From 4c39e54ca9cae248403477496e739ee103f7fe3f Mon Sep 17 00:00:00 2001
From: Andrea Bolognani
Date: Thu, 15 Aug 2019 15:37:38 +0200
Subject: [PATCH] ci: Run $(CI_PREPARE_SCRIPT) as root
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In order for the prepare script to be really useful, it needs to be able to perform privileged operations such as installing additional packages or setting up custom mount points. In order to achieve that, we now run the container as root, run the prepare script with full privilege, and only then switch to the unprivileged account with sudo.

Signed-off-by: Andrea Bolognani
Reviewed-by: Ján Tomko
---
 ci/Makefile | 19 +++++++++++--------
 ci/prepare.sh | 4 ++++
 2 files changed, 15 insertions(+), 8 deletions(-)
diff --git a/ci/Makefile b/ci/Makefile
index 67776c0404..aa9e5293e9 100644
--- a/ci/Makefile
+++ b/ci/Makefile
@@ -178,7 +178,6 @@ CI_GIT_ARGS = \
 # --tty Ensure we have ability to Ctrl-C the build
 CI_ENGINE_ARGS = \
 --rm \
- --user $(CI_UID):$(CI_GID) \
 --interactive \
 --tty \
 $(CI_PODMAN_ARGS) \
@@ -219,13 +218,17 @@ ci-run-command@%: ci-prepare-tree
 $(CI_ENGINE) run $(CI_ENGINE_ARGS) $(CI_IMAGE_PREFIX)$*$(CI_IMAGE_TAG) \
 /bin/bash -c ' \
 $(CI_USER_HOME)/prepare || exit 1; \
- export CI_CONT_SRCDIR="$(CI_CONT_SRCDIR)"; \
- export CI_CONT_BUILDDIR="$(CI_CONT_BUILDDIR)"; \
- export CI_SMP="$(CI_SMP)"; \
- export CI_CONFIGURE="$(CI_CONFIGURE)"; \
- export CI_CONFIGURE_ARGS="$(CI_CONFIGURE_ARGS)"; \
- export CI_MAKE_ARGS="$(CI_MAKE_ARGS)"; \
- $(CI_COMMAND) || exit 1'
+ sudo \
+ --login \
+ --user="#$(CI_UID)" \
+ --group="#$(CI_GID)" \
+ CI_CONT_SRCDIR="$(CI_CONT_SRCDIR)" \
+ CI_CONT_BUILDDIR="$(CI_CONT_BUILDDIR)" \
+ CI_SMP="$(CI_SMP)" \
+ CI_CONFIGURE="$(CI_CONFIGURE)" \
+ CI_CONFIGURE_ARGS="$(CI_CONFIGURE_ARGS)" \
+ CI_MAKE_ARGS="$(CI_MAKE_ARGS)" \
+ $(CI_COMMAND) || exit 1'
 @test "$(CI_CLEAN)" = "1" && rm -rf $(CI_SCRATCHDIR) || :
 
 ci-shell@%:
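Review bot: With `--user $(CI_UID):$(CI_GID)` removed from `CI_ENGINE_ARGS`, every `$(CI_ENGINE) run` that expands this variable now starts as root, so the privilege drop is no longer guaranteed by the engine arguments and has to be done by each recipe. Only `ci-run-command@%` is shown gaining a `sudo` step, so any other recipe that uses `CI_ENGINE_ARGS` (none is visible here) should be checked for running as root unintentionally. The per-flag comment block above the assignment starts outside the hunk; if it still has a `--user` entry, that entry is now stale. I would replace it with a line such as `# (no --user) container starts as root for the prepare script; recipes must drop to $(CI_UID):$(CI_GID) themselves`.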
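Review bot: `$(CI_COMMAND)` is expanded unquoted after `sudo`, so only its first simple command runs as `#$(CI_UID)`. If the value ever contains `;`, `&&`, `||` or a pipe, the outer root `bash -c` parses those operators and runs the remainder as root. The removed form ran the whole string in one shell under a single identity, so this is a new constraint. At minimum document it next to the variable, for example `# CI_COMMAND must be a single simple command: shell operators are parsed by the root shell, outside sudo`. The double-quoted `CI_*` assignments are likewise expanded by the root shell before `sudo` sees them, so a value containing a command substitution would be evaluated with full privilege.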
diff --git a/ci/prepare.sh b/ci/prepare.sh
index f70107bd62..da6fc9a1b5 100644
--- a/ci/prepare.sh
+++ b/ci/prepare.sh
@@ -7,3 +7,7 @@
 # CI_PREPARE_SCRIPT=/path/to/your/prepare/script
 #
 # to make.
+#
+# Note that this script will have root privileges inside the
+# container, so it can be used for things like installing additional
+# packages.