Don't include the uid/gid of the host user in the image

glehmann · glehmann · commit 1f232a5f59ef · 2025-09-10T16:55:29.000+02:00
This way the image is usable by everybody, independantly of its ids.

With docker, we modify the builder user in the entrypoint to match the
uid:gid of the user launching the container, and then continue with
the builder user thanks to gosu.

With podman we use the `--userns` option to map the builder user to
the user on the system. I haven't found a way with podman to use the
same mechanism as in docker, and vis versa.

Signed-off-by: Gaëtan Lehmann &lt;gaetan.lehmann@vates.tech&gt;
diff --git a/src/xcp_ng_dev/build.sh b/src/xcp_ng_dev/build.sh
@@ -67,8 +67,6 @@ fi
 
 cd $(dirname "$0")
 
-CUSTOM_ARGS=()
-
 ALMA_VERSION=
 CENTOS_VERSION=
 case "$1" in
@@ -87,28 +85,8 @@ case "$1" in
         ;;
 esac
 
-CUSTOM_UID="$(id -u)"
-CUSTOM_GID="$(id -g)"
-
-if [ "${CUSTOM_UID}" -eq 0 ] || [ "${CUSTOM_GID}" -eq 0 ]; then
-  if [ -z "${SUDO_GID}" ] || [ -z "${SUDO_UID}" ] || [ -z "${SUDO_USER}" ] || \
-     [ -z "${SUDO_COMMAND}" ] || [ "${SUDO_GID}" -eq 0 ] || [ "${SUDO_UID}" -eq 0 ]; then
-    echo -e "[ERROR] This operation cannot be performed by the 'root' user directly:"
-    echo -e "\tplease use an unprivileged user (eventually with 'sudo')"
-    exit 1
-  fi
-  CUSTOM_UID="${SUDO_UID}"
-  CUSTOM_GID="${SUDO_GID}"
-fi
-
-# Support for seamless use of current host user
-# and Docker user "builder" inside the image
-CUSTOM_ARGS+=( "--build-arg" "CUSTOM_BUILDER_UID=${CUSTOM_UID}" )
-CUSTOM_ARGS+=( "--build-arg" "CUSTOM_BUILDER_GID=${CUSTOM_GID}" )
-
 "$RUNNER" build \
     --platform "$PLATFORM" \
-    "${CUSTOM_ARGS[@]}" \
     -t ghcr.io/xcp-ng/xcp-ng-build-env:${1} \
     --build-arg XCP_NG_BRANCH=${1} \
     --ulimit nofile=1024 \
diff --git a/src/xcp_ng_dev/cli.py b/src/xcp_ng_dev/cli.py
@@ -144,11 +144,17 @@ def buildparser():
     return parser
 
 def container(args):
-    docker_args = [RUNNER, "run", "-i", "-t",
-                   "-u", "builder",
-                   ]
+    docker_args = [RUNNER, "run", "-i", "-t"]
+
     if is_podman(RUNNER):
-        docker_args += ["--userns=keep-id", "--security-opt", "label=disable"]
+        # With podman we use the `--userns` option to map the builder user to the user on the system.
+        # The container will start with that user and not as root as with docker
+        docker_args += ["--userns=keep-id:uid=1000,gid=1000", "--security-opt", "label=disable"]
+    else:
+        # With docker, the container starts as root and modify the builder user in the entrypoint to
+        # match the uid:gid of the user launching the container, and then continue with the builder
+        # user thanks to gosu.
+        docker_args += ["-e", f'BUILDER_UID={os.getuid()}', "-e", f'BUILDER_GID={os.getgid()}']
 
     # common args
     if args.no_exit:
diff --git a/src/xcp_ng_dev/files/Dockerfile-8.x b/src/xcp_ng_dev/files/Dockerfile-8.x
@@ -2,22 +2,19 @@ ARG     CENTOS_VERSION=7.5.1804
 
 FROM    centos:${CENTOS_VERSION}
 
-ARG     CUSTOM_BUILDER_UID=""
-ARG     CUSTOM_BUILDER_GID=""
-
 # Remove all repositories
 RUN     rm /etc/yum.repos.d/*
 
 # Add only the specific CentOS 7.5 repositories, because that's what XS used for the majority of packages
 ARG     CENTOS_VERSION
 COPY    files/CentOS-Vault.repo.in /etc/yum.repos.d/CentOS-Vault-7.5.repo
-RUN     sed -e "s/@CENTOS_VERSION@/${CENTOS_VERSION}/g" -i /etc/yum.repos.d/CentOS-Vault-7.5.repo
+RUN     sed -i -e "s/@CENTOS_VERSION@/${CENTOS_VERSION}/g" /etc/yum.repos.d/CentOS-Vault-7.5.repo
 
 # Add our repositories
 # Repository file depends on the target version of XCP-ng, and is pre-processed by build.sh
 ARG     XCP_NG_BRANCH=8.3
 COPY    files/xcp-ng.repo.8.x.in /etc/yum.repos.d/xcp-ng.repo
-RUN     sed -e "s/@XCP_NG_BRANCH@/${XCP_NG_BRANCH}/g" -i /etc/yum.repos.d/xcp-ng.repo
+RUN     sed -i -e "s/@XCP_NG_BRANCH@/${XCP_NG_BRANCH}/g" /etc/yum.repos.d/xcp-ng.repo
 
