Don't include the uid/gid of the final user in the image

This way the image is usable by everybody, independantly of its ids.

With docker, we modify the builder user in the entrypoint to match the
uid:gid of the user launching the container, and then continue with
the builder user thanks to gosu.

With podman we use the `--userns` option to map the builder user to
the user on the system. I haven't found a way with podman to use the
same mechanism as in docker, and vis versa.

Signed-off-by: Gaëtan Lehmann <[email protected]>

Author: glehmann

Dockerfile-7.x

@@ -2,9 +2,6 @@ ARG CENTOS_VERSION=7.2.1511
 
 FROM    centos:${CENTOS_VERSION}
 
-ARG     CUSTOM_BUILDER_UID=""
-ARG     CUSTOM_BUILDER_GID=""
-
 # Remove all repositories
 RUN     rm /etc/yum.repos.d/*
 
@@ -55,24 +52,18 @@ RUN     yum clean all
 # OCaml in XS is slightly older than in CentOS
 RUN     sed -i "/gpgkey/a exclude=ocaml*" /etc/yum.repos.d/Cent* /etc/yum.repos.d/epel*
 
-# Set up the builder user
-RUN     bash -c ' \
-            OPTS=(); \
-            if [ -n "${CUSTOM_BUILDER_UID}" ]; then \
-                OPTS+=("-u" "${CUSTOM_BUILDER_UID}"); \
-            fi; \
-            if [ -n "${CUSTOM_BUILDER_GID}" ]; then \
-                OPTS+=("-g" "${CUSTOM_BUILDER_GID}"); \
-                if ! getent group "${CUSTOM_BUILDER_GID}" >/dev/null; then \
-                    groupadd -g "${CUSTOM_BUILDER_GID}" builder; \
-                fi; \
-            fi; \
-            useradd "${OPTS[@]}" builder; \
-        ' \
+# create the builder user
+RUN     groupadd -g 1000 builder \
+        && useradd -u 1000 -g 1000 builder \
         && echo "builder:builder" | chpasswd \
-        && echo "builder ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers \
-        && usermod -G mock builder
+        && echo "builder ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
 
 RUN     mkdir -p /usr/local/bin
+RUN     curl -fsSL "https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64" -o /usr/local/bin/gosu \
+        && chmod +x /usr/local/bin/gosu
 COPY    files/init-container.sh /usr/local/bin/init-container.sh
-COPY    files/rpmmacros /home/builder/.rpmmacros
+COPY    files/entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY    --chown=builder:builder files/rpmmacros /home/builder/.rpmmacros
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["bash"]

Dockerfile-8.x

@@ -2,9 +2,6 @@ ARG CENTOS_VERSION=7.5.1804
 
 FROM    centos:${CENTOS_VERSION}
 
-ARG     CUSTOM_BUILDER_UID=""
-ARG     CUSTOM_BUILDER_GID=""
-
 # Remove all repositories
 RUN     rm /etc/yum.repos.d/*
 
@@ -58,23 +55,18 @@ RUN     yum clean all
 # OCaml in XS may be older than in CentOS
 RUN     sed -i "/gpgkey/a exclude=ocaml*" /etc/yum.repos.d/Cent* /etc/yum.repos.d/epel*
 
-# Set up the builder user
-RUN     bash -c ' \
-            OPTS=(); \
-            if [ -n "${CUSTOM_BUILDER_UID}" ]; then \
-                OPTS+=("-u" "${CUSTOM_BUILDER_UID}"); \
-            fi; \
-            if [ -n "${CUSTOM_BUILDER_GID}" ]; then \
-                OPTS+=("-g" "${CUSTOM_BUILDER_GID}"); \
-                if ! getent group "${CUSTOM_BUILDER_GID}" >/dev/null; then \
-                    groupadd -g "${CUSTOM_BUILDER_GID}" builder; \
-                fi; \
-            fi; \
-            useradd "${OPTS[@]}" builder; \
-        ' \
+# create the builder user
+RUN     groupadd -g 1000 builder \
+        && useradd -u 1000 -g 1000 builder \
         && echo "builder:builder" | chpasswd \
         && echo "builder ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
 
 RUN     mkdir -p /usr/local/bin
+RUN     curl -fsSL "https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64" -o /usr/local/bin/gosu \
+        && chmod +x /usr/local/bin/gosu
 COPY    files/init-container.sh /usr/local/bin/init-container.sh
-COPY    files/rpmmacros /home/builder/.rpmmacros
+COPY    files/entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY    --chown=builder:builder files/rpmmacros /home/builder/.rpmmacros
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["bash"]

