From 37ecd745a0bc5d25c95729e083aa2411aeda8384 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Tue, 1 May 2018 21:31:35 +0300
Subject: [PATCH] A single version of runas using gosu.

---
 content/docker_uid.rst | 42 ++++++++++++++++++++----------------
 content/static/runas | 10 ++++++++-
 content/static/runas-busybox | 8 -------
 content/static/runas-gnu | 8 -------
 4 files changed, 32 insertions(+), 36 deletions(-)
 mode change 120000 => 100755 content/static/runas
 delete mode 100755 content/static/runas-busybox
 delete mode 100755 content/static/runas-gnu

diff --git a/content/docker_uid.rst b/content/docker_uid.rst
index 36dea6d..4c8c098 100644
--- a/content/docker_uid.rst
+++ b/content/docker_uid.rst
@@ -23,9 +23,9 @@ The trivial solution is to run the container with the correct user id, like so
 gid="$(id -g)"
 docker run -v "$PWD:/volume" --user "$uid:$gid" buildimage make
 
-I personally find it a tiresome after the 3rd time I had to rebuild the
+I personally find it a tiresome after the 3rd time I had to `sudo chown` the
 project because I forgot to specify the uid and gid and it's a (low) barrier
-to entry for new users.
+of entry for new users.
 
 A better solution
 -----------------
@@ -38,32 +38,36 @@ commands.
 
 #!/bin/sh
 set -eu
- command -v sudo > /dev/null || { echo "Can't find sudo, exiting."; exit 1; }
- uid="$(stat . --format '%u')"
- gid="$(stat . --format '%g')"
- groupadd --force --non-unique --gid "$gid" builder
- useradd --non-unique --uid "$uid" --gid "$gid" --home-dir "$PWD" --no-create-home --shell /bin/bash builder
- sudo -Eu "#$uid" -g "#$gid" -- "$@"
+ [ "$(id -u)" = "0" ] || { echo "Not running as root, continuing as the current user."; eval exec "$@"; }
+ command -v stat > /dev/null || { echo "Can't find stat, exiting."; exit 1; }
+ command -v gosu > /dev/null || { echo "Can't find gosu, exiting."; exit 1; }
+ uid="$(stat . -c '%u')"
+ gid="$(stat . -c '%g')"
+ eval exec gosu "$uid:$gid" "$@"
 
 The script is also available for `download
-<https://www.shore.co.il/blog/static/runas-gnu>`_. The only dependency is
-:code:`sudo`. There's also a `version
-<https://www.shore.co.il/blog/static/runas-busybox>`_ for images using BusyBox
-(like Alpine). You can download and check it to your VCS and incorporate it
-into your Dockerfile, or download it via the :code:`ADD` directive, like so:
+<https://www.shore.co.il/blog/static/runas>`_. The only dependency is
+`gosu <https://github.com/tianon/gosu>`_. You can download and check it to
+your VCS and incorporate it into your Dockerfile, or download it via the
+:code:`ADD` directive, like so:
 
 .. code:: shell
 
- FROM debian:stable
- RUN apt-get update && \
- DEBIAN_FRONTEND=noninteractive apt-get install -y sudo build-essential
- ADD [ "https://www.shore.co.il/blog/static/runas-gnu", "/entrypoint" ]
- ENTRYPOINT [ "/bin/sh", "/entrypoint" ]
+ FROM buildpack-deps
+ RUN curl -fsSL https://github.com/tianon/gosu/releases/download/1.10/gosu-amd64 -o gosu-amd64 && \
+ install -o root -g root -m 755 gosu-amd64 /usr/local/bin/gosu && \
+ rm gosu-amd64 && \
+ curl -fsSL https://www.shore.co.il/blog/static/runas -o runas && \
+ install -o root -g root -m 755 runas /entrypoint && \
+ rm runas
+ ENTRYPOINT [ "/entrypoint" ]
 VOLUME /volume
 WORKDIR /volume
 ENV HOME /volume
 
-And then finally, to build run
+Setting the home directory to the mounted volume will result in some files (like
+package managers cache) to be created there, which you may or may not want. And
+then finally, to build run
 
 .. code:: shell
 
diff --git a/content/static/runas b/content/static/runas
deleted file mode 120000
index 129d4a6..0000000
--- a/content/static/runas
+++ /dev/null
@@ -1 +0,0 @@
-runas-gnu
\ No newline at end of file
diff --git a/content/static/runas b/content/static/runas
new file mode 100755
index 0000000..bb0ea2c
--- /dev/null
+++ b/content/static/runas
@@ -0,0 +1,9 @@
+#!/bin/sh
+set -eu
+
+[ "$(id -u)" = "0" ] || { echo "Not running as root, continuing as the current user."; eval exec "$@"; }
+command -v stat > /dev/null || { echo "Can't find stat, exiting."; exit 1; }
+command -v gosu > /dev/null || { echo "Can't find gosu, exiting."; exit 1; }
+uid="$(stat . -c '%u')"
+gid="$(stat . -c '%g')"
+eval exec gosu "$uid:$gid" "$@"
diff --git a/content/static/runas-busybox b/content/static/runas-busybox
deleted file mode 100755
index 74f92d3..0000000
--- a/content/static/runas-busybox
+++ /dev/null
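Review bot: The two `eval exec` lines in the new runas script re-parse the container's arguments as shell source, so an argument containing spaces, quotes, globs or `;` is word-split and interpreted instead of being passed through unchanged — an invocation such as `docker run img make CFLAGS='-O2 -g'` breaks, and anything that forwards less-trusted input into this entrypoint gets command injection. Since `"$@"` already hands each argument over as one word, the fix is to drop the `eval`: `exec "$@"` on the non-root line and `exec gosu "$uid:$gid" "$@"` on the last line; if accepting a single command string was the goal, callers can pass `sh -c '...'` explicitly. The "Not running as root" message on the same line is a diagnostic and should go to stderr with `>&2` so it does not get mixed into the wrapped command's stdout. Separately, the Dockerfile snippet in this patch installs both gosu 1.10 and this script via `curl -fsSL` with no checksum or signature check, so the image trusts whatever those two URLs serve at build time — pinning a digest there (or vendoring runas into the repo, as the post itself suggests) is worth a sentence in the article.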
@@ -1,8 +0,0 @@
-#!/bin/sh
-set -eu
-command -v sudo > /dev/null || { echo "Can't find sudo, exiting."; exit 1; }
-uid="$(stat . -c '%u')"
-gid="$(stat . -c '%g')"
-addgroup -g "$gid" builder
-adduser -h "$PWD" -s /bin/sh -G builder -u "$uid" -H -D builder
-sudo -Eu "#$uid" -g "#$gid" -- "$@"
diff --git a/content/static/runas-gnu b/content/static/runas-gnu
deleted file mode 100755
index d3dd2f7..0000000
--- a/content/static/runas-gnu
+++ /dev/null
@@ -1,8 +0,0 @@
-#!/bin/sh
-set -eu
-command -v sudo > /dev/null || { echo "Can't find sudo, exiting."; exit 1; }
-uid="$(stat . --format '%u')"
-gid="$(stat . --format '%g')"
-groupadd --force --non-unique --gid "$gid" builder
-useradd --non-unique --uid "$uid" --gid "$gid" --home-dir "$PWD" --no-create-home --shell /bin/bash builder
-sudo -Eu "#$uid" -g "#$gid" -- "$@"
-- 
GitLab