Run the builds as a non-root user

Co-authored-by: medwards <[email protected]>
softprops · Jul 30, 2020 · 197bc16 · 197bc16
1 parent 72ec415
commit 197bc16
Show file tree

Hide file tree

Showing 5 changed files with 47 additions and 26 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -3,7 +3,7 @@ FROM lambci/lambda:build-provided
 ARG RUST_VERSION=stable
 RUN yum install -y jq
 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \
- | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION
+ | CARGO_HOME=/cargo RUSTUP_HOME=/rustup sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION
 ADD build.sh /usr/local/bin/
 VOLUME ["/code"]
 WORKDIR /code

diff --git a/Makefile b/Makefile
@@ -16,8 +16,9 @@ test: build
 
 debug: build
 	@docker run --rm -it \
+		-u $(id -u):$(id -g) \
 		-v ${PWD}:/code \
-		-v ${HOME}/.cargo/registry:/root/.cargo/registry \
-		-v ${HOME}/.cargo/git:/root/.cargo/git  \
+		-v ${HOME}/.cargo/registry:/cargo/registry \
+		-v ${HOME}/.cargo/git:/cargo/git  \
 		--entrypoint=/bin/bash \
-		$(REPO)
+		$(REPO)
diff --git a/README.md b/README.md
@@ -41,22 +41,33 @@ A typical docker run might look like the following.
 
 ```sh
 $ docker run --rm \
+    -u $(id -u):$(id -g) \
     -v ${PWD}:/code \
-    -v ${HOME}/.cargo/registry:/root/.cargo/registry \
-    -v ${HOME}/.cargo/git:/root/.cargo/git \
+    -v ${HOME}/.cargo/registry:/cargo/registry \
+    -v ${HOME}/.cargo/git:/cargo/git \
     softprops/lambda-rust
 ```
-> 💡 The -v (volume mount) flags for `/root/.cargo/{registry,git}` are optional but when supplied, provides a much faster turn around when doing iterative development
+> 💡 The -v (volume mount) flags for `/cargo/{registry,git}` are optional but when supplied, provides a much faster turn around when doing iterative development
+
+Note that `-u $(id -u):$(id -g)` argument is crucial for the container to produce artifacts
+owned by the current host user, otherwise you won't be able to `rm -rf target/lambda`
+or run `cargo update`, because the container will write artifacts owned by `root` docker user
+to `target/lambda` and `./cargo/{registry,git}` dirs which will break your dev and/or ci environment.
+
+You should also ensure that you do have `${HOME}/.cargo/{registry,git}` dirs created
+on your host machine, otherwise docker will create them automatically and assign `root` user
+as an owner for these dirs which is unfortunate...
 
 If you are using Windows, the command above may need to be modified to include
 a `BIN` environment variable set to the name of the binary to be build and packaged
 
-```sh
+```diff
 $ docker run --rm \
-    -e BIN={your-binary-name} \
+    -u $(id -u):$(id -g) \
++   -e BIN={your-binary-name} \
     -v ${PWD}:/code \
-    -v ${HOME}/.cargo/registry:/root/.cargo/registry \
-    -v ${HOME}/.cargo/git:/root/.cargo/git \
+    -v ${HOME}/.cargo/registry:/cargo/registry \
+    -v ${HOME}/.cargo/git:/cargo/git \
     softprops/lambda-rust
 ```
 
@@ -65,10 +76,11 @@ This can be especially useful when using path dependencies for local crates.
 
