diff --git a/integration_tests/dockerfiles/Dockerfile_test_user_run b/integration_tests/dockerfiles/Dockerfile_test_user_run
new file mode 100644
index 000000000..a71fb535e
--- /dev/null
+++ b/integration_tests/dockerfiles/Dockerfile_test_user_run
@@ -0,0 +1,19 @@
+# Copyright 2018 Google, Inc. All rights reserved.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+FROM gcr.io/google-appengine/debian9
+RUN useradd testuser
+RUN groupadd testgroup
+USER testuser:testgroup
+RUN echo "hey" > /tmp/foo
diff --git a/integration_tests/dockerfiles/test_user.yaml b/integration_tests/dockerfiles/test_user.yaml
new file mode 100644
index 000000000..9a4bed1dc
--- /dev/null
+++ b/integration_tests/dockerfiles/test_user.yaml
@@ -0,0 +1,15 @@
+schemaVersion: '2.0.0'
+commandTests:
+- name: 'whoami'
+ command: 'whoami'
+ expectedOutput: ['testuser']
+ excludedOutput: ['root']
+- name: 'file owner'
+ command: 'ls'
+ args: ['-l', '/tmp/foo']
+ expectedOutput: ['.*testuser.*', '.*testgroup.*']
+ excludedOutput: ['.*root.*']
+fileContentTests:
+- name: "/tmp/foo"
+ path: "/tmp/foo"
+ expectedContent: ["hey"]
diff --git a/integration_tests/integration_test_yaml.go b/integration_tests/integration_test_yaml.go
index 0954fb00c..9e7a19077 100644
--- a/integration_tests/integration_test_yaml.go
+++ b/integration_tests/integration_test_yaml.go
@@ -87,6 +87,13 @@ var structureTests = []struct {
 dockerBuildContext: "/workspace/integration_tests/dockerfiles/",
 structureTestYamlPath: "/workspace/integration_tests/dockerfiles/test_metadata.yaml",
 },
+ {
+ description: "test user command",
+ dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_user_run",
+ repo: "test-user",
+ dockerBuildContext: "/workspace/integration_tests/dockerfiles/",
+ structureTestYamlPath: "/workspace/integration_tests/dockerfiles/test_user.yaml",
+ },
 }
 
 type step struct {
diff --git a/pkg/commands/commands.go b/pkg/commands/commands.go
index 24c21cb56..0376d225a 100644
--- a/pkg/commands/commands.go
+++ b/pkg/commands/commands.go
@@ -52,6 +52,8 @@ func GetCommand(cmd instructions.Command, buildcontext string) (DockerCommand, e
 return &EntrypointCommand{cmd: c}, nil
 case *instructions.LabelCommand:
 return &LabelCommand{cmd: c}, nil
+ case *instructions.UserCommand:
+ return &UserCommand{cmd: c}, nil
 }
 return nil, errors.Errorf("%s is not a supported command", cmd.Name())
 }
diff --git a/pkg/commands/expose.go b/pkg/commands/expose.go
index fa12ec110..fc9d6fe75 100644
--- a/pkg/commands/expose.go
+++ b/pkg/commands/expose.go
@@ -30,6 +30,7 @@ type ExposeCommand struct {
 }
 
 func (r *ExposeCommand) ExecuteCommand(config *manifest.Schema2Config) error {
+ logrus.Info("cmd: EXPOSE")
 // Grab the currently exposed ports
 existingPorts := config.ExposedPorts
 // Add any new ones in
diff --git a/pkg/commands/label.go b/pkg/commands/label.go
index 3cf8896db..81b9bab56 100644
--- a/pkg/commands/label.go
+++ b/pkg/commands/label.go
@@ -29,6 +29,7 @@ type LabelCommand struct {
 }
 
 func (r *LabelCommand) ExecuteCommand(config *manifest.Schema2Config) error {
+ logrus.Info("cmd: LABEL")
 return updateLabels(r.cmd.Labels, config)
 }
 
diff --git a/pkg/commands/run.go b/pkg/commands/run.go
index b6aa2b19c..6be8f33fe 100644
--- a/pkg/commands/run.go
+++ b/pkg/commands/run.go
@@ -22,7 +22,9 @@ import (
 "github.com/sirupsen/logrus"
 "os"
 "os/exec"
+ "strconv"
 "strings"
+ "syscall"
 )
 
 type RunCommand struct {
@@ -46,6 +48,26 @@ func (r *RunCommand) ExecuteCommand(config *manifest.Schema2Config) error {
 cmd := exec.Command(newCommand[0], newCommand[1:]...)
 cmd.Dir = config.WorkingDir
 cmd.Stdout = os.Stdout
+ // If specified, run the command as a specific user
+ if config.User != "" {
+ userAndGroup := strings.Split(config.User, ":")
+ // uid and gid need to be uint32
+ uid64, err := strconv.ParseUint(userAndGroup[0], 10, 32)
+ if err != nil {
+ return err
+ }
+ uid := uint32(uid64)
+ var gid uint32
+ if len(userAndGroup) > 1 {
+ gid64, err := strconv.ParseUint(userAndGroup[1], 10, 32)
+ if err != nil {
+ return err
+ }
+ gid = uint32(gid64)
+ }
+ cmd.SysProcAttr = &syscall.SysProcAttr{}
+ cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uid, Gid: gid}
+ }
 return cmd.Run()
 }
 
diff --git a/pkg/commands/user.go b/pkg/commands/user.go
new file mode 100644
index 000000000..d2e4cff61
--- /dev/null
+++ b/pkg/commands/user.go
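Review bot: When `config.User` has no `:group` part, `gid` keeps its zero value, so the added `syscall.Credential{Uid: uid, Gid: gid}` runs the command as the requested uid but with gid 0 (root's group); a `USER 1000` followed by `RUN` would create files owned by `1000:root`, which is not what the Dockerfile asked for and is more privilege than intended. The group should instead default to the user's primary group from the passwd database, as sketched below (needs `"os/user"` added to the import block in the first hunk). Separately, `strconv.ParseUint(userAndGroup[0], 10, 32)` assumes `config.User` is numeric; that holds for values written by the new USER command in this commit, but a base image whose config already carries a name such as `nobody` would make every later RUN fail here, so either resolve names the way user.go does or document the assumption in a comment. `Credential.Groups` is also left unset, so supplementary group membership is not applied to the child process. ExecuteCommand's body begins outside the hunk.
```go
		var gid uint32
		if len(userAndGroup) > 1 {
			// … unchanged: parse userAndGroup[1] into gid …
		} else {
			// No group given: use the user's primary group rather than leaving gid at 0 (root).
			u, err := user.LookupId(userAndGroup[0])
			if err != nil {
				return err
			}
			gid64, err := strconv.ParseUint(u.Gid, 10, 32)
			if err != nil {
				return err
			}
			gid = uint32(gid64)
		}
		// … unchanged: SysProcAttr / Credential assignment …
```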
@@ -0,0 +1,95 @@
+/*
+Copyright 2018 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package commands
+
+import (
+ "github.com/GoogleCloudPlatform/k8s-container-builder/pkg/util"
+ "github.com/containers/image/manifest"
+ "github.com/docker/docker/builder/dockerfile/instructions"
+ "github.com/sirupsen/logrus"
+ "os/user"
+ "strings"
+)
+
+type UserCommand struct {
+ cmd *instructions.UserCommand
+}
+
+func (r *UserCommand) ExecuteCommand(config *manifest.Schema2Config) error {
+ logrus.Info("cmd: USER")
+ u := r.cmd.User
+ userAndGroup := strings.Split(u, ":")
+ userStr, err := util.ResolveEnvironmentReplacement(userAndGroup[0], config.Env, false)
+ if err != nil {
+ return err
+ }
+ var groupStr string
+ if len(userAndGroup) > 1 {
+ groupStr, err = util.ResolveEnvironmentReplacement(userAndGroup[1], config.Env, false)
+ if err != nil {
+ return err
+ }
+ }
+
+ // Lookup by username
+ userObj, err := user.Lookup(userStr)
+ if err != nil {
+ if _, ok := err.(user.UnknownUserError); ok {
+ // Lookup by id
+ userObj, err = user.LookupId(userStr)
+ if err != nil {
+ return err
+ }
+ } else {
+ return err
+ }
+ }
+
+ // Same dance with groups
+ var group *user.Group
+ if groupStr != "" {
+ group, err = user.LookupGroup(groupStr)
+ if err != nil {
+ if _, ok := err.(user.UnknownGroupError); ok {
+ group, err = user.LookupGroupId(groupStr)
+ if err != nil {
+ return err
+ }
+ } else {
+ return err
+ }
+ }
+ }
+
+ uid := userObj.Uid
+ if group != nil {
+ uid = uid + ":" + group.Gid
+ }
+
+ logrus.Infof("Setting user to %s", uid)
+ config.User = uid
+ return nil
+}
+
+func (r *UserCommand) FilesToSnapshot() []string {
+ return []string{}
+}
+
+func (r *UserCommand) CreatedBy() string {
+ s := []string{r.cmd.Name(), r.cmd.User}
+ return strings.Join(s, " ")
+}
diff --git a/pkg/commands/user_test.go b/pkg/commands/user_test.go
new file mode 100644
index 000000000..c1ebe0ab2
--- /dev/null
+++ b/pkg/commands/user_test.go
@@ -0,0 +1,98 @@
+/*
+Copyright 2018 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+package commands
+
+import (
+ "github.com/GoogleCloudPlatform/k8s-container-builder/testutil"
+ "github.com/containers/image/manifest"
+ "github.com/docker/docker/builder/dockerfile/instructions"
+ "testing"
+)
+
+var userTests = []struct {
+ user string
+ expectedUid string
+ shouldError bool
+}{
+ {
+ user: "root",
+ expectedUid: "0",
+ shouldError: false,
+ },
+ {
+ user: "0",
+ expectedUid: "0",
+ shouldError: false,
+ },
+ {
+ user: "fakeUser",
+ expectedUid: "",
+ shouldError: true,
+ },
+ {
+ user: "root:root",
+ expectedUid: "0:0",
+ shouldError: false,
+ },
+ {
+ user: "0:root",
+ expectedUid: "0:0",
+ shouldError: false,
+ },
+ {
+ user: "root:0",
+ expectedUid: "0:0",
+ shouldError: false,
+ },
+ {
+ user: "0:0",
+ expectedUid: "0:0",
+ shouldError: false,
+ },
+ {
+ user: "root:fakeGroup",
+ expectedUid: "",
+ shouldError: true,
+ },
+ {
+ user: "$envuser",
+ expectedUid: "0",
+ shouldError: false,
+ },
+ {
+ user: "root:$envgroup",
+ expectedUid: "0:0",
+ shouldError: false,
+ },
+}
+
+func TestUpdateUser(t *testing.T) {
+ for _, test := range userTests {
+ cfg := &manifest.Schema2Config{
+ Env: []string{
+ "envuser=root",
+ "envgroup=root",
+ },
+ }
+ cmd := UserCommand{
+ &instructions.UserCommand{
+ User: test.user,
+ },
+ }
+ err := cmd.ExecuteCommand(cfg)
+ testutil.CheckErrorAndDeepEqual(t, test.shouldError, err, test.expectedUid, cfg.User)
+ }
+}