIGHT-POINTING DOUBLE TRIANGLE
 		[[ -z $BLACK_RIGHTWARDS_ARROWHEAD ]] && BLACK_RIGHTWARDS_ARROWHEAD=$'\u2a20' # '⨠' Z NOTATION SCHEMA PIPING
-		[[ -z $BANNER_MARK ]] && BANNER_MARK='⧉' # \u29c9 TWO JOINED SQUARES
+		[[ -z $BANNER_MARK ]] && BANNER_MARK='⧉'                                     # \u29c9 TWO JOINED SQUARES
 		;;
 	esac
 

rootfs/templates/bootstrap

@@ -3,8 +3,8 @@ export DOCKER_IMAGE="{{getenv "DOCKER_IMAGE" "cloudposse/geodesic"}}"
 export DOCKER_TAG="{{- getenv "DOCKER_TAG" (printf "${1:-%s-%s}" ((index (split (getenv "GEODESIC_VERSION") " ") 0) | default "dev") (getenv "GEODESIC_OS" "alpine")) -}}"
 export APP_NAME=${APP_NAME:-$(basename $DOCKER_IMAGE)}
 export INSTALL_PATH=${INSTALL_PATH:-/usr/local/bin}
+export SAFE_INSTALL_PATH="$HOME/.local/bin" # per XDG recommendations
 export INSTALLER_NAME="${APP_NAME}-installer"
-export OUTPUT=${OUTPUT:-/dev/null} # Replace with /dev/stdout to audit output
 export REQUIRE_PULL=${REQUIRE_PULL:-false}
 
 if [ -z "${DOCKER_IMAGE}" ]; then
@@ -43,9 +43,23 @@ if [ $? -ne 0 ]; then
 fi
 
 # Check that we can write to install path
-if [ ! -w "${INSTALL_PATH}" ]; then
-	echo "Cannot write to ${INSTALL_PATH}. Please retry using sudo." 2>&1
-	exit 1
+if ! $([ -d "${INSTALL_PATH}" ] && [ -r "${INSTALL_PATH}" ] &&
+	[ -w "${INSTALL_PATH}" ] && [ -x "${INSTALL_PATH}" ]); then
+	if [ ! -d "${SAFE_INSTALL_PATH}" ]; then
+		mkdir -p "${SAFE_INSTALL_PATH}" 2>/dev/null &&
+			echo "Creating ${SAFE_INSTALL_PATH}" >&2
+	fi
+
+	if [ -d "${SAFE_INSTALL_PATH}" ] && [ -r "${SAFE_INSTALL_PATH}" ] &&
+		[ -w "${SAFE_INSTALL_PATH}" ] && [ -x "${SAFE_INSTALL_PATH}" ]; then
+		echo "Inadequate permissions to install to ${INSTALL_PATH}. Installing to ${SAFE_INSTALL_PATH}." >&2
+		INSTALL_PATH="${SAFE_INSTALL_PATH}"
+	else
+		echo "Inadequate permissions to install to ${INSTALL_PATH} or ${SAFE_INSTALL_PATH}." >&2
+		echo "Please \`chmod u+rwx \"$INSTALL_PATH\"\` (you may need to use \`sudo\`)"
+		echo "or set INSTALL_PATH to a writable directory where you want to install ${APP_NAME}." >&2
+		exit 1
+	fi
 fi
 
 # Proceed with installation
@@ -61,14 +75,35 @@ fi
 # Sometimes docker might not exit cleanly
 docker rm -f "${INSTALLER_NAME}" >/dev/null 2>&1
 
-(docker run --name "${INSTALLER_NAME}" --rm -e DOCKER_IMAGE -e DOCKER_TAG -e APP_NAME "${DOCKER_IMAGE}:${DOCKER_TAG}" -c wrapper | tee "${INSTALL_PATH}/${APP_NAME}" >${OUTPUT}) &&
+docker run --name "${INSTALLER_NAME}" --rm -e DOCKER_IMAGE -e DOCKER_TAG -e APP_NAME "${DOCKER_IMAGE}:${DOCKER_TAG}" -c wrapper >"${INSTALL_PATH}/${APP_NAME}" &&
 	chmod 755 "${INSTALL_PATH}/${APP_NAME}"
 
