From bc78e2b83887eef53d55a8726b9a30bf78bf5014 Mon Sep 17 00:00:00 2001 From: sharifelgamal Date: Thu, 29 Mar 2018 11:53:31 -0700 Subject: [PATCH 1/5] adding USER command --- .../dockerfiles/Dockerfile_test_user_run | 19 +++++ integration_tests/dockerfiles/test_user.yaml | 15 ++++ integration_tests/integration_test_yaml.go | 7 ++ pkg/commands/expose.go | 1 + pkg/commands/label.go | 1 + pkg/commands/run.go | 22 +++++ pkg/commands/user.go | 79 ++++++++++++++++++ pkg/commands/user_test.go | 83 +++++++++++++++++++ 8 files changed, 227 insertions(+) create mode 100644 integration_tests/dockerfiles/Dockerfile_test_user_run create mode 100644 integration_tests/dockerfiles/test_user.yaml create mode 100644 pkg/commands/user.go create mode 100644 pkg/commands/user_test.go diff --git a/integration_tests/dockerfiles/Dockerfile_test_user_run b/integration_tests/dockerfiles/Dockerfile_test_user_run new file mode 100644 index 000000000..2c58a6b7a --- /dev/null +++ b/integration_tests/dockerfiles/Dockerfile_test_user_run @@ -0,0 +1,19 @@ +# Copyright 2018 Google, Inc. All rights reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +FROM gcr.io/google-appengine/debian9 +RUN useradd testuser +RUN groupadd testgroup +USER testuser:testgroup +RUN echo "hey" > /etc/foo diff --git a/integration_tests/dockerfiles/test_user.yaml b/integration_tests/dockerfiles/test_user.yaml new file mode 100644 index 000000000..9a4bed1dc --- /dev/null +++ b/integration_tests/dockerfiles/test_user.yaml 
@@ -0,0 +1,15 @@ +schemaVersion: '2.0.0' +commandTests: +- name: 'whoami' + command: 'whoami' + expectedOutput: ['testuser'] + excludedOutput: ['root'] +- name: 'file owner' + command: 'ls' + args: ['-l', '/tmp/foo'] + expectedOutput: ['.*testuser.*', '.*testgroup.*'] + excludedOutput: ['.*root.*'] +fileContentTests: +- name: "/tmp/foo" + path: "/tmp/foo" + expectedContent: ["hey"] diff --git a/integration_tests/integration_test_yaml.go b/integration_tests/integration_test_yaml.go index 3129456ff..36c53d84d 100644 --- a/integration_tests/integration_test_yaml.go +++ b/integration_tests/integration_test_yaml.go @@ -80,6 +80,13 @@ var structureTests = []struct { dockerBuildContext: "/workspace/integration_tests/dockerfiles/", structureTestYamlPath: "/workspace/integration_tests/dockerfiles/test_metadata.yaml", }, + { + description: "test user command", + dockerfilePath: "/workspace/integration_tests/dockerfiles/Dockerfile_test_user_run", + repo: "test-user", + dockerBuildContext: "/workspace/integration_tests/dockerfiles/", + structureTestYamlPath: "/workspace/integration_tests/dockerfiles/test_user.yaml", + }, } type step struct { diff --git a/pkg/commands/expose.go b/pkg/commands/expose.go index fa12ec110..fc9d6fe75 100644 --- a/pkg/commands/expose.go +++ b/pkg/commands/expose.go @@ -30,6 +30,7 @@ type ExposeCommand struct { } func (r *ExposeCommand) ExecuteCommand(config *manifest.Schema2Config) error { + logrus.Info("cmd: EXPOSE") // Grab the currently exposed ports existingPorts := config.ExposedPorts // Add any new ones in diff --git a/pkg/commands/label.go b/pkg/commands/label.go index 3cf8896db..81b9bab56 100644 --- a/pkg/commands/label.go +++ b/pkg/commands/label.go @@ -29,6 +29,7 @@ type LabelCommand struct { } func (r *LabelCommand) ExecuteCommand(config *manifest.Schema2Config) error { + logrus.Info("cmd: LABEL") return updateLabels(r.cmd.Labels, config) } diff --git a/pkg/commands/run.go b/pkg/commands/run.go index b08cf8800..b7e59bae8 100644 
--- a/pkg/commands/run.go +++ b/pkg/commands/run.go @@ -22,7 +22,9 @@ import ( "github.com/sirupsen/logrus" "os" "os/exec" + "strconv" "strings" + "syscall" ) type RunCommand struct { @@ -45,6 +47,26 @@ func (r *RunCommand) ExecuteCommand(config *manifest.Schema2Config) error { cmd := exec.Command(newCommand[0], newCommand[1:]...) cmd.Stdout = os.Stdout + // If specified, run the command as a specific user + if config.User != "" { + userAndGroup := strings.Split(config.User, ":") + // uid and gid need to be uint32 + uid64, err := strconv.ParseUint(userAndGroup[0], 10, 32) + if err != nil { + return err + } + uid := uint32(uid64) + var gid uint32 + if len(userAndGroup) > 1 { + gid64, err := strconv.ParseUint(userAndGroup[1], 10, 32) + if err != nil { + return err + } + gid = uint32(gid64) + } + cmd.SysProcAttr = &syscall.SysProcAttr{} + cmd.SysProcAttr.Credential = &syscall.Credential{Uid: uid, Gid: gid} + } return cmd.Run() } diff --git a/pkg/commands/user.go b/pkg/commands/user.go new file mode 100644 index 000000000..b207eaf38 --- /dev/null +++ b/pkg/commands/user.go 
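Review bot: When config.User carries only a uid, `var gid uint32` leaves gid at 0, so every RUN after a plain `USER testuser` executes in the root group instead of the user's primary group as Docker would, and the child keeps gid-0 access to root-group-writable files. A second gap in the same branch: config.User can also be a non-numeric name inherited from the base image's config (an upstream `USER www-data`), and the only parse path is strconv.ParseUint, so such a base image would make every RUN fail with a parse error since the resolution added in user.go only covers USER lines in this Dockerfile. Looking up the primary gid with `user.LookupId` when no group is given fixes the first (adds "os/user" to the import hunk above); the second needs the same name-to-id resolution applied here, or a comment stating that inherited names are unsupported. ExecuteCommand's body begins before this hunk.
```go
		// … unchanged: uid parsing …
		// No explicit group: use the user's primary group from /etc/passwd
		// rather than silently defaulting to gid 0 (root).
		gidStr := ""
		if len(userAndGroup) > 1 {
			gidStr = userAndGroup[1]
		} else if u, lerr := user.LookupId(userAndGroup[0]); lerr == nil {
			gidStr = u.Gid
		}
		var gid uint32
		if gidStr != "" {
			gid64, err := strconv.ParseUint(gidStr, 10, 32)
			if err != nil {
				return err
			}
			gid = uint32(gid64)
		}
		// … unchanged: SysProcAttr / Credential setup …
```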
@@ -0,0 +1,79 @@
+/*
+Copyright 2018 Google LLC
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package commands
+
+import (
+ "github.com/containers/image/manifest"
+ "github.com/docker/docker/builder/dockerfile/instructions"
+ "github.com/sirupsen/logrus"
+ "os/user"
+ "strings"
+)
+
+type UserCommand struct {
+ cmd *instructions.UserCommand
+}
+
+func (r *UserCommand) ExecuteCommand(config *manifest.Schema2Config) error {
+ logrus.Info("cmd: USER")
+ u := r.cmd.User
+ userAndGroup := strings.Split(u, ":")
+ userStr := userAndGroup[0]
+ var groupStr string
+ if len(userAndGroup) > 1 {
+ groupStr = userAndGroup[1]
+ }
+
+ // Lookup by username
+ userObj, err := user.Lookup(userStr)
+ if err != nil {
+ if _, ok := err.(user.UnknownUserError); ok {
+ // Lookup by id
+ userObj, err = user.LookupId(userStr)
+ if err != nil {
+ return err
+ }
+ } else {
+ return err
+ }
+ }
+
+ // Same dance with groups
+ var group *user.Group
+ if groupStr != "" {
+ group, err = user.LookupGroup(groupStr)
+ if err != nil {
+ if _, ok := err.(user.UnknownGroupError); ok {
+ group, err = user.LookupGroupId(groupStr)
+ if err != nil {
+ return err
+ }
+ } else {
+ return err
+ }
+ }
+ }
+
+ uid := userObj.Uid
+ if group != nil {
+ uid = uid + ":" + group.Gid
+ }
+
+ logrus.Infof("Setting user to %s", uid)
+ config.User = uid
+ return nil
+}
diff --git a/pkg/commands/user_test.go b/pkg/commands/user_test.go
new file mode 100644
index 000000000..fb5641939
--- /dev/null
+++ b/pkg/commands/user_test.go
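Review bot: A numeric uid with no passwd entry is rejected: after `user.Lookup` fails with UnknownUserError the fallback `user.LookupId` returns UnknownUserIdError and the function returns it, so `USER 65532` in an image that has no such passwd line (the usual non-root pattern for minimal/distroless images) aborts the build, whereas Docker accepts any numeric uid. Since a found entry's Uid is the same digits as the input anyway, the id path only needs strconv.ParseUint to validate the string and can keep it literally; the group branch deserves the same treatment. A caveat worth a comment on the lookup: user.Lookup reads the executor process's own /etc/passwd, which is presumably the extracted image rootfs in this builder — run anywhere else it would resolve names against the wrong file. Adding "strconv" to the import block is the only other change.
```go
	// Lookup by username; a plain numeric id with no passwd entry is still
	// accepted, matching Docker's handling of e.g. `USER 65532`.
	uid := userStr
	userObj, err := user.Lookup(userStr)
	switch err.(type) {
	case nil:
		uid = userObj.Uid
	case user.UnknownUserError:
		if _, perr := strconv.ParseUint(userStr, 10, 32); perr != nil {
			return err
		}
	default:
		return err
	}

	// … unchanged: group lookup (same numeric fallback applies) …

	if group != nil {
		uid = uid + ":" + group.Gid
	}
```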
@@ -0,0 +1,83 @@ +/* +Copyright 2018 Google LLC + +Licensed under the Apache License, Version 2.0 (the "License"); +you may not use this file except in compliance with the License. +You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + +Unless required by applicable law or agreed to in writing, software +distributed under the License is distributed on an "AS IS" BASIS, +WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +See the License for the specific language governing permissions and +limitations under the License. +*/ +package commands + +import ( + "github.com/GoogleCloudPlatform/k8s-container-builder/testutil" + "github.com/containers/image/manifest" + "github.com/docker/docker/builder/dockerfile/instructions" + "testing" +) + +var userTests = []struct { + user string + expectedUid string + shouldError bool +}{ + { + user: "root", + expectedUid: "0", + shouldError: false, + }, + { + user: "0", + expectedUid: "0", + shouldError: false, + }, + { + user: "fakeUser", + expectedUid: "", + shouldError: true, + }, + { + user: "root:root", + expectedUid: "0:0", + shouldError: false, + }, + { + user: "0:root", + expectedUid: "0:0", + shouldError: false, + }, + { + user: "root:0", + expectedUid: "0:0", + shouldError: false, + }, + { + user: "0:0", + expectedUid: "0:0", + shouldError: false, + }, + { + user: "root:fakeGroup", + expectedUid: "", + shouldError: true, + }, +} + +func TestUpdateUser(t *testing.T) { + for _, test := range userTests { + cfg := &manifest.Schema2Config{} + cmd := UserCommand{ + &instructions.UserCommand{ + User: test.user, + }, + } + err := cmd.ExecuteCommand(cfg) + testutil.CheckErrorAndDeepEqual(t, test.shouldError, err, test.expectedUid, cfg.User) + } +} From b315cf104966cccdbab857b74e5c1f0bd7662fa6 Mon Sep 17 00:00:00 2001 
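Review bot: Every passing case in the table resolves to root/0, so the test only pins the root round-trip and never checks a user whose primary gid differs from its uid, nor a numeric id with no passwd or group entry. A case such as `{user: "65532", expectedUid: "65532", shouldError: false}` would document the Docker-compatible expectation for distroless-style images (on a host without that uid it fails against the current LookupId fallback, which is the behavior worth deciding on explicitly). The table also depends on the test host's /etc/passwd containing `root`, which is true everywhere this is likely to run but deserves a one-line comment above `userTests`.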
From: sharifelgamal Date: Thu, 29 Mar 2018 11:54:51 -0700 Subject: [PATCH 2/5] adding user command to switch --- pkg/commands/commands.go | 2 ++ 1 file changed, 2 insertions(+) diff --git a/pkg/commands/commands.go b/pkg/commands/commands.go index 08fa3ceb1..0c4eef17d 100644 --- a/pkg/commands/commands.go +++ b/pkg/commands/commands.go @@ -50,6 +50,8 @@ func GetCommand(cmd instructions.Command, buildcontext string) (DockerCommand, e return &EntrypointCommand{cmd: c}, nil case *instructions.LabelCommand: return &LabelCommand{cmd: c}, nil + case *instructions.UserCommand: + return &UserCommand{cmd: c}, nil } return nil, errors.Errorf("%s is not a supported command", cmd.Name()) } From abc85905c0eadeae8dc5c4990ecd29fb51d1f4ac Mon Sep 17 00:00:00 2001 From: sharifelgamal Date: Thu, 29 Mar 2018 12:54:00 -0700 Subject: [PATCH 3/5] adding necessary functions --- pkg/commands/user.go | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/pkg/commands/user.go b/pkg/commands/user.go index b207eaf38..ae5a9e4e9 100644 --- a/pkg/commands/user.go +++ b/pkg/commands/user.go @@ -77,3 +77,12 @@ func (r *UserCommand) ExecuteCommand(config *manifest.Schema2Config) error { config.User = uid return nil } + +func (r *UserCommand) FilesToSnapshot() []string { + return []string{} +} + +func (r *UserCommand) CreatedBy() string { + s := []string{r.cmd.Name(), r.cmd.User} + return strings.Join(s, " ") +} From 7ae8f35eb95a897e3990df9726cf32c785743291 Mon Sep 17 00:00:00 2001 From: sharifelgamal Date: Thu, 29 Mar 2018 13:35:37 -0700 Subject: [PATCH 4/5] write to /tmp --- integration_tests/dockerfiles/Dockerfile_test_user_run | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/integration_tests/dockerfiles/Dockerfile_test_user_run b/integration_tests/dockerfiles/Dockerfile_test_user_run index 2c58a6b7a..a71fb535e 100644 --- a/integration_tests/dockerfiles/Dockerfile_test_user_run +++ b/integration_tests/dockerfiles/Dockerfile_test_user_run 
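Review bot: FilesToSnapshot and CreatedBy are exported methods (presumably satisfying the DockerCommand interface that GetCommand returns) but carry no doc comment, and CreatedBy's choice to record the literal `r.cmd.User` rather than the resolved uid that ExecuteCommand writes to config.User is not obvious from the name. Suggest `// FilesToSnapshot returns nothing: USER changes only image config, never the filesystem.` and `// CreatedBy returns the history line for this step, using the Dockerfile's literal USER argument rather than the resolved uid:gid.`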
@@ -16,4 +16,4 @@ FROM gcr.io/google-appengine/debian9 RUN useradd testuser RUN groupadd testgroup USER testuser:testgroup -RUN echo "hey" > /etc/foo +RUN echo "hey" > /tmp/foo From da0231a4d1cd6d18181328d4fb1754692614d5c5 Mon Sep 17 00:00:00 2001 From: sharifelgamal Date: Fri, 30 Mar 2018 10:13:35 -0700 Subject: [PATCH 5/5] adding support of env variable replacement --- pkg/commands/user.go | 11 +++++++++-- pkg/commands/user_test.go | 17 ++++++++++++++++- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/pkg/commands/user.go b/pkg/commands/user.go index ae5a9e4e9..d2e4cff61 100644 --- a/pkg/commands/user.go +++ b/pkg/commands/user.go @@ -17,6 +17,7 @@ limitations under the License. package commands import ( + "github.com/GoogleCloudPlatform/k8s-container-builder/pkg/util" "github.com/containers/image/manifest" "github.com/docker/docker/builder/dockerfile/instructions" "github.com/sirupsen/logrus" @@ -32,10 +33,16 @@ func (r *UserCommand) ExecuteCommand(config *manifest.Schema2Config) error { logrus.Info("cmd: USER") u := r.cmd.User userAndGroup := strings.Split(u, ":") - userStr := userAndGroup[0] + userStr, err := util.ResolveEnvironmentReplacement(userAndGroup[0], config.Env, false) + if err != nil { + return err + } var groupStr string if len(userAndGroup) > 1 { - groupStr = userAndGroup[1] + groupStr, err = util.ResolveEnvironmentReplacement(userAndGroup[1], config.Env, false) + if err != nil { + return err + } } // Lookup by username diff --git a/pkg/commands/user_test.go b/pkg/commands/user_test.go index fb5641939..c1ebe0ab2 100644 --- a/pkg/commands/user_test.go +++ b/pkg/commands/user_test.go 
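Review bot: The `:` split still runs before environment replacement, so `USER $APP_USER` with `APP_USER=app:app` leaves userStr as "app:app" with no group, and user.Lookup of that string fails, whereas Docker expands the whole argument first and splits afterwards. Resolve first and split second: `u, err := util.ResolveEnvironmentReplacement(r.cmd.User, config.Env, false)` followed by `userAndGroup := strings.Split(u, ":")`, which also removes the second Resolve call on the group half. The meaning of the trailing `false` argument is not visible here; a short comment naming it would help the next reader. ExecuteCommand continues past the end of the hunk.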
@@ -67,11 +67,26 @@ var userTests = []struct { expectedUid: "", shouldError: true, }, + { + user: "$envuser", + expectedUid: "0", + shouldError: false, + }, + { + user: "root:$envgroup", + expectedUid: "0:0", + shouldError: false, + }, } func TestUpdateUser(t *testing.T) { for _, test := range userTests { - cfg := &manifest.Schema2Config{} + cfg := &manifest.Schema2Config{ + Env: []string{ + "envuser=root", + "envgroup=root", + }, + } cmd := UserCommand{ &instructions.UserCommand{ User: test.user,
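Review bot: Neither new case covers a variable that expands to a `user:group` pair, which is exactly where splitting before expansion diverges from Docker; adding `"envpair=root:root"` to Env with `{user: "$envpair", expectedUid: "0:0", shouldError: false}` would pin that expectation. The fixture Env also only ever expands to `root`, so an unset variable (`$nosuchvar`) is untested and its expected outcome — error or lookup of an empty name — is left undocumented. TestUpdateUser continues past the end of the hunk.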