-
Notifications
You must be signed in to change notification settings - Fork 386
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add pre-build hooks #635
Add pre-build hooks #635
Conversation
Awesome! This is really a workaround but it's quite neat. |
I'm not sure we necessarily need to - just seemed good practice to me especially since when hooks aren't provided the containers are run with the |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I just small code comment, but I'd like to say I like the idea, and it does avoid the need for many custom images.
// We need to specify the user for Docker, but not for Podman. | ||
let uid_gid = if let Ok(ce) = get_container_engine() { | ||
if ce.ends_with(DOCKER) { | ||
Some(( | ||
env::var("CROSS_CONTAINER_UID").unwrap_or(id::user().to_string()), | ||
env::var("CROSS_CONTAINER_GID").unwrap_or(id::group().to_string()), | ||
)) | ||
} else { | ||
None | ||
} | ||
} else { | ||
None | ||
}; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please move the code back to the original place as it is a non-required code change.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I can revert some of this, but not all of it. In order for for the pre-build hooks to install packages we have to remove the --user
flag when hooks are present. So we can either
- Remove
--user
all the time (cargo executes as root) - Check for pre-build hooks and remove
--user
when they exist (cargo executes as root only when pre-build hooks are specified) - Check for pre-build hooks and remove
--user
when they exist but de-escalate privileges so cargo still runs with the specified UID/GID (what the PR currently does)
I don't have a strong opinion which of them to use - but whichever one we go with this particular block has to move.
marking as draft as only one target is implemented right now |
I'm happy to get moving on the other targets if we're happy with the implementation. I'm also happy to revert the privilege de escalation first, just need to know what the preference is from your side. |
I think the gid/uid setting is good, there is a reason we allow setting it. |
see my comment on #643 (comment) regarding the "issue" that the image is now centos. |
Been thinking about this some more now, would it make sense to actually not do this, and just use the technique in #678 and hook into a dockerfile passed to stdin to
This way we can even support custom images, and we get a cache |
This is a great feature! |
Closed since it has been superseded by #678. |
This PR addresses #565 and hopefully a number of the open issues about the lack of openssl in the builders. It does add a dependency on gosu which handles lowering the privileges down to user level after the pre-build hooks are run. For now I've only added it to the x86_64-unknown-linux-gnu target for testing pending feedback on it.
I was able to build Cargo successfully with all features with