Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Makefile: Fix potential uid/gid collision by using setpriv #821

Merged
merged 1 commit into from
Nov 29, 2022
Merged

Makefile: Fix potential uid/gid collision by using setpriv #821

merged 1 commit into from
Nov 29, 2022

Conversation

gandro
Copy link
Member

@gandro gandro commented Nov 29, 2022

The release build should run with the same numeric user and group id as the caller of the Makefile. This solves two problems:

  1. The generated artefacts should be owned by the user who invoked the Makefile
  2. go build -buildvcs=true (the default since Go 1.18) invokes git, and git requires that the .git folder is owned by the user invoking it.

Previously, we achieved this by creating a new user and group inside the container with the wanted uid/gid. The problem with that approach is it fails if the uid/gid is already taken (such as e.g. gid 123, which seems to be used by the GitHub runner as of recently). Therefore, instead of trying to create a new user, this commit now uses setpriv from util-linux to force the make process (and all its children) to run as the RELEASE_{UID/GID}. This ensures that both git can access the .git directory owned by the host user, and that the host user can access the generated artifacts. One limitation of setpriv is that it runs the child process without an accessible $HOME directory, which go build needs for the GOCACHE. To solve this for now, we point it to a temporary directory. In the future, we could consider using a GOCACHE owned by the host, to allow cache-reuse across builds.

This fixes an issue where the GitHub release workflow fails with addgroup: gid '123' in use

@gandro
Makefile: Fix potential uid/gid collision by using setpriv
d84a363 
The release build should run with the same numeric user and group id as
the caller of the Makefile. This solves two problems:

 1. The generated artefacts should be owned by the user who invoked the
    Makefile
 2. `go build -buildvcs=true` (the default since Go 1.18) invokes git,
    and git requires that the .git folder is owned by the user invoking
    it.

Previously, we achieved this by creating a new user and group inside the
container with the wanted uid/gid. The problem with that approach is it
fails if the uid/gid is already taken (such as e.g. gid 123, which seems
to be used by the GitHub runner as of recently). Therefore, instead of
trying to create a new user, this commit now uses `setpriv` from
util-linux to force the `make` process (and all its children) to run as
the RELEASE_{UID/GID}. This ensures that both `git` can access the
`.git` directory owned by the host user, and that the host user can
access the generated artifacts. One limitation of `setpriv` is that it
runs the child process without an accessible `$HOME` directory, which
`go build` needs for the GOCACHE. To solve this for now, we point it to
a temporary directory. In the future, we could consider using a GOCACHE
owned by the host, to allow cache-reuse across builds.

Signed-off-by: Sebastian Wicki <sebastian@isovalent.com>
@gandro gandro added 🤖 area/CI Impacts the testing / continuous integration testing of the project. release-note/ci This PR makes changes to the CI. labels Nov 29, 2022
@gandro gandro requested a review from a team as a code owner November 29, 2022 15:05
@gandro gandro requested review from michi-covalent, kaworu and tklauser and removed request for a team November 29, 2022 15:05
@gandro gandro merged commit 69822cd into master Nov 29, 2022
@gandro gandro deleted the pr/gandro/fix-docker-uid-conflict branch November 29, 2022 16:00
@gandro gandro mentioned this pull request Nov 29, 2022
Merged
This was referenced Nov 29, 2022
Merged
Merged
@kaworu
Copy link
Member

kaworu commented Nov 29, 2022

Nice workaround, TIL about setpriv thanks @gandro for tackling this 🙏

@kkourt kkourt mentioned this pull request Dec 9, 2022
Merged
@kaworu kaworu mentioned this pull request Jan 3, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@michi-covalent michi-covalent michi-covalent approved these changes

@rolinh rolinh rolinh approved these changes

@kaworu kaworu Awaiting requested review from kaworu

@tklauser tklauser Awaiting requested review from tklauser

Assignees
No one assigned
Labels
🤖 area/CI Impacts the testing / continuous integration testing of the project. release-note/ci This PR makes changes to the CI.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@gandro @kaworu @rolinh @michi-covalent