authorChristian Poessinger <christian@poessinger.com>2019-01-11 07:31:05 +0100
committerChristian Poessinger <christian@poessinger.com>2019-01-11 07:33:16 +0100
commit041bc80e71c3c700ff0c01702d9ffd0885d2b75b (patch)
tree5d8e7319a1dfa82da0bd194d70d888712f92360e
parent988a099f98e5cfb1b15d8b2adb45277342ac0304 (diff)
downloadvyos-build-041bc80e71c3c700ff0c01702d9ffd0885d2b75b.tar.gz
vyos-build-041bc80e71c3c700ff0c01702d9ffd0885d2b75b.zip
CI/CD: Improve 'goso' handling for Docker and Jenkins
* Inside the container user can call 'sudo' without password * Added Docker environment variables to control the 'gosu' UID/GID
-rw-r--r--Dockerfile13
-rw-r--r--Jenkinsfile5
-rwxr-xr-xscripts/docker-entrypoint.sh33
3 files changed, 29 insertions, 22 deletions
diff --git a/Dockerfile b/Dockerfile
index 4c66a15a..a76dc8b7 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -123,7 +123,7 @@ RUN apt-get update && apt-get install -y \
liblua5.1-dev
# Packages needed for vyos-frr
-RUN sudo apt-get update && sudo apt-get install -y \
+RUN apt-get update && apt-get install -y \
texinfo \
imagemagick \
groff \
@@ -156,12 +156,9 @@ RUN export LATEST="$(curl -s https://checkpoint-api.hashicorp.com/v1/check/packe
curl -K- | gzip -d > /usr/bin/packer && \
chmod +x /usr/bin/packer
-COPY scripts/docker-entrypoint.sh /usr/local/bin/
-# Create vyos_bld user account and enable sudo
-#RUN useradd -ms /bin/bash -u 1006 --gid users vyos_bld && \
-# usermod -aG sudo vyos_bld && \
-# echo "%sudo ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+# Allow password-less 'sudo' for all users in group 'sudo'
+RUN sed "s/^%sudo.*/%sudo\tALL=(ALL) NOPASSWD:ALL/g" -i /etc/sudoers && \
+ chmod a+s /usr/sbin/useradd /usr/sbin/gosu /usr/sbin/usermod
-#USER vyos_bld
-#WORKDIR /home/vyos_bld
+COPY scripts/docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]
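Review bot: `chmod a+s /usr/sbin/useradd /usr/sbin/gosu /usr/sbin/usermod` makes three account-management binaries setuid and setgid for every user, so any process in the container can create or modify accounts and switch to any UID, including 0, without authentication. gosu itself describes a setuid install as insecure and unsupported. The bits look intended to let the entrypoint work when the container is started as a non-root user; starting the container as root and letting the entrypoint drop privileges with `exec gosu` would make the `chmod` line unnecessary. If the NOPASSWD rule stays, a drop-in under `/etc/sudoers.d` checked with `visudo -c` is safer than an in-place `sed` on `/etc/sudoers`, and a comment such as `# build-only image: every user is effectively root, do not reuse as a runtime base` would record the trade-off.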
diff --git a/Jenkinsfile b/Jenkinsfile
index 611777cc..3406e606 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -21,7 +21,7 @@ pipeline {
dockerfile {
filename 'Dockerfile'
label 'jessie-amd64'
- args '--privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0'
+ args '--privileged --sysctl net.ipv6.conf.lo.disable_ipv6=0 -e GOSU_UID=1006 -e GOSU_GID=1006'
}
}
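Review bot: The literal `1006` in `-e GOSU_UID=1006 -e GOSU_GID=1006` is unexplained on the new side. It matches the `useradd -u 1006` comment this commit removes from the Dockerfile, so it is presumably the build agent's account, but that link is now lost. A comment above `args`, for example `// 1006 = UID/GID of the Jenkins agent user that owns the workspace (confirm)`, would keep the value from drifting when the agent changes. The entrypoint already falls back to the owner of the working directory when these variables are unset, so the override may not be needed at all. The enclosing pipeline block starts above this hunk.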
@@ -44,8 +44,7 @@ pipeline {
sh '''
#!/bin/sh
./configure --build-by="autobuild@vyos.net" --debian-mirror="http://ftp.us.debian.org/debian/"
- ls -al
- ls -al packages
+ ls -al packages/*.deb
sudo make iso
'''
}
diff --git a/scripts/docker-entrypoint.sh b/scripts/docker-entrypoint.sh
index 7520a8d9..845cb2ff 100755
--- a/scripts/docker-entrypoint.sh
+++ b/scripts/docker-entrypoint.sh
@@ -1,17 +1,28 @@
#!/bin/bash
-
set -e
-# Use GOSU_USER if its specified, else wirking dir user
-if [ -n "$GOSU_USER" ]; then
- ID=$GOSU_USER
-else
- ID=$(stat -c "%u:%g" .)
+USER_NAME="vyos_bld"
+NEW_UID=$(stat -c "%u" .)
+NEW_GID=$(stat -c "%g" .)
+
+# Change effective UID to the one specified via "-e GOSU_UID=`id -u $USER`"
+if [ -n "$GOSU_UID" ]; then
+ NEW_UID=$GOSU_UID
fi
-# Don't use GOSU if we are root
-if [ ! "$ID" = "0:0" ]; then
- exec gosu $ID "$@"
-else
- exec "$@"
+# Change effective UID to the one specified via "-e GOSU_GID=`id -g $USER`"
+if [ -n "$GOSU_GID" ]; then
+ NEW_GID=$GOSU_GID
fi
+
+# Notify user about selected UID/GID
+echo "Current UID/GID: $NEW_UID/$NEW_GID"
+
+# Create user called "docker" with selected UID
+useradd --shell /bin/bash -u $NEW_UID -g $NEW_GID -o -m $USER_NAME
+usermod -aG sudo $USER_NAME
+sudo chown $NEW_UID:$NEW_GID /home/$USER_NAME
+export HOME=/home/$USER_NAME
+
+# Execute process
+exec /usr/sbin/gosu $USER_NAME "$@"
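Review bot: `GOSU_UID` and `GOSU_GID` come straight from the container environment and reach `useradd` and `sudo chown` unquoted and unchecked, so a non-numeric or space-containing value is word-split into extra arguments for commands that run with root privileges. Both should be validated as plain decimal ids and every expansion quoted. Separately, under `set -e` the unconditional `useradd` aborts the entrypoint when the container is restarted and `vyos_bld` already exists, and `-g` needs a group with that GID to exist already, which nothing in this hunk creates. The comment `Create user called "docker"` and the second `Change effective UID` comment no longer match the code: the user is `vyos_bld`, and the second block sets the GID.

```shell
# … unchanged: USER_NAME and NEW_UID/NEW_GID selection …

# Accept only plain decimal ids before they reach useradd/chown
for id in "$NEW_UID" "$NEW_GID"; do
  case "$id" in
    ''|*[!0-9]*) echo "UID/GID must be numeric, got '$id'" >&2; exit 1 ;;
  esac
done

# Create the build user only once so a restarted container does not abort under 'set -e'
if ! id -u "$USER_NAME" >/dev/null 2>&1; then
  useradd --shell /bin/bash -u "$NEW_UID" -g "$NEW_GID" -o -m "$USER_NAME"
  usermod -aG sudo "$USER_NAME"
fi
sudo chown "$NEW_UID:$NEW_GID" "/home/$USER_NAME"
export HOME="/home/$USER_NAME"

# … unchanged: exec gosu …
```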