Patchwork [15,of,22] dockerrpm: run docker build process as the current user, not as root

Submitter Mads Kiilerich
Date May 20, 2014, 2:10 a.m.
Message ID <faa57fbb78d29a730fa2.1400551810@mk-desktop>
Permalink /patch/4837/
State Superseded
Commit cf7b5c0117370a0e81d23bdb6935802940935f2a

Comments

Mads Kiilerich - May 20, 2014, 2:10 a.m.
# HG changeset patch
# User Mads Kiilerich <madski@unity3d.com>
# Date 1400551681 -7200
#      Tue May 20 04:08:01 2014 +0200
# Node ID faa57fbb78d29a730fa2764fec50211dfc70c5b4
# Parent  74bca1400cea133b94089cb4297c12a6e7bd817e
dockerrpm: run docker build process as the current user, not as root

Docker can be run by ordinary users if they are in the docker group. The build
process would however be run as a root user, only protected by the sandboxing.
That caused problems with the shared directory where rpmbuild would be picky
about building from sources owned by less privileged users and producing files
owned by root.

Instead, add a build user with the right uid/gid to the image and run the
docker process as that user.

Patch

diff --git a/contrib/dockerrpm b/contrib/dockerrpm
--- a/contrib/dockerrpm
+++ b/contrib/dockerrpm
@@ -21,6 +21,11 @@  DFILE="$ROOTDIR/contrib/docker/$1"
 
 CONTAINER="hg-rpm-$1"
 
-$DOCKER build --tag $CONTAINER - < $BUILDDIR/docker/$1
-$DOCKER run --rm -v $ROOTDIR:/hg $CONTAINER bash -c \
+DBUILDUSER=build
+(
+cat $DFILE
+echo RUN groupadd $DBUILDUSER -g `id -g`
+echo RUN useradd $DBUILDUSER -u `id -u` -g $DBUILDUSER
+) | $DOCKER build --tag $CONTAINER -
+$DOCKER run -u $DBUILDUSER --rm -v $ROOTDIR:/hg $CONTAINER bash -c \
     "cp -a hg hg-build; cd hg-build; make clean local $1; cp build/$1/* /hg/build/$1/"
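Review bot: the `groupadd`/`useradd` lines baked into the Dockerfile will abort the whole `docker build` if the base image already has a group or user with the host's `id -g`/`id -u` (a host whose primary group is `users`, gid 100, collides with the same group in most distro images), since neither command tolerates a duplicate id. Guard them (`RUN getent group $gid >/dev/null || groupadd ...`, likewise for `getent passwd $uid`) and pass the numeric `$(id -u):$(id -g)` to `docker run -u` so a name that was skipped does not matter. Two smaller points in the same hunk: `useradd` without `-m` gives the build user no home directory, and rpmbuild writes to `~/rpmbuild` by default, so any step that relies on `$HOME` will fail unless the Makefile overrides the topdir; and `$ROOTDIR` remains unquoted in `-v $ROOTDIR:/hg`, which breaks for checkouts under a path containing spaces.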
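The uid/gid mapping the commit message describes, as an added example that is not the project's own contrib/dockerrpm. It generates the same kind of Dockerfile (base file plus a build user carrying the host caller's ids) but skips `groupadd`/`useradd` when the base image already has that id, so the build does not abort on a collision, and selects the user numerically in `docker run`. The function and parameter names (`make_dockerfile`, `host_user_spec`, `build_and_run`, the `/hg` mount point) are assumptions for illustration; `build_and_run` is only invoked by the caller and needs a working docker.

```shell
#!/bin/sh
# Added example, not code from the Mercurial patch above: build an image whose
# build user has the host caller's uid/gid, so files written into a bind-mounted
# source tree come back owned by the caller rather than root.

# Emit a Dockerfile on stdout: the base file in $1, plus a user named $2 with
# uid $3 and gid $4. The base image may already contain a group or user with
# these ids (gid 100 "users" is the usual offender), so creation is skipped
# when getent finds the id instead of failing the whole build. useradd -m
# gives the user a home directory for tools that write under $HOME.
make_dockerfile() {
    base="$1"; name="$2"; uid="$3"; gid="$4"
    cat "$base"
    printf '%s\n' \
        "RUN getent group $gid >/dev/null || groupadd -g $gid $name" \
        "RUN getent passwd $uid >/dev/null || useradd -m -u $uid -g $gid $name"
}

# uid:gid of the invoking host user, the numeric form docker run -u accepts.
# Using numbers rather than the name means it still works when the id already
# belonged to another account in the image and useradd was skipped.
host_user_spec() {
    printf '%s:%s' "$(id -u)" "$(id -g)"
}

# Build the image from the generated Dockerfile (context from stdin, as the
# patch does) and run the remaining arguments inside it as the host user with
# the source tree ($3) mounted at /hg. Requires docker and docker-group membership.
build_and_run() {
    base="$1"; tag="$2"; srcdir="$3"; shift 3
    make_dockerfile "$base" build "$(id -u)" "$(id -g)" | docker build --tag "$tag" -
    docker run --rm -u "$(host_user_spec)" -v "$srcdir:/hg" "$tag" "$@"
}

# Usage (not run here): build_and_run contrib/docker/centos6 hg-rpm-centos6 "$PWD" \
#     bash -c "cp -a hg hg-build; cd hg-build; make clean local centos6"
```

Because the host ids are written into the image, the tag is specific to the user who built it; on a shared build host, include `$(id -u)` in the tag so two users do not overwrite each other's image.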