 # Install GPG key
 RUN     curl -sSf https://xcp-ng.org/RPM-GPG-KEY-xcpng -o /etc/pki/rpm-gpg/RPM-GPG-KEY-xcpng
@@ -58,23 +55,18 @@ RUN     yum clean all
 # OCaml in XS may be older than in CentOS
 RUN     sed -i "/gpgkey/a exclude=ocaml*" /etc/yum.repos.d/Cent* /etc/yum.repos.d/epel*
 
-# Set up the builder user
-RUN     bash -c ' \
-            OPTS=(); \
-            if [ -n "${CUSTOM_BUILDER_UID}" ]; then \
-                OPTS+=("-u" "${CUSTOM_BUILDER_UID}"); \
-            fi; \
-            if [ -n "${CUSTOM_BUILDER_GID}" ]; then \
-                OPTS+=("-g" "${CUSTOM_BUILDER_GID}"); \
-                if ! getent group "${CUSTOM_BUILDER_GID}" >/dev/null; then \
-                    groupadd -g "${CUSTOM_BUILDER_GID}" builder; \
-                fi; \
-            fi; \
-            useradd "${OPTS[@]}" builder; \
-        ' \
+# create the builder user
+RUN     groupadd -g 1000 builder \
+        && useradd -u 1000 -g 1000 builder \
         && echo "builder:builder" | chpasswd \
         && echo "builder ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
 
 RUN     mkdir -p /usr/local/bin
+RUN     curl -fsSL "https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64" -o /usr/local/bin/gosu \
+        && chmod +x /usr/local/bin/gosu
 COPY    files/init-container.sh /usr/local/bin/init-container.sh
-COPY    files/rpmmacros /home/builder/.rpmmacros
+COPY    files/entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY    --chown=builder:builder files/rpmmacros /home/builder/.rpmmacros
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["bash"]
diff --git a/src/xcp_ng_dev/files/Dockerfile-9.x b/src/xcp_ng_dev/files/Dockerfile-9.x
@@ -1,8 +1,5 @@
 FROM    ghcr.io/almalinux/10-base:10.0
 
-ARG     CUSTOM_BUILDER_UID=""
-ARG     CUSTOM_BUILDER_GID=""
-
 # Add our repositories
 # temporary bootstrap repository
 COPY    files/xcp-ng-8.99.repo /etc/yum.repos.d/xcp-ng.repo
@@ -55,25 +52,19 @@ RUN     dnf config-manager --enable crb
 # workaround sudo not working (e.g. in podman 4.9.3 in Ubuntu 24.04)
 RUN     chmod 0400 /etc/shadow
 
-# Set up the builder user
-RUN     bash -c ' \
-            OPTS=(); \
-            if [ -n "${CUSTOM_BUILDER_UID}" ]; then \
-                OPTS+=("-u" "${CUSTOM_BUILDER_UID}"); \
-            fi; \
-            if [ -n "${CUSTOM_BUILDER_GID}" ]; then \
-                OPTS+=("-g" "${CUSTOM_BUILDER_GID}"); \
-                if ! getent group "${CUSTOM_BUILDER_GID}" >/dev/null; then \
-                    groupadd -g "${CUSTOM_BUILDER_GID}" builder; \
-                fi; \
-            fi; \
-            useradd "${OPTS[@]}" builder; \
-        ' \
+# create the builder user
+RUN     groupadd -g 1000 builder \
+        && useradd -u 1000 -g 1000 builder \
         && echo "builder:builder" | chpasswd \
         && echo "builder ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
 
 RUN     mkdir -p /usr/local/bin
+RUN     curl -fsSL "https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64" -o /usr/local/bin/gosu \
+        && chmod +x /usr/local/bin/gosu
 COPY    files/init-container.sh /usr/local/bin/init-container.sh
-
+COPY    files/entrypoint.sh /usr/local/bin/entrypoint.sh
 # FIXME: check it we really need any of this
-# COPY    files/rpmmacros /home/builder/.rpmmacros
+# COPY    --chown=builder:builder files/rpmmacros /home/builder/.rpmmacros
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["bash"]
diff --git a/src/xcp_ng_dev/files/entrypoint.sh b/src/xcp_ng_dev/files/entrypoint.sh
@@ -0,0 +1,23 @@
+#!/usr/bin/env bash
+
+set -e
+if [ -n "${SCRIPT_DEBUG}" ]; then
+    set -x
+fi
+
+if [ "${BUILDER_UID}" ]; then
+    # BUILDER_UID is defined, update the builder ids, and continue with the builder user
+    if [ "${BUILDER_GID}" != "1000" ]; then
+        groupmod -g "${BUILDER_GID}" builder
+    fi
+    if [ "${BUILDER_UID}" != "1000" ]; then
+        usermod -u "${BUILDER_UID}" -g "${BUILDER_GID}" builder
+    fi
+    find ~builder -maxdepth 1 -type f | xargs chown builder:builder
+    # use gosu to switch user to make the command run the root process and properly
+    # deal with signals
+    exec /usr/local/bin/gosu builder "$@"
+else
+    # no BUILDER_ID, just continue as the current user
+    exec "$@"
+fi
