Arbitrary user ID is comming $HOME

Fixes packit#85
jpopelka · Nov 24, 2020 · 4b282f7 · 4b282f7
1 parent f98fccd
commit 4b282f7
Show file tree

Hide file tree

Showing 5 changed files with 27 additions and 11 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -4,14 +4,17 @@ FROM docker.io/usercont/base
 
 ENV LC_ALL=C \
     PYTHONDONTWRITEBYTECODE=yes \
-    WORKDIR=/src
+    USER=sandcastle \
+    HOME=/home/sandcastle
 
-WORKDIR ${WORKDIR}
+WORKDIR ${HOME}
+# So the arbitrary user ID can access it.
+RUN chmod g+rw .
 
-COPY files/install-rpm-packages.yaml /src/files/install-rpm-packages.yaml
-RUN ansible-playbook -vv -c local -t basic-image -i localhost, files/install-rpm-packages.yaml \
+COPY files/install-rpm-packages.yaml ./
+RUN ansible-playbook -vv -c local -t basic-image -i localhost, install-rpm-packages.yaml \
     && dnf clean all
 
-COPY files/container-cmd.sh /src/
+COPY files/container-cmd.sh files/setup_env_in_openshift.sh ./
 # default command is sleep - so users can do .exec(command=[...])
-CMD ["/src/container-cmd.sh"]
+CMD ["./container-cmd.sh"]
diff --git a/Dockerfile.tests b/Dockerfile.tests
@@ -2,11 +2,9 @@
 # The expectation is to create sandbox pods from this one.
 FROM docker.io/usercont/sandcastle
 
-COPY tests/requirements.txt /src/tests/requirements.txt
-# Install packages first and reuse the cache as much as possible
-RUN cd /src/ \
-    && ansible-playbook -vv -c local -t with-sandcastle-deps -i localhost, files/install-rpm-packages.yaml
+COPY tests/requirements.txt ./
+RUN ansible-playbook -vv -c local -t with-sandcastle-deps -i localhost, install-rpm-packages.yaml
 
-COPY . /src/
+COPY . ./
 
 CMD ["make", "check"]
diff --git a/files/container-cmd.sh b/files/container-cmd.sh
@@ -1,4 +1,8 @@
 #!/bin/bash
 
+set -x
+
+source ./setup_env_in_openshift.sh
+
 # 10 minutes is a default timeout for the sandbox pod
 sleep 600
diff --git a/files/install-rpm-packages.yaml b/files/install-rpm-packages.yaml
@@ -44,6 +44,7 @@
           - libarchive-devel
           - rpm-devel
           - audit-libs-devel
+          - nss_wrapper
         state: present
       tags:
         - basic-image

diff --git a/files/setup_env_in_openshift.sh b/files/setup_env_in_openshift.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/bash
+
+set -x
+
+# Generate passwd file based on current uid, needed for fedpkg
+grep -v ^sandcastle /etc/passwd > "${HOME}/passwd"
+printf "sandcastle:x:$(id -u):0:Sandcastle:${HOME}:/bin/bash\n" >> "${HOME}/passwd"
+export LD_PRELOAD=libnss_wrapper.so
+export NSS_WRAPPER_PASSWD="${HOME}/passwd"
+export NSS_WRAPPER_GROUP=/etc/group