Don't include the uid/gid of the host user in the image

This way the image is usable by everybody, independantly of its ids.

With docker, we modify the builder user in the entrypoint to match the
uid:gid of the user launching the container, and then continue with
the builder user thanks to gosu.

With podman we use the `--userns` option to map the builder user to
the user on the system. I haven't found a way with podman to use the
same mechanism as in docker, and vis versa.

Signed-off-by: Gaëtan Lehmann <[email protected]>

Author: glehmann

src/xcp_ng_dev/build.sh

@@ -67,8 +67,6 @@ fi
 
 cd $(dirname "$0")
 
-CUSTOM_ARGS=()
-
 ALMA_VERSION=
 CENTOS_VERSION=
 case "$1" in
@@ -87,28 +85,8 @@ case "$1" in
         ;;
 esac
 
-CUSTOM_UID="$(id -u)"
-CUSTOM_GID="$(id -g)"
-
-if [ "${CUSTOM_UID}" -eq 0 ] || [ "${CUSTOM_GID}" -eq 0 ]; then
-  if [ -z "${SUDO_GID}" ] || [ -z "${SUDO_UID}" ] || [ -z "${SUDO_USER}" ] || \
-     [ -z "${SUDO_COMMAND}" ] || [ "${SUDO_GID}" -eq 0 ] || [ "${SUDO_UID}" -eq 0 ]; then
-    echo -e "[ERROR] This operation cannot be performed by the 'root' user directly:"
-    echo -e "\tplease use an unprivileged user (eventually with 'sudo')"
-    exit 1
-  fi
-  CUSTOM_UID="${SUDO_UID}"
-  CUSTOM_GID="${SUDO_GID}"
-fi
-
-# Support for seamless use of current host user
-# and Docker user "builder" inside the image
-CUSTOM_ARGS+=( "--build-arg" "CUSTOM_BUILDER_UID=${CUSTOM_UID}" )
-CUSTOM_ARGS+=( "--build-arg" "CUSTOM_BUILDER_GID=${CUSTOM_GID}" )
-
 "$RUNNER" build \
     --platform "$PLATFORM" \
-    "${CUSTOM_ARGS[@]}" \
     -t ghcr.io/xcp-ng/xcp-ng-build-env:${1} \
     --build-arg XCP_NG_BRANCH=${1} \
     --ulimit nofile=1024 \

src/xcp_ng_dev/cli.py

@@ -148,12 +148,18 @@ def container(args):
     branch = args.branch
     docker_arch = args.platform or ("linux/amd64/v2" if branch == "9.0" else "linux/amd64")
 
-    docker_args = [RUNNER, "run", "-i", "-t",
-                   "-u", "builder",
-                   "--platform", docker_arch,
-                   ]
+    docker_args = [RUNNER, "run", "-i", "-t", "--platform", docker_arch]
+
     if is_podman(RUNNER):
-        docker_args += ["--userns=keep-id", "--security-opt", "label=disable"]
+        # With podman we use the `--userns` option to map the builder user to
+        # the user on the system.
+        docker_args += [f"--userns=keep-id:uid=1000,gid=1000", "--security-opt", "label=disable"]
+    else:
+        # With docker, we modify the builder user in the entrypoint to match the
+        # uid:gid of the user launching the container, and then continue with
+        # the builder user thanks to gosu.
+        docker_args += ["-e", f'BUILDER_UID={os.getuid()}', "-e", f'BUILDER_GID={os.getgid()}']
+
     if args.rm:
         docker_args += ["--rm=true"]
 

src/xcp_ng_dev/files/Dockerfile-8.x

@@ -2,22 +2,19 @@ ARG     CENTOS_VERSION=7.5.1804
 
 FROM    centos:${CENTOS_VERSION}
 
-ARG     CUSTOM_BUILDER_UID=""
-ARG     CUSTOM_BUILDER_GID=""
-
 # Remove all repositories
 RUN     rm /etc/yum.repos.d/*
 
 # Add only the specific CentOS 7.5 repositories, because that's what XS used for the majority of packages
 ARG     CENTOS_VERSION
 COPY    files/CentOS-Vault.repo.in /etc/yum.repos.d/CentOS-Vault-7.5.repo
-RUN     sed -e "s/@CENTOS_VERSION@/${CENTOS_VERSION}/g" -i /etc/yum.repos.d/CentOS-Vault-7.5.repo
+RUN     sed -i -e "s/@CENTOS_VERSION@/${CENTOS_VERSION}/g" /etc/yum.repos.d/CentOS-Vault-7.5.repo
 