Dockerfile-9.x

@@ -1,8 +1,5 @@
 FROM    ghcr.io/almalinux/10-base:10.0
 
-ARG     CUSTOM_BUILDER_UID=""
-ARG     CUSTOM_BUILDER_GID=""
-
 # Add our repositories
 # temporary bootstrap repository
 COPY    files/xcp-ng-8.99.repo /etc/yum.repos.d/xcp-ng.repo
@@ -49,25 +46,19 @@ RUN     dnf install -y \
             xcp-ng-release \
             xcp-ng-release-presets
 
-# Set up the builder user
-RUN     bash -c ' \
-            OPTS=(); \
-            if [ -n "${CUSTOM_BUILDER_UID}" ]; then \
-                OPTS+=("-u" "${CUSTOM_BUILDER_UID}"); \
-            fi; \
-            if [ -n "${CUSTOM_BUILDER_GID}" ]; then \
-                OPTS+=("-g" "${CUSTOM_BUILDER_GID}"); \
-                if ! getent group "${CUSTOM_BUILDER_GID}" >/dev/null; then \
-                    groupadd -g "${CUSTOM_BUILDER_GID}" builder; \
-                fi; \
-            fi; \
-            useradd "${OPTS[@]}" builder; \
-        ' \
+# create the builder user
+RUN     groupadd -g 1000 builder \
+        && useradd -u 1000 -g 1000 builder \
         && echo "builder:builder" | chpasswd \
         && echo "builder ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
 
 RUN     mkdir -p /usr/local/bin
+RUN     curl -fsSL "https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64" -o /usr/local/bin/gosu \
+        && chmod +x /usr/local/bin/gosu
 COPY    files/init-container.sh /usr/local/bin/init-container.sh
-
+COPY    files/entrypoint.sh /usr/local/bin/entrypoint.sh
 # FIXME: check it we really need any of this
-# COPY    files/rpmmacros /home/builder/.rpmmacros
+# COPY    --chown=builder:builder files/rpmmacros /home/builder/.rpmmacros
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["bash"]

build.sh

@@ -89,25 +89,6 @@ case "$1" in
         ;;
 esac
 
-CUSTOM_UID="$(id -u)"
-CUSTOM_GID="$(id -g)"
-
-if [ "${CUSTOM_UID}" -eq 0 ] || [ "${CUSTOM_GID}" -eq 0 ]; then
-  if [ -z "${SUDO_GID}" ] || [ -z "${SUDO_UID}" ] || [ -z "${SUDO_USER}" ] || \
-     [ -z "${SUDO_COMMAND}" ] || [ "${SUDO_GID}" -eq 0 ] || [ "${SUDO_UID}" -eq 0 ]; then
-    echo -e "[ERROR] This operation cannot be performed by the 'root' user directly:"
-    echo -e "\tplease use an unprivileged user (eventually with 'sudo')"
-    exit 1
-  fi
-  CUSTOM_UID="${SUDO_UID}"
-  CUSTOM_GID="${SUDO_GID}"
-fi
-
-# Support for seamless use of current host user
-# and Docker user "builder" inside the image
-CUSTOM_ARGS+=( "--build-arg" "CUSTOM_BUILDER_UID=${CUSTOM_UID}" )
-CUSTOM_ARGS+=( "--build-arg" "CUSTOM_BUILDER_GID=${CUSTOM_GID}" )
-
 "$RUNNER" build \
     --platform "$PLATFORM" \
     "${CUSTOM_ARGS[@]}" \

files/entrypoint.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -e
+if [ -n "${SCRIPT_DEBUG}" ]; then
+    set -x
+fi
+
+if [ "${BUILDER_ID}" ]; then
+    # BUILDER_ID is defined, update the builder ids, and continue with the builder user
+    if [ "${BUILDER_ID}" != "1000:1000" ]; then
+        uid=$(echo "$BUILDER_ID" | awk -F':' '{print $1}')
+        gid=$(echo "$BUILDER_ID" | awk -F':' '{print $2}')
+        groupmod -g "${gid}" builder
+        usermod -u "${uid}" -g "${gid}" builder
+        find ~builder -maxdepth 1 -type f | xargs chown builder:builder
+    fi
+    exec /usr/local/bin/gosu builder "$@"
+else
+    # no BUILDER_ID, just continue as the current user
+    exec "$@"
+fi

run.py

@@ -102,11 +102,13 @@ def main():
     docker_arch = args.platform or ("linux/amd64/v2" if branch == "9.0" else "linux/amd64")
 
     docker_args = [RUNNER, "run", "-i", "-t",
-                   "-u", "builder",
                    "--platform", docker_arch,
                    ]
     if is_podman(RUNNER):
-        docker_args += ["--userns=keep-id"]
+        docker_args += [f"--userns=keep-id:uid=1000,gid=1000"]
+    else:
+        docker_args += ["-e", f'BUILDER_ID={os.getuid()}:{os.getgid()}']
+
     if args.rm:
         docker_args += ["--rm=true"]