 ```sh
 $ docker run --rm \
+    -u $(id -u):$(id -g) \
     -v ${PWD}/lambdas/mylambda:/code/lambdas/mylambda \
     -v ${PWD}/libs/mylib:/code/libs/mylib \
-    -v ${HOME}/.cargo/registry:/root/.cargo/registry \
-    -v ${HOME}/.cargo/git:/root/.cargo/git \
+    -v ${HOME}/.cargo/registry:/cargo/registry \
+    -v ${HOME}/.cargo/git:/cargo/git \
     -w /code/lambdas/mylambda \
     softprops/lambda-rust
 ```
@@ -102,11 +114,12 @@ You can then invoke this bootstap executable with the lambda-ci docker image for
 # Build your function skipping the zip creation step
 # You may pass `-e PROFILE=dev` to build using dev profile, but here we use `release`
 docker run \
+    -u $(id -u):$(id -g) \
     -e PACKAGE=false \
     -e BIN={your-binary-name} \
     -v ${PWD}:/code \
-    -v ${HOME}/.cargo/registry:/root/.cargo/registry \
-    -v ${HOME}/.cargo/git:/root/.cargo/git \
+    -v ${HOME}/.cargo/registry:/cargo/registry \
+    -v ${HOME}/.cargo/git:/cargo/git \
     softprops/lambda-rust
 
 # start a one-off docker container replicating the "provided" lambda runtime

diff --git a/build.sh b/build.sh
@@ -12,6 +12,9 @@ mkdir -p target/lambda
 export PROFILE=${PROFILE:-release}
 export PACKAGE=${PACKAGE:-true}
 export DEBUGINFO=${DEBUGINFO}
+export CARGO_HOME="/cargo"
+export RUSTUP_HOME="/rustup"
+
 # cargo uses different names for target
 # of its build profiles
 if [[ "${PROFILE}" == "release" ]]; then
@@ -32,7 +35,7 @@ export CARGO_TARGET_DIR=$PWD/target/lambda
     fi
 
     # source cargo
-    . $HOME/.cargo/env
+    . $CARGO_HOME/env
 
     CARGO_BIN_ARG="" && [[ -n "$BIN" ]] && CARGO_BIN_ARG="--bin ${BIN}"
 
@@ -77,7 +80,7 @@ function package() {
 
 cd "${CARGO_TARGET_DIR}/${TARGET_PROFILE}"
 (
-    . $HOME/.cargo/env
+    . $CARGO_HOME/env
     if [ -z "$BIN" ]; then
         IFS=$'\n'
         for executable in $(cargo metadata --no-deps --format-version=1 | jq -r '.packages[] | .targets[] | select(.kind[] | contains("bin")) | .name'); do

diff --git a/tests/test.sh b/tests/test.sh
@@ -12,10 +12,11 @@ source "${HERE}"/bashtest.sh
 package_bin() {
     rm -rf target/lambda/release > /dev/null 2>&1
     docker run --rm \
+    -u $(id -u):$(id -g) \
     -e BIN="$1" \
     -v "${PWD}":/code \
-    -v "${HOME}"/.cargo/registry:/root/.cargo/registry \
-    -v "${HOME}"/.cargo/git:/root/.cargo/git \
+    -v "${HOME}"/.cargo/registry:/cargo/registry \
+    -v "${HOME}"/.cargo/git:/cargo/git \
     ${IMAGE} && \
     ls target/lambda/release/"${1}".zip > /dev/null 2>&1 &&
     ls target/lambda/release/output/"${1}"/bootstrap 2>&1 &&
@@ -26,9 +27,10 @@ package_bin() {
 package_all() {
     rm -rf target/lambda/release > /dev/null 2>&1
     docker run --rm \
+    -u $(id -u):$(id -g) \
     -v "${PWD}":/code \
-    -v "${HOME}"/.cargo/registry:/root/.cargo/registry \
-    -v "${HOME}"/.cargo/git:/root/.cargo/git \
+    -v "${HOME}"/.cargo/registry:/cargo/registry \
+    -v "${HOME}"/.cargo/git:/cargo/git \
     ${IMAGE} && \
     ls target/lambda/release/"${1}".zip > /dev/null 2>&1 &&
     ls target/lambda/release/output/"${1}"/bootstrap 2>&1 &&
@@ -39,10 +41,11 @@ package_all() {
 compile_without_packaging() {
     rm -rf target/lambda/release > /dev/null 2>&1
     docker run --rm \
+    -u $(id -u):$(id -g) \
     -e PACKAGE=false \
     -v "${PWD}":/code \
-    -v "${HOME}"/.cargo/registry:/root/.cargo/registry \
-    -v "${HOME}"/.cargo/git:/root/.cargo/git \
+    -v "${HOME}"/.cargo/registry:/cargo/registry \
+    -v "${HOME}"/.cargo/git:/cargo/git \
     ${IMAGE} &&
     !(ls target/lambda/release/"${1}".zip > /dev/null 2>&1) &&
     ls target/lambda/release/output/"${1}"/bootstrap 2>&1 &&
@@ -53,10 +56,11 @@ compile_without_packaging() {
 package_all_dev_profile() {
     rm -rf target/lambda/debug > /dev/null 2>&1
     docker run --rm \
+    -u $(id -u):$(id -g) \
     -e PROFILE=dev \
     -v "${PWD}":/code \
-    -v "${HOME}"/.cargo/registry:/root/.cargo/registry \
-    -v "${HOME}"/.cargo/git:/root/.cargo/git \
+    -v "${HOME}"/.cargo/registry:/cargo/registry \
+    -v "${HOME}"/.cargo/git:/cargo/git \
     ${IMAGE} && \
     ls target/lambda/debug/"${1}".zip > /dev/null 2>&1 &&
     ls target/lambda/release/output/"${1}"/bootstrap 2>&1 &&
@@ -86,7 +90,7 @@ for project in test-func test-multi-func test-func-with-hooks; do
     rm -f output.log > /dev/null 2>&1
     rm -f test-out.log > /dev/null 2>&1
     rm -rf /tmp/lambda > /dev/null 2>&1
-    unzip -o  \
+    unzip -o \
         target/lambda/release/"${bin_name}".zip \
         -d /tmp/lambda > /dev/null 2>&1 && \
     docker run \