Patchwork [06,of,10,v2] dockerrpm: run docker build process as the current user, not as root

Submitter Mads Kiilerich
Date Aug. 31, 2014, 11:41 a.m.
Message ID <621bc86e14384cba8819.1409485296@localhost.localdomain>
Permalink /patch/5662/
State Accepted

Comments

Mads Kiilerich - Aug. 31, 2014, 11:41 a.m.
# HG changeset patch
# User Mads Kiilerich <madski@unity3d.com>
# Date 1401452073 -7200
#      Fri May 30 14:14:33 2014 +0200
# Node ID 621bc86e14384cba8819ba0d38882d84012b5e9a
# Parent  ad706c5fef1b103c6b37851d2b02f70d0f19fbda
dockerrpm: run docker build process as the current user, not as root

Docker can be run by ordinary users if they are in the docker group. The build
process would however be run as a root user, only protected by the sandboxing.
That caused problems with the shared directory where rpmbuild would be picky
about building from sources owned by less privileged users and producing files
owned by root.

Instead, add a build user with the right uid/gid to the image and run the
docker process as that user.

Patch

diff --git a/contrib/dockerrpm b/contrib/dockerrpm
--- a/contrib/dockerrpm
+++ b/contrib/dockerrpm
@@ -24,6 +24,12 @@  DFILE="$ROOTDIR/contrib/docker/$PLATFORM
 
 CONTAINER="hg-dockerrpm-$PLATFORM"
 
-$DOCKER build --tag $CONTAINER - < $DFILE
-$DOCKER run --rm -v $ROOTDIR:/hg $CONTAINER bash -c \
+DBUILDUSER=build
+(
+cat $DFILE
+echo RUN groupadd $DBUILDUSER -g `id -g`
+echo RUN useradd $DBUILDUSER -u `id -u` -g $DBUILDUSER
+) | $DOCKER build --tag $CONTAINER -
+
+$DOCKER run -u $DBUILDUSER --rm -v $ROOTDIR:/hg $CONTAINER bash -c \
     "cp -a hg hg-build; cd hg-build; make clean local $PLATFORM; cp packages/$PLATFORM/* /hg/packages/$PLATFORM/"
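Review bot: the two appended `echo RUN groupadd ...` / `echo RUN useradd ...` lines abort the image build whenever the host uid or gid returned by `id -u` / `id -g` already exists in the base image, because groupadd and useradd refuse a duplicate id unless `-o` (`--non-unique`) is given; either pass `-o` or guard with `getent group`/`getent passwd` before creating the entry, so the build does not fail on hosts whose primary uid happens to collide with one shipped in the platform image. The approach itself is the right fix for the problem the message describes: with `-u $DBUILDUSER` on the `docker run` line the process inside the container no longer runs as root, and everything it writes into the `-v $ROOTDIR:/hg` bind mount is owned by the invoking user rather than by root. Two smaller points: `$ROOTDIR` in the `-v` argument is unquoted and will break on a path containing spaces, and the backticked `id` calls are evaluated in the host shell before `echo` runs, which is the intent but is worth a one-line comment since the resulting RUN lines otherwise look like they query the container.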