src: don't run snapcraft under sudo

Snapcraft 4.0 complains about running LXD builds under sudo. So instead add the CI user to the "lxd" group and use sg to switch to that membership.
snapcore · Jun 9, 2020 · 296b2ed · 296b2ed
1 parent 073d03c
commit 296b2ed
Show file tree

Hide file tree

Showing 5 changed files with 55 additions and 45 deletions.
diff --git a/__tests__/build.test.ts b/__tests__/build.test.ts
@@ -37,22 +37,15 @@ test('SnapcraftBuilder.build runs a snap build', async () => {
   expect(ensureSnapd).toHaveBeenCalled()
   expect(ensureLXD).toHaveBeenCalled()
   expect(ensureSnapcraft).toHaveBeenCalled()
-  expect(execMock).toHaveBeenCalledWith(
-    'sudo',
-    [
-      '--preserve-env=SNAPCRAFT_BUILD_ENVIRONMENT,SNAPCRAFT_BUILD_INFO,SNAPCRAFT_IMAGE_INFO',
-      'snapcraft'
-    ],
-    {
-      cwd: projectDir,
-      env: {
-        SNAPCRAFT_BUILD_ENVIRONMENT: 'lxd',
-        SNAPCRAFT_BUILD_INFO: '1',
-        SNAPCRAFT_IMAGE_INFO:
-          '{"build_url":"https://github.com/user/repo/actions/runs/42"}'
-      }
-    }
-  )
+  expect(execMock).toHaveBeenCalledWith('sg', ['lxd', '-c', 'snapcraft'], {
+    cwd: projectDir,
+    env: expect.objectContaining({
+      SNAPCRAFT_BUILD_ENVIRONMENT: 'lxd',
+      SNAPCRAFT_BUILD_INFO: '1',
+      SNAPCRAFT_IMAGE_INFO:
+        '{"build_url":"https://github.com/user/repo/actions/runs/42"}'
+    })
+  })
 })
 
 test('SnapcraftBuilder.build can disable build info', async () => {
@@ -76,13 +69,12 @@ test('SnapcraftBuilder.build can disable build info', async () => {
   const builder = new build.SnapcraftBuilder('.', false)
   await builder.build()
 
-  expect(execMock).toHaveBeenCalledWith('sudo', expect.any(Array), {
+  expect(execMock).toHaveBeenCalledWith('sg', expect.any(Array), {
     cwd: expect.any(String),
-    env: {
+    env: expect.not.objectContaining({
       // No SNAPCRAFT_BUILD_INFO variable
-      SNAPCRAFT_BUILD_ENVIRONMENT: 'lxd',
-      SNAPCRAFT_IMAGE_INFO: expect.any(String)
-    }
+      SNAPCRAFT_BUILD_INFO: expect.anything()
+    })
   })
 })
 

diff --git a/__tests__/tools.test.ts b/__tests__/tools.test.ts
@@ -114,7 +114,7 @@ test('ensureSnapd fixes permissions on the root directory', async () => {
 })
 
 test('ensureLXD installs the snap version of LXD if needed', async () => {
-  expect.assertions(3)
+  expect.assertions(4)
 
   const accessMock = jest.spyOn(fs.promises, 'access').mockImplementation(
     async (filename: fs.PathLike, mode?: number | undefined): Promise<void> => {
@@ -136,6 +136,13 @@ test('ensureLXD installs the snap version of LXD if needed', async () => {
     'lxd'
   ])
   expect(execMock).toHaveBeenNthCalledWith(2, 'sudo', ['lxd', 'init', '--auto'])
+  expect(execMock).toHaveBeenNthCalledWith(3, 'sudo', [
+    'usermod',
+    '--append',
+    '--groups',
+    'lxd',
+    os.userInfo().username
+  ])
 })
 
 test('ensureLXD removes the apt version of LXD', async () => {

diff --git a/dist/index.js b/dist/index.js
@@ -1279,6 +1279,9 @@ var external_process_ = __webpack_require__(765);
 // EXTERNAL MODULE: ./node_modules/@actions/exec/lib/exec.js
 var exec = __webpack_require__(986);
 
+// EXTERNAL MODULE: external "os"
+var external_os_ = __webpack_require__(87);
+
 // CONCATENATED MODULE: ./lib/tools.js
 // -*- mode: javascript; js-indent-level: 2 -*-
 var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _arguments, P, generator) {
@@ -1293,6 +1296,7 @@ var __awaiter = (undefined && undefined.__awaiter) || function (thisArg, _argume
 
