From 197bc16b4ca86e10c3c28be32e1629f061e125ec Mon Sep 17 00:00:00 2001 From: Veetaha Date: Thu, 30 Jul 2020 14:32:55 +0300 Subject: [PATCH] Run the builds as a non-root user Co-authored-by: medwards <7339+medwards@users.noreply.github.com> --- Dockerfile | 2 +- Makefile | 7 ++++--- README.md | 35 ++++++++++++++++++++++++----------- build.sh | 7 +++++-- tests/test.sh | 22 +++++++++++++--------- 5 files changed, 47 insertions(+), 26 deletions(-) diff --git a/Dockerfile b/Dockerfile index 4250857..3cd0736 100644 --- a/Dockerfile +++ b/Dockerfile @@ -3,7 +3,7 @@ FROM lambci/lambda:build-provided ARG RUST_VERSION=stable RUN yum install -y jq RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs \ - | sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION + | CARGO_HOME=/cargo RUSTUP_HOME=/rustup sh -s -- -y --profile minimal --default-toolchain $RUST_VERSION ADD build.sh /usr/local/bin/ VOLUME ["/code"] WORKDIR /code diff --git a/Makefile b/Makefile index 4f86bdd..28e7f7b 100644 --- a/Makefile +++ b/Makefile @@ -16,8 +16,9 @@ test: build debug: build @docker run --rm -it \ + -u $(id -u):$(id -g) \ -v ${PWD}:/code \ - -v ${HOME}/.cargo/registry:/root/.cargo/registry \ - -v ${HOME}/.cargo/git:/root/.cargo/git \ + -v ${HOME}/.cargo/registry:/cargo/registry \ + -v ${HOME}/.cargo/git:/cargo/git \ --entrypoint=/bin/bash \ - $(REPO) \ No newline at end of file + $(REPO) diff --git a/README.md b/README.md index 597ccee..a2c2dfe 100644 --- a/README.md +++ b/README.md 
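Review bot: The changed RUN line installs the toolchain into /cargo and /rustup while the image build still runs as root, and nothing in the hunk makes those directories writable by the arbitrary uid the Makefile and README now pass with `-u`. Only /cargo/registry and /cargo/git are bind-mounted from the host; cargo also writes directly under `$CARGO_HOME` (its `.package-cache` lock, for example), so a uid that cannot write to a root-owned /cargo would presumably fail before compiling — worth confirming with a run as a non-root host user. If that is the case, a follow-up step after the install that grants the needed permissions on /cargo (and on /rustup if rustup needs to update its settings) would make the non-root intent of the patch hold; the `$RUST_VERSION` expansion on the same line is unchanged from before and could be quoted while touching it.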
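Review bot: `-u $(id -u):$(id -g)` in the debug recipe is expanded by make, not by the shell: `$(id -u)` is read as a make variable named `id -u`, which is undefined and expands to nothing, so docker receives `-u :`. The dollars need doubling so the substitution reaches the shell, `-u $$(id -u):$$(id -g) \`. The neighbouring `${PWD}` and `${HOME}` references only work because make imports those names from the environment, and `$(REPO)` is a genuine make variable, which is why the rest of the recipe is unaffected.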
@@ -41,22 +41,33 @@ A typical docker run might look like the following. ```sh $ docker run --rm \ + -u $(id -u):$(id -g) \ -v ${PWD}:/code \ - -v ${HOME}/.cargo/registry:/root/.cargo/registry \ - -v ${HOME}/.cargo/git:/root/.cargo/git \ + -v ${HOME}/.cargo/registry:/cargo/registry \ + -v ${HOME}/.cargo/git:/cargo/git \ softprops/lambda-rust ``` -> 💡 The -v (volume mount) flags for `/root/.cargo/{registry,git}` are optional but when supplied, provides a much faster turn around when doing iterative development +> 💡 The -v (volume mount) flags for `/cargo/{registry,git}` are optional but when supplied, provides a much faster turn around when doing iterative development + +Note that `-u $(id -u):$(id -g)` argument is crucial for the container to produce artifacts +owned by the current host user, otherwise you won't be able to `rm -rf target/lambda` +or run `cargo update`, because the container will write artifacts owned by `root` docker user +to `target/lambda` and `./cargo/{registry,git}` dirs which will break your dev and/or ci environment. + +You should also ensure that you do have `${HOME}/.cargo/{registry,git}` dirs created +on your host machine, otherwise docker will create them automatically and assign `root` user +as an owner for these dirs which is unfortunate... If you are using Windows, the command above may need to be modified to include a `BIN` environment variable set to the name of the binary to be build and packaged -```sh +```diff $ docker run --rm \ - -e BIN={your-binary-name} \ + -u $(id -u):$(id -g) \ ++ -e BIN={your-binary-name} \ -v ${PWD}:/code \ - -v ${HOME}/.cargo/registry:/root/.cargo/registry \ - -v ${HOME}/.cargo/git:/root/.cargo/git \ + -v ${HOME}/.cargo/registry:/cargo/registry \ + -v ${HOME}/.cargo/git:/cargo/git \ softprops/lambda-rust ``` 
@@ -65,10 +76,11 @@ This can be especially useful when using path dependencies for local crates. ```sh $ docker run --rm \ + -u $(id -u):$(id -g) \ -v ${PWD}/lambdas/mylambda:/code/lambdas/mylambda \ -v ${PWD}/libs/mylib:/code/libs/mylib \ - -v ${HOME}/.cargo/registry:/root/.cargo/registry \ - -v ${HOME}/.cargo/git:/root/.cargo/git \ + -v ${HOME}/.cargo/registry:/cargo/registry \ + -v ${HOME}/.cargo/git:/cargo/git \ -w /code/lambdas/mylambda \ softprops/lambda-rust ``` @@ -102,11 +114,12 @@ You can then invoke this bootstap executable with the lambda-ci docker image for # Build your function skipping the zip creation step # You may pass `-e PROFILE=dev` to build using dev profile, but here we use `release` docker run \ + -u $(id -u):$(id -g) \ -e PACKAGE=false \ -e BIN={your-binary-name} \ -v ${PWD}:/code \ - -v ${HOME}/.cargo/registry:/root/.cargo/registry \ - -v ${HOME}/.cargo/git:/root/.cargo/git \ + -v ${HOME}/.cargo/registry:/cargo/registry \ + -v ${HOME}/.cargo/git:/cargo/git \ softprops/lambda-rust # start a one-off docker container replicating the "provided" lambda runtime diff --git a/build.sh b/build.sh index eef3dc7..46e218f 100755 --- a/build.sh +++ b/build.sh @@ -12,6 +12,9 @@ mkdir -p target/lambda export PROFILE=${PROFILE:-release} export PACKAGE=${PACKAGE:-true} export DEBUGINFO=${DEBUGINFO} +export CARGO_HOME="/cargo" +export RUSTUP_HOME="/rustup" + # cargo uses different names for target # of its build profiles if [[ "${PROFILE}" == "release" ]]; then @@ -32,7 +35,7 @@ export CARGO_TARGET_DIR=$PWD/target/lambda fi # source cargo - . $HOME/.cargo/env + . $CARGO_HOME/env CARGO_BIN_ARG="" && [[ -n "$BIN" ]] && CARGO_BIN_ARG="--bin ${BIN}" @@ -77,7 +80,7 @@ function package() { cd "${CARGO_TARGET_DIR}/${TARGET_PROFILE}" ( - . $HOME/.cargo/env + . $CARGO_HOME/env if [ -z "$BIN" ]; then IFS=$'\n' for executable in $(cargo metadata --no-deps --format-version=1 | jq -r '.packages[] | .targets[] | select(.kind[] | contains("bin")) | .name'); do 
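Review bot: The new `export CARGO_HOME="/cargo"` and `export RUSTUP_HOME="/rustup"` in the first build.sh hunk overwrite whatever the caller already has in the environment, unlike the adjacent `PROFILE` and `PACKAGE` exports that use `${VAR:-default}`; `export CARGO_HOME="${CARGO_HOME:-/cargo}"` and `export RUSTUP_HOME="${RUSTUP_HOME:-/rustup}"` keep the same defaults while still allowing the caches to be relocated, e.g. when the image is run with a different mount layout. The two `. $CARGO_HOME/env` lines in the second and third hunks should quote the expansion, `. "$CARGO_HOME/env"`, to match the quoting used elsewhere in the script; `package()` begins outside the third hunk.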
diff --git a/tests/test.sh b/tests/test.sh
index 5f93671..97bd88d 100755
--- a/tests/test.sh
+++ b/tests/test.sh
@@ -12,10 +12,11 @@ source "${HERE}"/bashtest.sh
 package_bin() {
 rm -rf target/lambda/release > /dev/null 2>&1
 docker run --rm \
+ -u $(id -u):$(id -g) \
 -e BIN="$1" \
 -v "${PWD}":/code \
- -v "${HOME}"/.cargo/registry:/root/.cargo/registry \
- -v "${HOME}"/.cargo/git:/root/.cargo/git \
+ -v "${HOME}"/.cargo/registry:/cargo/registry \
+ -v "${HOME}"/.cargo/git:/cargo/git \
 ${IMAGE} && \
 ls target/lambda/release/"${1}".zip > /dev/null 2>&1 &&
 ls target/lambda/release/output/"${1}"/bootstrap 2>&1 &&
@@ -26,9 +27,10 @@ package_bin() {
 package_all() {
 rm -rf target/lambda/release > /dev/null 2>&1
 docker run --rm \
+ -u $(id -u):$(id -g) \
 -v "${PWD}":/code \
- -v "${HOME}"/.cargo/registry:/root/.cargo/registry \
- -v "${HOME}"/.cargo/git:/root/.cargo/git \
+ -v "${HOME}"/.cargo/registry:/cargo/registry \
+ -v "${HOME}"/.cargo/git:/cargo/git \
 ${IMAGE} && \
 ls target/lambda/release/"${1}".zip > /dev/null 2>&1 &&
 ls target/lambda/release/output/"${1}"/bootstrap 2>&1 &&
@@ -39,10 +41,11 @@ package_all() {
 compile_without_packaging() {
 rm -rf target/lambda/release > /dev/null 2>&1
 docker run --rm \
+ -u $(id -u):$(id -g) \
 -e PACKAGE=false \
 -v "${PWD}":/code \
- -v "${HOME}"/.cargo/registry:/root/.cargo/registry \
- -v "${HOME}"/.cargo/git:/root/.cargo/git \
+ -v "${HOME}"/.cargo/registry:/cargo/registry \
+ -v "${HOME}"/.cargo/git:/cargo/git \
 ${IMAGE} &&
 !(ls target/lambda/release/"${1}".zip > /dev/null 2>&1) &&
 ls target/lambda/release/output/"${1}"/bootstrap 2>&1 &&
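Review bot: Each `docker run` in these three hunks (and `package_all_dev_profile` in the following one) now passes `-u $(id -u):$(id -g)` but still bind-mounts `"${HOME}"/.cargo/registry` and `"${HOME}"/.cargo/git` without ensuring they exist; on a fresh CI host docker creates a missing mount source owned by root, and the non-root container user then cannot write its registry cache, so the test fails for a reason unrelated to the code under test. A single `mkdir -p "${HOME}"/.cargo/registry "${HOME}"/.cargo/git` near the top of the script, next to the `source` line, removes that dependency on host state; the README in this same patch describes the identical pitfall for users, so the tests should not be exposed to it. Quoting the substitution, `-u "$(id -u):$(id -g)" \`, would additionally keep ShellCheck (SC2046) quiet on the new lines.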
@@ -53,10 +56,11 @@ compile_without_packaging() {
 package_all_dev_profile() {
 rm -rf target/lambda/debug > /dev/null 2>&1
 docker run --rm \
+ -u $(id -u):$(id -g) \
 -e PROFILE=dev \
 -v "${PWD}":/code \
- -v "${HOME}"/.cargo/registry:/root/.cargo/registry \
- -v "${HOME}"/.cargo/git:/root/.cargo/git \
+ -v "${HOME}"/.cargo/registry:/cargo/registry \
+ -v "${HOME}"/.cargo/git:/cargo/git \
 ${IMAGE} && \
 ls target/lambda/debug/"${1}".zip > /dev/null 2>&1 &&
 ls target/lambda/release/output/"${1}"/bootstrap 2>&1 &&
@@ -86,7 +90,7 @@ for project in test-func test-multi-func test-func-with-hooks; do
 rm -f output.log > /dev/null 2>&1
 rm -f test-out.log > /dev/null 2>&1
 rm -rf /tmp/lambda > /dev/null 2>&1
- unzip -o \
+ unzip -o \
 target/lambda/release/"${bin_name}".zip \
 -d /tmp/lambda > /dev/null 2>&1 && \
 docker run \