 if [ $? -eq 0 ]; then
 	echo "# Installed ${APP_NAME} to ${INSTALL_PATH}/${APP_NAME}"
-	exit 0
 else
+	echo
 	echo "# Failed to install ${APP_NAME}"
-	echo "# Please let us know! Send an email to < hello@cloudposse.com > with what went wrong."
+	echo "# If this is not due to file system permissions, please"
+	echo "# check for known issues and consider reporting the failure at"
+	echo "#    https://github.com/cloudposse/geodesic/issues"
+	echo
+	exit 1
+fi
+
+hash -r || true
+if [ "$(realpath "${INSTALL_PATH}/${APP_NAME}")" != "$(command -v "${APP_NAME}" 2>/dev/null)" ]; then
+	if [ -x "${INSTALL_PATH}/${APP_NAME}" ]; then
+		if [ -n "$(command -v "${APP_NAME}" 2>/dev/null)" ]; then
+			echo "# WARNING: \`${APP_NAME}\` installed in ${INSTALL_PATH} but"
+			echo "#          also found in $(dirname "$(command -v "${APP_NAME}")")"
+			echo "#          which appears earlier in \$PATH. "
+			echo "#          Fix your PATH or \`rm \"$(command -v "${APP_NAME}")\""
+			echo
+		else
+			echo "# WARNING: It appears ${INSTALL_PATH} is not on your PATH. Please add it."
+		fi
+	else
+		echo "# WARNING: Install appeared to succeed but ${INSTALL_PATH}/${APP_NAME} is not executable."
+	fi
 	exit 1
 fi

rootfs/templates/wrapper

@@ -83,13 +83,21 @@ function use() {
 		DOCKER_ARGS=()
 	fi
 
-	if [ "${GEODESIC_HOST_BINDFS}" = "forced" ] || { [ "${OS}" = 'Linux' ] && [ "${GEODESIC_HOST_BINDFS}" != "disabled" ]; }; then
-		DOCKER_ARGS+=(
-			--env GEODESIC_HOST_UID="${USER_ID}"
-			--env GEODESIC_HOST_GID="${GROUP_ID}"
-			--env GEODESIC_LOCALHOST="${GEODESIC_LOCALHOST:=/localhost.bindfs}"
-			--env GEODESIC_BINDFS_OPTIONS
-			)
+	if [ "${GEODESIC_HOST_BINDFS_ENABLED}" = "true" ]; then
+		if [ "${USER_ID}" = 0 ]; then
+			echo "# WARNING: Host user is root. This is DANGEROUS."
+			echo "  * Geodesic should not be launched by the host root user."
+			echo "  * Use \"rootless\" mode instead. See https://docs.docker.com/engine/security/rootless/"
+			echo "# Not enabling BindFS host filesystem mapping because host user is root."
+		else
+			echo "# Enabling BindFS mapping of file system owner and group ID."
+			DOCKER_ARGS+=(
+				--env GEODESIC_HOST_UID="${USER_ID}"
+				--env GEODESIC_HOST_GID="${GROUP_ID}"
+				--env GEODESIC_LOCALHOST="${GEODESIC_LOCALHOST:=/localhost.bindfs}"
+				--env GEODESIC_BINDFS_OPTIONS
+				)
+		fi
 	fi
 
 	if [ "${WITH_DOCKER}" == "true" ]; then
@@ -164,7 +172,11 @@ function use() {
 	if [ "${local_home}" == "/localhost" ]; then
 		echo "WARNING: not mounting ${local_home} because it conflicts with geodesic"
 	else
-		echo "# Mounting ${local_home} into container with workdir ${GEODESIC_HOST_CWD}"
+		if [ "${GEODESIC_LOCALHOST:-/localhost}" != "/localhost" ]; then
+			echo "# Mounting ${local_home} into container at ${GEODESIC_LOCALHOST} with workdir ${GEODESIC_HOST_CWD}"
+		else
+			echo "# Mounting ${local_home} into container with workdir ${GEODESIC_HOST_CWD}"
+		fi
 		DOCKER_ARGS+=(
 		--volume="${local_home}:${GEODESIC_LOCALHOST:-/localhost}"
 		--env LOCAL_HOME="${local_home}"