 
 
+
 function haveExecutable(path) {
     return __awaiter(this, void 0, void 0, function* () {
         try {
@@ -1332,6 +1336,13 @@ function ensureLXD() {
             Object(core.info)('Installing LXD...');
             yield Object(exec.exec)('sudo', ['snap', 'install', 'lxd']);
             yield Object(exec.exec)('sudo', ['lxd', 'init', '--auto']);
+            yield Object(exec.exec)('sudo', [
+                'usermod',
+                '--append',
+                '--groups',
+                'lxd',
+                Object(external_os_.userInfo)().username
+            ]);
         }
     });
 }
@@ -1378,17 +1389,15 @@ class build_SnapcraftBuilder {
                 // eslint-disable-next-line @typescript-eslint/camelcase
                 build_url: `https://github.com/${external_process_.env.GITHUB_REPOSITORY}/actions/runs/${external_process_.env.GITHUB_RUN_ID}`
             };
-            const env = {
-                SNAPCRAFT_BUILD_ENVIRONMENT: 'lxd',
-                SNAPCRAFT_IMAGE_INFO: JSON.stringify(imageInfo)
-            };
+            // Copy and update environment to pass to snapcraft
+            const env = {};
+            Object.assign(env, external_process_.env);
+            env['SNAPCRAFT_BUILD_ENVIRONMENT'] = 'lxd';
+            env['SNAPCRAFT_IMAGE_INFO'] = JSON.stringify(imageInfo);
             if (this.includeBuildInfo) {
                 env['SNAPCRAFT_BUILD_INFO'] = '1';
             }
-            yield Object(exec.exec)('sudo', [
-                '--preserve-env=SNAPCRAFT_BUILD_ENVIRONMENT,SNAPCRAFT_BUILD_INFO,SNAPCRAFT_IMAGE_INFO',
-                'snapcraft'
-            ], {
+            yield Object(exec.exec)('sg', ['lxd', '-c', 'snapcraft'], {
                 cwd: this.projectRoot,
                 env
             });

diff --git a/src/build.ts b/src/build.ts
@@ -33,25 +33,19 @@ export class SnapcraftBuilder {
       // eslint-disable-next-line @typescript-eslint/camelcase
       build_url: `https://github.com/${process.env.GITHUB_REPOSITORY}/actions/runs/${process.env.GITHUB_RUN_ID}`
     }
-    const env: {[key: string]: string} = {
-      SNAPCRAFT_BUILD_ENVIRONMENT: 'lxd',
-      SNAPCRAFT_IMAGE_INFO: JSON.stringify(imageInfo)
-    }
+    // Copy and update environment to pass to snapcraft
+    const env: {[key: string]: string} = {}
+    Object.assign(env, process.env)
+    env['SNAPCRAFT_BUILD_ENVIRONMENT'] = 'lxd'
+    env['SNAPCRAFT_IMAGE_INFO'] = JSON.stringify(imageInfo)
     if (this.includeBuildInfo) {
       env['SNAPCRAFT_BUILD_INFO'] = '1'
     }
 
-    await exec.exec(
-      'sudo',
-      [
-        '--preserve-env=SNAPCRAFT_BUILD_ENVIRONMENT,SNAPCRAFT_BUILD_INFO,SNAPCRAFT_IMAGE_INFO',
-        'snapcraft'
-      ],
-      {
-        cwd: this.projectRoot,
-        env
-      }
-    )
+    await exec.exec('sg', ['lxd', '-c', 'snapcraft'], {
+      cwd: this.projectRoot,
+      env
+    })
   }
 
   // This wrapper is for the benefit of the tests, due to the crazy

diff --git a/src/tools.ts b/src/tools.ts
@@ -1,6 +1,7 @@
 // -*- mode: javascript; js-indent-level: 2 -*-
 
 import * as fs from 'fs'
+import * as os from 'os'
 import * as core from '@actions/core'
 import * as exec from '@actions/exec'
 
@@ -39,6 +40,13 @@ export async function ensureLXD(): Promise<void> {
     core.info('Installing LXD...')
     await exec.exec('sudo', ['snap', 'install', 'lxd'])
     await exec.exec('sudo', ['lxd', 'init', '--auto'])
+    await exec.exec('sudo', [
+      'usermod',
+      '--append',
+      '--groups',
+      'lxd',
+      os.userInfo().username
+    ])
   }
 }