Patchwork [RFC,STABLE] dockerlib: allow non-unique uid and gid of $DBUILDUSER (issue4657)

Submitter Anton Shestakov
Date Nov. 7, 2015, 5:12 p.m.
Message ID <91375e4b0326f943471a.1446916364@neuro>
Permalink /patch/11320/
State Accepted

Comments

Anton Shestakov - Nov. 7, 2015, 5:12 p.m.
# HG changeset patch
# User Anton Shestakov <av6@dwimlabs.net>
# Date 1446916252 -28800
#      Sun Nov 08 01:10:52 2015 +0800
# Branch stable
# Node ID 91375e4b0326f943471a402ec9162686d8b73133
# Parent  e7c618cee8df35aefedad15b991d628bae1c60c8
dockerlib: allow non-unique uid and gid of $DBUILDUSER (issue4657)

There are make targets for building mercurial packages for various
distributions using docker. One of the preparation steps before building is to
create inside the docker image a user with the same uid/gid as the current user
on the host system, so that the resulting files have appropriate
ownership/permissions.

It's possible to run `make docker-<distro>` as a user with uid or gid that is
already present in a vanilla docker container of that distribution. For example,
issue4657 is about failing to build fedora packages as a user with uid=999 and
gid=999 because these ids are already used in fedora, and groupadd fails.
useradd would fail too, if the flow ever got to it (and there was a user with
such uid already).

A straightforward (maybe too much) way to fix this is to allow non-unique uid
and gid for the new user and group that get created inside the image. I'm not
sure of the implications of this, but marmoute encouraged me to try and send
this patch for stable.
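The preparation step described above (creating a user inside the image with the host's uid/gid) fails exactly when that id is already taken in the base image. The following is an added example, not code from the Mercurial patch or from dockerlib.sh: it checks the host uid/gid against passwd- and group-format data from the image, emits the `groupadd`/`useradd` lines with `--non-unique` only when a collision exists, and names the account that will share the id so the aliasing is visible in the build log. The `SAMPLE_PASSWD`/`SAMPLE_GROUP` contents are constructed stand-ins for an image's /etc/passwd and /etc/group, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not part of the Mercurial patch). Constructed sample
# passwd/group data standing in for a base image's /etc/passwd and
# /etc/group; uid 999 and gid 999 are deliberately taken, as in issue4657.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/sbin/nologin'
SAMPLE_GROUP='root:x:0:
bin:x:1:
systemd-journal:x:190:
systemd-coredump:x:999:'

# Print the name that owns numeric id $2 in passwd/group-format data $1
# (the id is field 3 in both formats); print nothing if the id is free.
owner_of_id() {
    printf '%s\n' "$1" | awk -F: -v id="$2" '$3 == id { print $1; exit }'
}

# Emit the Dockerfile RUN lines creating user $1 with uid $2 / gid $3,
# given image passwd data $4 and group data $5. --non-unique is added only
# when the id is already in use, and the aliased account is named in a
# comment line. uid 0 is refused: aliasing root is never a build user.
build_user_lines() {
    user=$1; uid=$2; gid=$3; passwd=$4; group=$5
    if [ "$uid" -eq 0 ]; then
        echo "ERROR: refusing to create $user as an alias of uid 0" >&2
        return 1
    fi
    gflag=""; uflag=""
    g=$(owner_of_id "$group" "$gid")
    if [ -n "$g" ]; then
        gflag=" --non-unique"
        echo "# gid $gid already used by group '$g' in the image"
    fi
    u=$(owner_of_id "$passwd" "$uid")
    if [ -n "$u" ]; then
        uflag=" --non-unique"
        echo "# uid $uid already used by user '$u' in the image"
    fi
    echo "RUN groupadd $user -g $gid$gflag"
    echo "RUN useradd $user -u $uid -g $user$uflag"
}

# Usage: replace the sample data with the image's real files, e.g.
# build_user_lines build "$(id -u)" "$(id -g)" "$(cat passwd)" "$(cat group)"
build_user_lines build 999 999 "$SAMPLE_PASSWD" "$SAMPLE_GROUP"
```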
Matt Mackall - Nov. 9, 2015, 8:17 p.m.
On Sun, 2015-11-08 at 01:12 +0800, Anton Shestakov wrote:
> # HG changeset patch
> # User Anton Shestakov <av6@dwimlabs.net>
> # Date 1446916252 -28800
> #      Sun Nov 08 01:10:52 2015 +0800
> # Branch stable
> # Node ID 91375e4b0326f943471a402ec9162686d8b73133
> # Parent  e7c618cee8df35aefedad15b991d628bae1c60c8
> dockerlib: allow non-unique uid and gid of $DBUILDUSER (issue4657)

I guess. Queued for stable, thanks. The right answer long-term is
probably to not share with the host filesystem at all, for instance by
using tar or hg archive to inject files into the container. Docker (and
the underlying bind mounts it uses) is unlikely to ever grow full-
fledged UID remapping.
Augie Fackler - Nov. 10, 2015, 3:05 a.m.
On Mon, Nov 09, 2015 at 02:17:49PM -0600, Matt Mackall wrote:
> On Sun, 2015-11-08 at 01:12 +0800, Anton Shestakov wrote:
> > # HG changeset patch
> > # User Anton Shestakov <av6@dwimlabs.net>
> > # Date 1446916252 -28800
> > #      Sun Nov 08 01:10:52 2015 +0800
> > # Branch stable
> > # Node ID 91375e4b0326f943471a402ec9162686d8b73133
> > # Parent  e7c618cee8df35aefedad15b991d628bae1c60c8
> > dockerlib: allow non-unique uid and gid of $DBUILDUSER (issue4657)
>
> I guess. Queued for stable, thanks. The right answer long-term is
> probably to not share with the host filesystem at all, for instance by
> using tar or hg archive to inject files into the container. Docker (and
> the underlying bind mounts it uses) is unlikely to ever grow full-
> fledged UID remapping.

I believe the "right" way to handle this is to package files into a
docker volume, then mount that volume as part of the container setup,
then extract the completed files from the volume at the end of the
build process.

I've also not seen any good examples of this. As far as I can tell,
what we're doing is a "wrong" way to use docker, but nobody has really
had constructive ideas either.

Sigh.


Patch

diff --git a/contrib/dockerlib.sh b/contrib/dockerlib.sh
--- a/contrib/dockerlib.sh
+++ b/contrib/dockerlib.sh
@@ -35,8 +35,8 @@  function initcontainer() {
         # running docker. This is *very likely* to fail at some point.
         echo RUN useradd $DBUILDUSER -u 1000
     else
-        echo RUN groupadd $DBUILDUSER -g `id -g`
-        echo RUN useradd $DBUILDUSER -u `id -u` -g $DBUILDUSER
+        echo RUN groupadd $DBUILDUSER -g `id -g` --non-unique
+        echo RUN useradd $DBUILDUSER -u `id -u` -g $DBUILDUSER --non-unique
     fi
   ) | $DOCKER build --tag $CONTAINER -
 }
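Review bot: the `--non-unique` on both `echo RUN` lines in the else branch is undocumented in the code, and its effect deserves a comment there: when `id -u` or `id -g` matches an id already present in the base image (the issue4657 case, uid/gid 999 on fedora), `$DBUILDUSER` becomes a second name for that numeric id, and since the kernel authorizes by number rather than name, the build user then holds exactly the permissions of the existing account inside the container. The commit message says the implications are unclear, so a line above the two `echo RUN` lines stating that this aliasing is deliberate (and only matters inside the throwaway build image) would save the next reader the same question. Separately, the `echo RUN useradd $DBUILDUSER -u 1000` fallback in the if branch is left without `--non-unique`, so it still fails if uid 1000 exists in the image; either apply the flag there too for consistency, or keep the existing "*very likely* to fail" comment as the documented trade-off.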