Support for specifying the runner user.

maleadt · maleadt · commit 5c96587e6a8e · 2020-12-04T18:06:27.000+01:00
diff --git a/runner/Dockerfile.arch b/runner/Dockerfile.arch
@@ -12,14 +12,7 @@ RUN pacman -Suy --noconfirm --needed \
     # clean-up
     && find /var/cache/pacman/ -type f -delete
 
-RUN useradd --create-home --shell /bin/bash --groups wheel pkgeval && \
-    echo '%wheel ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
-
-RUN mkdir /storage /cache && \
-    chown pkgeval /storage /cache
-
-WORKDIR /home/pkgeval
-USER pkgeval
+RUN mkdir /storage /cache
 
 COPY ./entrypoint.sh /
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/runner/Dockerfile.ubuntu b/runner/Dockerfile.ubuntu
@@ -14,14 +14,7 @@ RUN apt-get update && apt-get install --no-install-recommends -y \
     # clean-up
     && rm -rf /var/lib/apt/lists/*
 
-RUN useradd --create-home --shell /bin/bash --groups sudo pkgeval && \
-    echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
-
-RUN mkdir /storage /cache && \
-    chown pkgeval /storage /cache
-
-WORKDIR /home/pkgeval
-USER pkgeval
+RUN mkdir /storage /cache
 
 COPY ./entrypoint.sh /
 ENTRYPOINT ["/entrypoint.sh"]
diff --git a/runner/entrypoint.sh b/runner/entrypoint.sh
@@ -1,23 +1,40 @@
 #!/bin/bash -ue
 
-DEPOT=$1
-shift
 
-mkdir $DEPOT
+# prepare the user
 
-mkdir -p /storage/artifacts
-ln -s /storage/artifacts $DEPOT/artifacts
+USER=$1
+USER_ID=$2
+GROUP=$3
+GROUP_ID=$4
+shift 4
+
+groupadd --gid $GROUP_ID $GROUP
+echo "$GROUP ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+
+useradd --uid $USER_ID --gid $GROUP_ID --shell /bin/bash --no-create-home --no-user-group $USER
+# manual home creation because it might be mounted tmpfs already
+mkdir -p /home/$USER
+chown $USER:$GROUP /home/$USER
+
+# make the storage and cache writable, in case we didn't mount one
+chown $USER /storage /cache
 
-# allow identification of PkgEal
-export CI=true
-export PKGEVAL=true
-export JULIA_PKGEVAL=true
 
-# disable system discovery of Python and R
-export PYTHON=""
-export R_HOME="*"
+# prepare the depot
+
+mkdir /home/$USER/.julia
+chown $USER:$GROUP /home/$USER/.julia
+
+mkdir -p /storage/artifacts
+ln -s /storage/artifacts /home/$USER/.julia/artifacts
+
 
-# no automatic precompilation
-export JULIA_PKG_PRECOMPILE_AUTO=0
+# run the command
 
-exec "$@"
+cd /home/$USER
+sudo --user $USER --set-home \
+    CI=true PKGEVAL=true JULIA_PKGEVAL=true \
+    JULIA_PKG_PRECOMPILE_AUTO=0 \
+    PYTHON="" R_HOME="*" \
+    -- "$@"
diff --git a/src/run.jl b/src/run.jl
@@ -42,9 +42,9 @@ end
 function runner_sandboxed_julia(install::String, args=``; interactive=true, tty=true,
                                 name=nothing, cpus::Vector{Int}=Int[], tmpfs::Bool=true,
                                 storage=nothing, cache=nothing, sysimage=nothing,
-                                depot="/home/pkgeval/.julia", install_dir="/opt/julia",
                                 xvfb::Bool=true, init::Bool=true,
-                                runner="ubuntu")
+                                runner="ubuntu", user="pkgeval", group="pkgeval",
+                                install_dir="/opt/julia")
     ## Docker args
 
     cmd = `docker run --rm`
@@ -61,7 +61,7 @@ function runner_sandboxed_julia(install::String, args=``; interactive=true, tty=
     @assert isdir(registry_path)
     cmd = ```$cmd --mount type=bind,source=$julia_path,target=$install_dir,readonly
                   --mount type=bind,source=$registry_path,target=/usr/local/share/julia/registries,readonly
-                  --env JULIA_DEPOT_PATH="$depot:/usr/local/share/julia"
+                  --env JULIA_DEPOT_PATH="::/usr/local/share/julia"
                   --env JULIA_PKG_SERVER
           ```
 
