From e6724b0cb6c6532cab5ac76b035b3a3a822038a0 Mon Sep 17 00:00:00 2001
From: Alex Richardson
Date: Tue, 7 Sep 2021 14:32:23 +0100
Subject: [PATCH 1/5] docker: Use a single layer for all apt packages

---
 docker/Dockerfile | 21 ++++++---------------
 1 file changed, 6 insertions(+), 15 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index d0d0c4458..c79aa8d21 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -12,24 +12,15 @@ RUN apt-get update && apt-get install -y \
 samba \
 telnet \
 texlive-base \
- texinfo
-
-# RUN git config --global http.sslVerify false
-# RUN cd /tmp && git clone https://github.com/arichardson/bmake && cd bmake \
-# && ./configure --with-default-sys-path=/usr/local/share/mk --with-machine=amd64 --without-meta --without-filemon --prefix=/usr/local \
-# && sh ./make-bootstrap.sh && make install && rm -rf /tmp/bmake
+ texinfo \
+ libtool pkg-config autotools-dev automake autoconf \
+ libarchive-dev libglib2.0-dev libpixman-1-dev \
+ bison groff-base flex \
+ cmake \
+ clang-12 lld-12

 COPY cheribuild.json /root/.config/cheribuild.json

-# deps to build QEMU+elftoolchain:
-RUN apt-get update && apt-get install -y \
- libtool pkg-config autotools-dev automake autoconf libglib2.0-dev libpixman-1-dev \
- bison groff-base libarchive-dev flex
-
-RUN apt-get update && apt-get install -y cmake
-
-RUN apt-get install -y clang-12 lld-12
-
 VOLUME ["/cheribuild", "/source", "/build", "/output"]
 ENV PATH /cheribuild:$PATH
 CMD bash
From debe56b64466382dbc9c6da65c2ec5b21dc786fe Mon Sep 17 00:00:00 2001
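Review bot: The merged `apt-get install -y` still installs recommended packages by default and leaves the downloaded package index in the layer, and with everything now in one RUN this is the place to address both. Consider `apt-get install -y --no-install-recommends \` on the opening line (it sits above the hunk, so first confirm nothing depends on a recommended package) and ending the chain after `clang-12 lld-12` with `&& rm -rf /var/lib/apt/lists/*`. A smaller package set also reduces what has to be kept patched in the image.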
From: Alex Richardson
Date: Tue, 7 Sep 2021 15:14:32 +0100
Subject: [PATCH 2/5] docker image: switch to a new non-root user when started as root

Instead of manually adding a matching user with the docker-adduser cheribuild target, this adds an ENTRYPOINT script to the docker image that automatically creates an unprivileged user. The UID/GID/name can be passed using environment variables (-e flag to `docker run`).
---
 docker/Dockerfile | 11 +++++++++--
 docker/entrypoint.sh | 17 +++++++++++++++++
 2 files changed, 26 insertions(+), 2 deletions(-)
 create mode 100755 docker/entrypoint.sh

diff --git a/docker/Dockerfile b/docker/Dockerfile
index c79aa8d21..c226fdfc8 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -17,10 +17,17 @@ RUN apt-get update && apt-get install -y \
 libarchive-dev libglib2.0-dev libpixman-1-dev \
 bison groff-base flex \
 cmake \
- clang-12 lld-12
+ clang-12 lld-12 \
+ gosu && \
+ apt-get clean

 COPY cheribuild.json /root/.config/cheribuild.json
+COPY entrypoint.sh /usr/bin/entrypoint.sh

 VOLUME ["/cheribuild", "/source", "/build", "/output"]
 ENV PATH /cheribuild:$PATH
-CMD bash
+# We use an ENTRYPOINT script to ensure that cheribuild is run as a non-root
+# user that has a UID/GID matching the host so that file ownership in the
+# volumes
+ENTRYPOINT ["/usr/bin/entrypoint.sh"]
+CMD ["/bin/bash"]
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
new file mode 100755
index 000000000..c6fe72a99
--- /dev/null
+++ b/docker/entrypoint.sh
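Review bot: The comment added above `ENTRYPOINT` stops mid-sentence at `# volumes`, so the reason for the entrypoint script is never actually stated. Finish the sentence, for example `# volumes matches the host user instead of root.` It would also help to name the variables the script reads (`cheribuild_uid`, `cheribuild_gid`, `cheribuild_user`) in this comment, since the Dockerfile is where someone assembling a `docker run -e ...` command will look first.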
@@ -0,0 +1,17 @@
+#!/bin/sh -e
+
+if [ "$(id -u)" != 0 ]; then
+ echo "Already running as non-root, can't change user."
+ exec "$@"
+fi
+# Create a non-root user with UID/GID matching the host user to ensure that
+# files written to the volumes are not owned by root.
+: "${cheribuild_uid:=1234}"
+: "${cheribuild_gid:=1234}"
+: "${cheribuild_user:=cheri}"
+addgroup --quiet --gid ${cheribuild_gid} "${cheribuild_user}"
+yes | adduser --quiet --uid ${cheribuild_uid} --disabled-password --ingroup "${cheribuild_user}" "${cheribuild_user}" > /dev/null
+
+# Run the actual command:
+export HOME="/home/${cheribuild_user}"
+exec gosu "${cheribuild_user}" "$@"
From a6912074e4c6d94da1a65a4d469a38d16a00bbd3 Mon Sep 17 00:00:00 2001
From: Alex Richardson
Date: Wed, 8 Sep 2021 18:14:38 +0100
Subject: [PATCH 3/5] docker image: Use `useradd` instead of adduser

Unlike adduser, the low-level useradd program does not have any prompts so works better in a non-interactive context.
---
 docker/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index c6fe72a99..1acb02455 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -10,7 +10,7 @@ fi
 : "${cheribuild_gid:=1234}"
 : "${cheribuild_user:=cheri}"
 addgroup --quiet --gid ${cheribuild_gid} "${cheribuild_user}"
-yes | adduser --quiet --uid ${cheribuild_uid} --disabled-password --ingroup "${cheribuild_user}" "${cheribuild_user}" > /dev/null
+useradd --uid "${cheribuild_uid}" --gid "${cheribuild_gid}" --create-home --no-user-group --password '*' "${cheribuild_user}"

 # Run the actual command:
 export HOME="/home/${cheribuild_user}"
From f3b6c4aaf90a62d1e460eec2cacaf8d5c907eba8 Mon Sep 17 00:00:00 2001
From: Alex Richardson
Date: Wed, 8 Sep 2021 18:15:01 +0100
Subject: [PATCH 4/5] docker image: silence debug echo

---
 docker/entrypoint.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
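Review bot: `${cheribuild_gid}` and `${cheribuild_uid}` are expanded unquoted on the `addgroup` and `adduser` lines while the script is still running as root, so a value supplied through `docker run -e` that contains whitespace is split into additional arguments for those tools. Quote both (`--gid "${cheribuild_gid}"`, `--uid "${cheribuild_uid}"`) and reject non-numeric values before they are used, e.g. `case "${cheribuild_uid}${cheribuild_gid}" in *[!0-9]*) echo "cheribuild_uid/gid must be numeric" >&2; exit 1;; esac`. The same unquoted `${cheribuild_gid}` is still present on the `addgroup` context line of the later `@@ -10,7 +10,7 @@` and `@@ -12,6 +12,10 @@` hunks. Separately, the `-e` in the shebang is lost if the script is ever invoked as `sh entrypoint.sh`; a `set -e` line after the shebang is more robust.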
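Review bot: `useradd`, like the `addgroup` line above it, exits non-zero when the requested name, UID or GID already exists, and under `-e` that aborts the entrypoint before the requested command runs. This happens when a stopped container is started again, and it can happen on the first start if the host GID is already allocated in the image's `/etc/group`. Guard both calls, e.g. `getent group "${cheribuild_gid}" >/dev/null || addgroup --quiet --gid "${cheribuild_gid}" "${cheribuild_user}"` and `id -u "${cheribuild_user}" >/dev/null 2>&1 || useradd ...`. Adding `--no-log-init` to `useradd` is also worth considering, since very large host UIDs can otherwise inflate the lastlog/faillog files. The script begins and ends outside this hunk.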
diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 1acb02455..63305f5f5 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -1,7 +1,7 @@
 #!/bin/sh -e

 if [ "$(id -u)" != 0 ]; then
- echo "Already running as non-root, can't change user."
+ # echo "Already running as non-root, can't change user."
 exec "$@"
 fi
 # Create a non-root user with UID/GID matching the host user to ensure that
From 16c6e6ac9068832fcbf6658019f1960b0c347ce1 Mon Sep 17 00:00:00 2001
From: Alex Richardson
Date: Wed, 8 Sep 2021 18:22:13 +0100
Subject: [PATCH 5/5] docker image: Copy the cheribuild configuration to the home directory

---
 docker/entrypoint.sh | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh
index 63305f5f5..ba45486be 100755
--- a/docker/entrypoint.sh
+++ b/docker/entrypoint.sh
@@ -12,6 +12,10 @@ fi
 addgroup --quiet --gid ${cheribuild_gid} "${cheribuild_user}"
 useradd --uid "${cheribuild_uid}" --gid "${cheribuild_gid}" --create-home --no-user-group --password '*' "${cheribuild_user}"

-# Run the actual command:
+# Copy the cheribuild configuration to the unprivileged user's home directory:
 export HOME="/home/${cheribuild_user}"
+mkdir "${HOME}/.config"
+cp -f /root/.config/cheribuild.json "${HOME}/.config/cheribuild.json"
+chown -R "${cheribuild_uid}:${cheribuild_gid}" "${HOME}/.config"
+# Run the actual command:
 exec gosu "${cheribuild_user}" "$@"
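Review bot: `mkdir "${HOME}/.config"` fails if the directory already exists (for instance when it comes from `/etc/skel`, or on a second start of the same container), and with `-e` that stops the entrypoint; `mkdir -p "${HOME}/.config"` avoids this. `HOME` is also assembled as `/home/${cheribuild_user}` rather than read back from the account `useradd` just created, so the root-run `mkdir`, `cp` and `chown -R` operate on a path derived directly from an environment variable. Reading it from the passwd entry, e.g. `HOME="$(getent passwd "${cheribuild_user}" | cut -d: -f6)"`, keeps those three commands tied to the account's real home directory. The script continues above this hunk.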