
Build Arcanist Docker images by user
ClosedPublic

Authored by dereckson on Sep 28 2020, 23:58.

Details

Summary

On a Docker development server, arc shell offers a Debian userland
with Arcanist and Git to interact with Phabricator repositories,
commit, merge, etc.

This is intended to ease the test and maintenance of the Docker images
repositories directly on a Docker development server.

Currently, those containers run as root. Regardless of whether it's acceptable
or not from a security point of view, this method has a major usability
drawback when the Git index is manipulated, as it populates files owned
by root, requiring a chown afterwards.

This change offers to run the container under the caller's own user id. This user
must exist in the image to avoid issues with the SSH client and should exist
to avoid the "I have no name!" prompt. As such, a custom build is needed.

The custom image uses the set (UID, GID) as image tag. The GID ensures
minimal friction when creating directories or working with group permissions.

Test Plan
  • Build on Dwellers
  • arc shell created and used nasqueron/arcanist:5001-5001 image
  • SSH works
  • arc shell doesn't try to build the image a second time

Diff Detail

Repository
rOPS Nasqueron Operations
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

dereckson created this revision.

UID is readonly on current Debian sh implementation

This revision is now accepted and ready to land. Sep 29 2020, 01:05
This revision was landed with ongoing or failed builds. Sep 29 2020, 01:06
This revision was automatically updated to reflect the committed changes.

Output test with echo before 'docker run' commands

First run
$ arc shell
🔨 Building user-specific image nasqueron/arcanist:5001-5001 for dereckson
Sending build context to Docker daemon  2.048kB
Step 1/2 : FROM nasqueron/arcanist
 ---> 6e4174e6e254
Step 2/2 : RUN groupadd -r dereckson -g 5001 && mkdir /home/dereckson && useradd -u 5001 -r -g dereckson -d /home/dereckson -s /bin/bash dereckson && chown -R dereckson:dereckson /home/dereckson
 ---> Running in a1e36597c0f8
Removing intermediate container a1e36597c0f8
 ---> c4205037320b
Successfully built c4205037320b
Successfully tagged nasqueron/arcanist:5001-5001
docker run -it --rm --user 5001:5001 -v /home/dereckson/.arc:/opt/config -v /home/dereckson/dev/docker/php-cli:/opt/workspace -v /home/dereckson/.arc/ssh:/home/dereckson/.ssh nasqueron/arcanist:5001-5001 bash
Second run
$ arc shell
docker run -it --rm --user 5001:5001 -v /home/dereckson/.arc:/opt/config -v /home/dereckson/dev/docker/php-cli:/opt/workspace -v /home/dereckson/.arc/ssh:/home/dereckson/.ssh nasqueron/arcanist:5001-5001 bash
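As an added example (not the revision's own arc shell script), a POSIX sh sketch of the flow the summary and the test output above describe: derive the tag from the caller's uid and gid, build the per-user image only when it is missing, and run it with --user. The function names, the ARC_SHELL_START switch and the use of the current directory as the workspace are assumptions.

```shell
#!/bin/sh
# Added example (not the rOPS arc shell script): build a per-user
# derivative of nasqueron/arcanist tagged UID-GID on first use, then run
# it with --user so files written to the workspace belong to the caller.
set -eu

BASE_IMAGE="nasqueron/arcanist"

# "nasqueron/arcanist:5001-5001" for uid 5001, gid 5001.
user_image_tag() {
    printf '%s:%s-%s\n' "$BASE_IMAGE" "$1" "$2"
}

# Dockerfile for the per-user image: $1 = username, $2 = uid, $3 = gid.
# Creating the user with the host's ids makes the name resolve inside the
# container (no "I have no name!" prompt) and gives the SSH client a home.
user_dockerfile() {
    printf 'FROM %s\n' "$BASE_IMAGE"
    printf 'RUN groupadd -r %s -g %s && mkdir /home/%s && useradd -u %s -r -g %s -d /home/%s -s /bin/bash %s && chown -R %s:%s /home/%s\n' \
        "$1" "$3" "$1" "$2" "$1" "$1" "$1" "$1" "$1" "$1"
}

# Build only when the tag is absent locally, so a second run skips the build.
ensure_user_image() {
    tag=$(user_image_tag "$2" "$3")
    if ! docker image inspect "$tag" >/dev/null 2>&1; then
        echo "Building user-specific image $tag for $1" >&2
        user_dockerfile "$1" "$2" "$3" | docker build -t "$tag" - >&2
    fi
    printf '%s\n' "$tag"
}

# Read the ids with id(1); do not assign to a variable named UID, which is
# readonly in some sh implementations and would abort the script.
arc_shell() {
    name=$(id -un); uid=$(id -u); gid=$(id -g)
    tag=$(ensure_user_image "$name" "$uid" "$gid")
    # Mounts follow the docker run line from the revision's test output;
    # the workspace is the current directory (assumption).
    exec docker run -it --rm --user "$uid:$gid" \
        -v "$HOME/.arc:/opt/config" \
        -v "$PWD:/opt/workspace" \
        -v "$HOME/.arc/ssh:/home/$name/.ssh" \
        "$tag" bash
}

# ARC_SHELL_START=1 (assumed switch) starts the container; otherwise only
# the functions are defined, so the file can be sourced or tested.
if [ "${ARC_SHELL_START:-0}" = 1 ]; then
    arc_shell
fi
```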