@@ -75,10 +75,7 @@ function runner_sandboxed_julia(install::String, args=``; interactive=true, tty=
 
     # mount working directory in tmpfs
     if tmpfs
-        cmd = `$cmd --tmpfs /home/pkgeval:exec,uid=1000,gid=1000`
-        # FIXME: tmpfs mounts don't copy uid/gid back, so we need to correct this manually
-        #        https://github.com/opencontainers/runc/issues/1647
-        # FIXME: this also breaks mounting artifacts in the depot directly
+        cmd = `$cmd --tmpfs /home/$user:exec`
     end
 
     # restrict resource usage
@@ -105,16 +102,32 @@ function runner_sandboxed_julia(install::String, args=``; interactive=true, tty=
     cmd = `$cmd newpkgeval:$runner`
 
 
+    ## Entrypoint script args
+
+    # use the current user and group ID to ensure cache and storage are writable
+    uid = ccall(:getuid, Cint, ())
+    gid = ccall(:getgid, Cint, ())
+    if uid < 1000 || gid < 1000
+        # system ids might conflict with groups/users in the container
+        @warn "You are running PkgEval as a system user (with id $uid:$gid); this is not compatible with the container set-up.
+               I will be using id 1000:1000, but that means the cache and storage on the host file system will not be owned by you."
+        uid = 1000
+        gid = 1000
+    end
+
+    cmd = `$cmd $user $uid $group $gid`
+
+
     ## Julia args
 
     if sysimage !== nothing
         args = `--sysimage=$sysimage $args`
     end
 
     if xvfb
-        `$cmd $depot xvfb-run $install_dir/bin/julia $args`
+        `$cmd xvfb-run $install_dir/bin/julia $args`
     else
-        `$cmd $depot $install_dir/bin/julia $args`
+        `$cmd $install_dir/bin/julia $args`
     end
 end
 
@@ -443,7 +456,7 @@ function run_compiled_test(install::String, pkg; compile_time_limit=30*60, cache
     # in another path, etc)
     return run_sandboxed_test(install, pkg; runner="arch",
                               cache=cache, sysimage=sysimage_path,
-                              depot="/home/pkgeval/.another_julia",
+                              user="user", group="group",
                               install_dir="/usr/local/julia", kwargs...)
 end
 
@@ -495,15 +508,6 @@ function run(configs::Vector{Configuration}, pkgs::Vector;
     storage = storage_dir()
     mkpath(storage)
 
-    # make sure data is writable
-    for (config, (install,cache)) in instantiated_configs
-        Base.run(```docker run --mount type=bind,source=$storage,target=/storage
-                               --mount type=bind,source=$cache,target=/cache
-                               --entrypoint=''
-                               newpkgeval:ubuntu
-                               sudo chown -R pkgeval:pkgeval /storage /cache```)
-    end
-
     # ensure we can use Docker's API
     info = let
         docker = connect("/var/run/docker.sock")
@@ -737,12 +741,6 @@ function run(configs::Vector{Configuration}, pkgs::Vector;
         # clean-up
         for (config, (install,cache)) in instantiated_configs
             rm(install; recursive=true)
-            uid = ccall(:getuid, Cint, ())
-            gid = ccall(:getgid, Cint, ())
-            Base.run(```docker run --mount type=bind,source=$cache,target=/cache
-                                   --entrypoint=''
-                                   newpkgeval:ubuntu
-                                   sudo chown -R $uid:$gid /cache```)
             rm(cache; recursive=true)
         end
     end
