automatically manage ownership in container to match host

deprecate /root volume, replaced by /workspace new entrypoint script: * creates a user in the container with the same uid and gid of the volume mapped workspace directory, or the --user parameter, and runs the pdk command as that user in the container. With one exception, if the workspace directory is owned by root on the host * support for volume mapping pdk cache to /cache * failure message, if /workspace is not mapped (or writable) * warning message, if /workspace or /cache have owners or permissions that may not work * startup message, if /cache is not mounted in container (performance)
puppetlabs · May 4, 2024 · 698033a · 698033a
1 parent 94a43e5
commit 698033a
Show file tree

Hide file tree

Showing 2 changed files with 74 additions and 1 deletion.
diff --git a/Dockerfile b/Dockerfile
@@ -5,6 +5,11 @@ WORKDIR /root
 ADD install-pdk-release.sh .
 ADD install-onceover.sh .
 ADD pdk-release.env .
+COPY entrypoint.sh /.entrypoint.sh
+
+RUN passwd -d root && \
+ mkdir /cache && \
+ chmod a+rwx /cache
 
 RUN apt-get update && \
  apt-get install -y curl openssh-client && \
@@ -25,4 +30,6 @@ ENV PATH="${PATH}:/opt/puppetlabs/pdk/private/git/bin"
 ENV PDK_DISABLE_ANALYTICS=true
 ENV LANG=C.UTF-8
 
-ENTRYPOINT ["/opt/puppetlabs/pdk/bin/pdk"]
+WORKDIR /workspace
+
+ENTRYPOINT ["/.entrypoint.sh"]
diff --git a/entrypoint.sh b/entrypoint.sh
@@ -0,0 +1,66 @@
+#!/bin/sh
+
+# re-entrant script to support automatically switching to an unprivileged user
+# that matches the ownership of the RUN_VOLUME (see below)
+
+set -e
+
+RUN_USER=pdk
+RUN_VOLUME=/workspace
+
+[ -z "${UID}" ] && UID=$(id -u)
+[ -z "${GID}" ] && GID=$(id -g)
+
+[ "$UID" -ne 0 ] && RUNNING_NON_ROOT=1
+
+# check if required path is mounted
+# check for deprecated /root volume
+if grep -sq " /root " < /proc/mounts ; then
+ [ -z "$ENTRYPOINT_RELOAD" ] && echo >&2 "mounting a volume to /root in the container is deprecated, use /workspace instead"
+ RUN_VOLUME=/root
+elif ! grep -sq " ${RUN_VOLUME} " < /proc/mounts ; then
+ echo >&2 "error: ${RUN_VOLUME} in the container is not mounted." ; exit 1
+fi
+
+create_user() {
+ if [ "$1" -gt 0 ] ; then
+ if [ "$2" -gt 0 ] ; then
+ su - -c "groupadd -g $2 $RUN_USER" 2>/dev/null || true
+ fi
+ su - -c "useradd -d /cache -u $1 -g $2 $RUN_USER ; chown $RUN_USER: /cache ; passwd -d $RUN_USER >/dev/null"
+ fi
+}
+
+# skip if re-running under newly created user
+if [ -z "$ENTRYPOINT_RELOAD" ] ; then
+ if [ -z "$RUNNING_NON_ROOT" ] ; then
+ UID=$(stat -c '%u' "$RUN_VOLUME")
+ GID=$(stat -c '%g' "$RUN_VOLUME")
+ [ "$UID" -eq 0 ] && RUN_USER="root"
+ fi
+ create_user "$UID" "$GID"
+ # re-run with new user
+ exec su - $RUN_USER -c "cd $RUN_VOLUME ; ENTRYPOINT_RELOAD=1 $0 $*"
+ exit
+fi
+
+# sanity check supported volumes
+for volume in ${RUN_VOLUME} /cache ; do
+ if [ ! -w "$volume" ] ; then
+ echo >&2 "error: unable to write to ${volume}. Ensure permissions are correct on the host." ; exit 1
+ fi
+ if ! find "$volume/." -maxdepth 1 -name '.' \( -uid "$UID" -a -perm -u+rw \) -o \( -group "$GID" -a -perm -g+rw \) -exec true {} + ; then
+ echo >&2 "warning: pdk may not function properly with the user/group ownership or permissions on ${volume}."
+ fi
+done
+
+# recommend cache path is mounted
+if ! grep -sq " /cache " < /proc/mounts ; then
+ echo >&2 "mount a volume to /cache in the container to improve performance."
+fi
+
+export PATH="${PATH}:/opt/puppetlabs/pdk/private/git/bin"
+export PDK_DISABLE_ANALYTICS=true
+export LANG=C.UTF-8
+
+exec /opt/puppetlabs/pdk/bin/pdk "$@"