Fix buildah image, clean up base dockerfile

Signed-off-by: Tim Etchells <[email protected]>

Author: tetchel

base/Dockerfile

@@ -8,11 +8,12 @@ RUN dnf -y upgrade --security && \
 
 # The UID env var should be used in child dockerfiles.
 ENV UID=1000
-# ENV GID=0
-ENV USERNAME="build"
+ENV GID=0
+ENV USERNAME="runner"
 
 # Create our user and their home directory
 RUN useradd -m $USERNAME -u $UID
+# This is to mimic the OpenShift behaviour of adding the dynamic user to group 0.
 RUN usermod -G 0 $USERNAME
 ENV HOME /home/${USERNAME}
 WORKDIR /home/${USERNAME}
@@ -25,7 +26,7 @@ ENV RUNNER_WORKDIR /home/${USERNAME}/_work
 ENV RUNNER_LABELS ""
 
 # Allow group 0 to modify these /etc/ files since on openshift, the dynamically-assigned user is always part of group 0.
-# Also see uid.sh
+# Also see ./uid.sh for the usage of these permissions.
 RUN chmod g+w /etc/passwd && \
     touch /etc/sub{g,u}id && \
     chmod -v ug+rw /etc/sub{g,u}id
@@ -34,14 +35,13 @@ COPY --chown=${USERNAME}:0 get-runner-release.sh ./
 RUN ./get-runner-release.sh
 RUN ./bin/installdependencies.sh
 
-# Set permissions so that we can allow the openshift-generated container user to access home and /etc/passwd.
+# Set permissions so that we can allow the openshift-generated container user to access home.
 # https://docs.openshift.com/container-platform/3.3/creating_images/guidelines.html#openshift-container-platform-specific-guidelines
 RUN chown -R ${USERNAME}:0 /home/${USERNAME}/ && \
     chgrp -R 0 /home/${USERNAME}/ && \
     chmod -R g=u /home/${USERNAME}/
 
 COPY --chown=${USERNAME}:0 entrypoint.sh uid.sh ./
-# RUN chmod -v ug+x *.sh
 
 USER $UID
 

base/uid.sh

@@ -21,7 +21,6 @@ if ! whoami &> /dev/null; then
     tail -n 1 /etc/passwd
   else
     echo "No write permission to /etc/passwd!" 1>&2
-    exit 1
   fi
 else
   echo "User already has passwd entry"
@@ -31,18 +30,16 @@ echo "whoami=$(whoami)"
 echo "groups=$(groups 2>/dev/null)"
 
 set +x
-#if ! grep $username /etc/subuid &> /dev/null; then
-  echo "Creating sub{u,g}id entries for $username"
-  subuids_start=$(expr $uid + 1000)
-  subgids_start=$(expr $gid + 1000)
-
-  no_subids=50000
-
-  echo "${username}:${subuids_start}:${no_subids}" | tee /etc/subuid
-  echo "${username}:${subgids_start}:${no_subids}" | tee /etc/subgid
-#else
-#  echo "subuid entry already exists for $username"
-#fi
+echo "Creating sub{u,g}id entries for $username"
+subuids_start=$(expr $uid + 1000)
+subgids_start=$(expr $gid + 1000)
+
+# Do not allocate too many.
+# https://github.com/containers/buildah/issues/3053
+no_subids=50000
+
+echo "${username}:${subuids_start}:${no_subids}" | tee /etc/subuid
+echo "${username}:${subgids_start}:${no_subids}" | tee /etc/subgid
 
 # set -x
 # tail -n +1 /etc/sub{u,g}id

buildah/Dockerfile

@@ -3,39 +3,27 @@ FROM $BASE_IMG AS buildah-runner
 
 USER root
 
-# Some complex config is required to allow buildah to run in a nonprivileged container.
 # https://github.com/containers/buildah/blob/master/docs/tutorials/05-openshift-rootless-bud.md
 # https://github.com/containers/buildah/blob/master/contrib/buildahimage/stable/Dockerfile
 # https://github.com/containers/buildah/issues/1011
+# https://github.com/containers/buildah/issues/3053
 
-RUN dnf -y install shadow-utils xz slirp4netns buildah podman fuse-overlayfs --exclude container-selinux && \
+RUN dnf -y install  xz slirp4netns buildah podman fuse-overlayfs --exclude container-selinux && \
+    dnf -y reinstall shadow-utils && \
     dnf clean all
 
 ENV BUILDAH_ISOLATION=chroot
 
 ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahimage/stable/containers.conf /etc/containers/
 
-# ADD https://raw.githubusercontent.com/containers/buildah/master/contrib/buildahimage/stable/containers.conf /etc/containers/
 RUN chgrp -R 0 /etc/containers/ && \
     chmod -R a+r /etc/containers/ && \
     chmod -R g+w /etc/containers/
-    # echo "user.max_user_namespaces=65536" > /etc/sysctl.d/userns.conf && \
-    # prevents errors from failing to log using systemd https://github.com/containers/podman/issues/4325#issuecomment-570650857
-    # See https://github.com/containers/common/blob/master/docs/containers.conf.5.md for valid configurations
-    # printf '[engine]\nevents_logger = "file"\n' >> /etc/containers/containers.conf
-    # printf 'events_logger = "file"\n' >> /etc/containers/containers.conf
-
-# Adjust storage.conf to enable Fuse storage.
-RUN chmod 644 /etc/containers/containers.conf; sed -i -e 's|^#mount_program|mount_program|g' -e '/additionalimage.*/a "/var/lib/shared",' -e 's|^mountopt[[:space:]]*=.*$|mountopt = "nodev,fsync=0"|g' /etc/containers/storage.conf
-RUN mkdir -p /var/lib/shared/overlay-images /var/lib/shared/overlay-layers /var/lib/shared/vfs-images /var/lib/shared/vfs-layers; touch /var/lib/shared/overlay-images/images.lock; touch /var/lib/shared/overlay-layers/layers.lock; touch /var/lib/shared/vfs-images/images.lock; touch /var/lib/shared/vfs-layers/layers.lock
 
 # Use VFS since fuse does not work
 # https://github.com/containers/buildah/blob/master/vendor/github.com/containers/storage/storage.conf
 RUN mkdir -vp /home/${USERNAME}/.config/containers && \
     printf '[storage]\ndriver = "vfs"\n' > /home/${USERNAME}/.config/containers/storage.conf && \
     chown -Rv ${USERNAME} /home/${USERNAME}/.config/
 
-RUN printf "${USERNAME}:2000:50000\n" > /etc/subuid
-RUN printf "${USERNAME}:2000:50000\n" > /etc/subgid
-
 USER $UID