From 4ebf00e102c17a082a0de23e26be9b7dfd6802cb Mon Sep 17 00:00:00 2001 From: Philipp Strube Date: Wed, 6 May 2020 13:13:59 +0200 Subject: [PATCH] Handle root -> user differently Previously the container was started already as non-root. The purpose of this is to have files created under the mounted volume match the outside user's user and group id. Using this approach ssh would complain that a user with the outside uid and gid did not actually exist inside the container. So libnss_wrapper was used to fake the user. This "magic" approach was from a previous Openshift documentation, but has since been removed there aswell. Further, to be able to talk to the mounted Docker socket for the local lab this approach did not work because non-root users can't change their own groups. This change creates a user and its groups correctly matching the host system user and group ids as root. It then executes the auth helpers and final command using this newly created user. --- .github/workflows/main.yml | 3 -- oci/Dockerfile | 3 +- oci/entrypoint | 69 ++++++-------------------------------- oci/entrypoint_user | 65 +++++++++++++++++++++++++++++++++++ 4 files changed, 77 insertions(+), 63 deletions(-) create mode 100755 oci/entrypoint_user diff --git a/.github/workflows/main.yml b/.github/workflows/main.yml index ea96ce97..7225fe03 100644 --- a/.github/workflows/main.yml +++ b/.github/workflows/main.yml @@ -106,7 +106,6 @@ jobs: run: | docker run --rm \ -v `pwd`:/infra \ - -u `id -u`:`id -g` \ test-image:${{ github.sha }} \ terraform init @@ -115,7 +114,6 @@ jobs: run: | docker run --rm \ -v `pwd`:/infra \ - -u `id -u`:`id -g` \ test-image:${{ github.sha }} \ terraform workspace new ops @@ -124,7 +122,6 @@ jobs: run: | docker run --rm \ -v `pwd`:/infra \ - -u `id -u`:`id -g` \ test-image:${{ github.sha }} \ terraform validate diff --git a/oci/Dockerfile b/oci/Dockerfile index 2bc6e7d0..624925be 100644 --- a/oci/Dockerfile +++ b/oci/Dockerfile 
@@ -50,7 +50,7 @@ RUN echo "TERRAFORM_PROVIDER_KUSTOMIZE_VERSION: ${TERRAFORM_PROVIDER_KUSTOMIZE_V && mv terraform-provider-kustomization-${TERRAFORM_PROVIDER_KUSTOMIZE_VERSION}-linux-amd64 /opt/bin/terraform-provider-kustomization \ && chmod +x /opt/bin/terraform-provider-kustomization -COPY entrypoint /opt/bin/entrypoint +COPY entrypoint entrypoint_user /opt/bin/ # @@ -144,7 +144,6 @@ RUN apt-get update && apt-get install -y \ wget \ openssh-client \ dnsutils \ - libnss-wrapper \ unzip \ && rm -rf /var/lib/apt/lists/* diff --git a/oci/entrypoint b/oci/entrypoint index d4658bf6..54f6ef03 100755 --- a/oci/entrypoint +++ b/oci/entrypoint 
@@ -1,70 +1,23 @@ #!/bin/sh set -e +uid=$(stat -c '%u' /infra) +gid=$(stat -c '%g' /infra) + # home may be modified from multiple sources # try to normalize before using it in paths below REALHOME=$(realpath $HOME) mkdir -p $REALHOME +chown $uid:$gid $REALHOME -echo "kbst:x:$(id -u):$(id -g):Kubestack User:${REALHOME}:/bin/sh" > /tmp/passwd - -export LD_PRELOAD=libnss_wrapper.so -export NSS_WRAPPER_PASSWD=/tmp/passwd -export NSS_WRAPPER_GROUP=/etc/group - -# -# -# AWS auth -AWS_CONFIG_PATH=$REALHOME/.aws -mkdir -p $AWS_CONFIG_PATH - -# handle base64 encoded AWS crendentials -if [ ! -z "$KBST_AUTH_AWS" ]; then - echo "$KBST_AUTH_AWS" | base64 --decode > $AWS_CONFIG_PATH/credentials - aws sts get-caller-identity -fi - - -# -# -# Azure auth -AZ_CONFIG_PATH=$REALHOME/.azure -mkdir -p $AZ_CONFIG_PATH -touch $AZ_CONFIG_PATH/KBST_AUTH_AZ +echo "kbst:x:${uid}:${gid}:Kubestack User:${REALHOME}:/bin/sh" >> /etc/passwd +echo "kbst:x:${gid}:" >> /etc/group -# handle base64 encoded AZ crendentials -if [ ! -z "$KBST_AUTH_AZ" ]; then - echo "$KBST_AUTH_AZ" | base64 --decode > $AZ_CONFIG_PATH/KBST_AUTH_AZ - . $AZ_CONFIG_PATH/KBST_AUTH_AZ - az login --service-principal --username $ARM_CLIENT_ID --password $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID +# if docker.sock is mounted, add our user to the socket's group +if test -S "/var/run/docker.sock"; then + echo "docker:x:$(stat -c '%g' /var/run/docker.sock):kbst" >> /etc/group fi -# always source and export the ARM_ env variables -# required by the azurerm Terraform provider -. $AZ_CONFIG_PATH/KBST_AUTH_AZ -export ARM_ACCESS_KEY -export ARM_CLIENT_ID -export ARM_CLIENT_SECRET -export ARM_SUBSCRIPTION_ID -export ARM_TENANT_ID - - -# -# -# Gcloud auth -GCLOUD_CONFIG_PATH=$REALHOME/.config/gcloud -mkdir -p $GCLOUD_CONFIG_PATH - -# handle base64 encoded GCLOUD crendentials -if [ ! 
-z "$KBST_AUTH_GCLOUD" ]; then - echo "$KBST_AUTH_GCLOUD" | base64 --decode > $GCLOUD_CONFIG_PATH/application_default_credentials.json - gcloud auth activate-service-account --key-file $GCLOUD_CONFIG_PATH/application_default_credentials.json -fi - -# do not have KBST_AUTH_* env vars set in runtime env -unset KBST_AUTH_AWS -unset KBST_AUTH_AZ -unset KBST_AUTH_GCLOUD - -exec "$@" +# stop running as root to preserve volume mount file ownership +exec runuser -u kbst -- entrypoint_user "$@" diff --git a/oci/entrypoint_user b/oci/entrypoint_user new file mode 100755 index 00000000..6e3ab871 --- /dev/null +++ b/oci/entrypoint_user 
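Review bot: The root-side script trusts the owner of /infra unconditionally: when the mount is root-owned (uid 0, which can happen with some bind-mount setups), `echo "kbst:x:${uid}:${gid}:Kubestack User:${REALHOME}:/bin/sh" >> /etc/passwd` appends a second uid-0 account and `exec runuser -u kbst -- entrypoint_user "$@"` keeps running as root despite the "stop running as root" comment above it. The docker.sock branch has the same shape: a socket with gid 0 adds `kbst` to a gid-0 group named `docker`, and nothing checks whether `$uid`/`$gid` are already taken in /etc/passwd or /etc/group. A guard before the passwd/group writes, `if [ "$uid" -eq 0 ]; then echo "refusing to map root-owned /infra to kbst" >&2; exit 1; fi`, makes the case explicit; whether to fail or fall back to a fixed unprivileged uid is a decision the commit message does not settle. Two smaller points: the final exec resolves `entrypoint_user` through PATH, so the absolute path the Dockerfile installs it to is preferable, and `$REALHOME`, `$uid:$gid` and `realpath $HOME` should be quoted.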
@@ -0,0 +1,65 @@
+#!/bin/sh
+set -e
+
+#
+#
+# AWS auth
+# only if aws cli is installed
+if [ -x "$(command -v aws)" ]; then
+ AWS_CONFIG_PATH=~/.aws
+ mkdir -p $AWS_CONFIG_PATH
+
+ # handle base64 encoded AWS crendentials
+ if [ ! -z "$KBST_AUTH_AWS" ]; then
+ echo "$KBST_AUTH_AWS" | base64 --decode > $AWS_CONFIG_PATH/credentials
+ aws sts get-caller-identity
+ fi
+fi
+
+#
+#
+# Azure auth
+# only if az cli is installed
+if [ -x "$(command -v az)" ]; then
+ AZ_CONFIG_PATH=~/.azure
+ mkdir -p $AZ_CONFIG_PATH
+ touch $AZ_CONFIG_PATH/KBST_AUTH_AZ
+
+ # handle base64 encoded AZ crendentials
+ if [ ! -z "$KBST_AUTH_AZ" ]; then
+ echo "$KBST_AUTH_AZ" | base64 --decode > $AZ_CONFIG_PATH/KBST_AUTH_AZ
+ . $AZ_CONFIG_PATH/KBST_AUTH_AZ
+ az login --service-principal --username $ARM_CLIENT_ID --password $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID
+ fi
+
+ # always source and export the ARM_ env variables
+ # required by the azurerm Terraform provider
+ . $AZ_CONFIG_PATH/KBST_AUTH_AZ
+ export ARM_ACCESS_KEY
+ export ARM_CLIENT_ID
+ export ARM_CLIENT_SECRET
+ export ARM_SUBSCRIPTION_ID
+ export ARM_TENANT_ID
+fi
+
+#
+#
+# Gcloud auth
+# only if az cli is installed
+if [ -x "$(command -v gcloud)" ]; then
+ GCLOUD_CONFIG_PATH=~/.config/gcloud
+ mkdir -p $GCLOUD_CONFIG_PATH
+
+ # handle base64 encoded GCLOUD crendentials
+ if [ ! -z "$KBST_AUTH_GCLOUD" ]; then
+ echo "$KBST_AUTH_GCLOUD" | base64 --decode > $GCLOUD_CONFIG_PATH/application_default_credentials.json
+ gcloud auth activate-service-account --key-file $GCLOUD_CONFIG_PATH/application_default_credentials.json
+ fi
+fi
+
+# do not have KBST_AUTH_* env vars set in runtime env
+unset KBST_AUTH_AWS
+unset KBST_AUTH_AZ
+unset KBST_AUTH_GCLOUD
+
+exec "$@"
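Review bot: The decoded credential files written with `>` in this new script (`$AWS_CONFIG_PATH/credentials`, `$AZ_CONFIG_PATH/KBST_AUTH_AZ`, the gcloud application_default_credentials.json) inherit the process umask, so with a typical default they end up group- and world-readable inside the container; adding `umask 077` right after `set -e` keeps them private to the kbst user. `az login --service-principal --username $ARM_CLIENT_ID --password $ARM_CLIENT_SECRET --tenant $ARM_TENANT_ID` places the client secret on the command line, where it is visible in the process list for the duration of the login; at minimum the variables should be quoted, and it is worth checking whether the installed az cli offers a non-argv way to pass the secret. Note also that `. $AZ_CONFIG_PATH/KBST_AUTH_AZ` executes whatever KBST_AUTH_AZ decodes to as shell, so a comment such as `# KBST_AUTH_AZ is sourced as shell: it must only come from a trusted operator` would make that contract explicit. The comment above the gcloud block, `# only if az cli is installed`, is a copy-paste leftover and should read `# only if gcloud cli is installed`. Style: `[ ! -z "$X" ]` is `[ -n "$X" ]`, and the config path expansions (`$AWS_CONFIG_PATH`, `$AZ_CONFIG_PATH`, `$GCLOUD_CONFIG_PATH`) should be quoted.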