 # Add our repositories
 # Repository file depends on the target version of XCP-ng, and is pre-processed by build.sh
 ARG     XCP_NG_BRANCH=8.3
 COPY    files/xcp-ng.repo.8.x.in /etc/yum.repos.d/xcp-ng.repo
-RUN     sed -e "s/@XCP_NG_BRANCH@/${XCP_NG_BRANCH}/g" -i /etc/yum.repos.d/xcp-ng.repo
+RUN     sed -i -e "s/@XCP_NG_BRANCH@/${XCP_NG_BRANCH}/g" /etc/yum.repos.d/xcp-ng.repo
 
 # Install GPG key
 RUN     curl -sSf https://xcp-ng.org/RPM-GPG-KEY-xcpng -o /etc/pki/rpm-gpg/RPM-GPG-KEY-xcpng
@@ -58,23 +55,18 @@ RUN     yum clean all
 # OCaml in XS may be older than in CentOS
 RUN     sed -i "/gpgkey/a exclude=ocaml*" /etc/yum.repos.d/Cent* /etc/yum.repos.d/epel*
 
-# Set up the builder user
-RUN     bash -c ' \
-            OPTS=(); \
-            if [ -n "${CUSTOM_BUILDER_UID}" ]; then \
-                OPTS+=("-u" "${CUSTOM_BUILDER_UID}"); \
-            fi; \
-            if [ -n "${CUSTOM_BUILDER_GID}" ]; then \
-                OPTS+=("-g" "${CUSTOM_BUILDER_GID}"); \
-                if ! getent group "${CUSTOM_BUILDER_GID}" >/dev/null; then \
-                    groupadd -g "${CUSTOM_BUILDER_GID}" builder; \
-                fi; \
-            fi; \
-            useradd "${OPTS[@]}" builder; \
-        ' \
+# create the builder user
+RUN     groupadd -g 1000 builder \
+        && useradd -u 1000 -g 1000 builder \
         && echo "builder:builder" | chpasswd \
         && echo "builder ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
 
 RUN     mkdir -p /usr/local/bin
+RUN     curl -fsSL "https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64" -o /usr/local/bin/gosu \
+        && chmod +x /usr/local/bin/gosu
 COPY    files/init-container.sh /usr/local/bin/init-container.sh
-COPY    files/rpmmacros /home/builder/.rpmmacros
+COPY    files/entrypoint.sh /usr/local/bin/entrypoint.sh
+COPY    --chown=builder:builder files/rpmmacros /home/builder/.rpmmacros
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["bash"]

src/xcp_ng_dev/files/Dockerfile-9.x

@@ -1,8 +1,5 @@
 FROM    ghcr.io/almalinux/10-base:10.0
 
-ARG     CUSTOM_BUILDER_UID=""
-ARG     CUSTOM_BUILDER_GID=""
-
 # Add our repositories
 # temporary bootstrap repository
 COPY    files/xcp-ng-8.99.repo /etc/yum.repos.d/xcp-ng.repo
@@ -55,25 +52,19 @@ RUN     dnf config-manager --enable crb
 # workaround sudo not working (e.g. in podman 4.9.3 in Ubuntu 24.04)
 RUN     chmod 0400 /etc/shadow
 
-# Set up the builder user
-RUN     bash -c ' \
-            OPTS=(); \
-            if [ -n "${CUSTOM_BUILDER_UID}" ]; then \
-                OPTS+=("-u" "${CUSTOM_BUILDER_UID}"); \
-            fi; \
-            if [ -n "${CUSTOM_BUILDER_GID}" ]; then \
-                OPTS+=("-g" "${CUSTOM_BUILDER_GID}"); \
-                if ! getent group "${CUSTOM_BUILDER_GID}" >/dev/null; then \
-                    groupadd -g "${CUSTOM_BUILDER_GID}" builder; \
-                fi; \
-            fi; \
-            useradd "${OPTS[@]}" builder; \
-        ' \
+# create the builder user
+RUN     groupadd -g 1000 builder \
+        && useradd -u 1000 -g 1000 builder \
         && echo "builder:builder" | chpasswd \
         && echo "builder ALL=(ALL:ALL) NOPASSWD: ALL" >> /etc/sudoers
 
 RUN     mkdir -p /usr/local/bin
+RUN     curl -fsSL "https://github.com/tianon/gosu/releases/download/1.17/gosu-amd64" -o /usr/local/bin/gosu \
+        && chmod +x /usr/local/bin/gosu
 COPY    files/init-container.sh /usr/local/bin/init-container.sh
-
+COPY    files/entrypoint.sh /usr/local/bin/entrypoint.sh
 # FIXME: check it we really need any of this
-# COPY    files/rpmmacros /home/builder/.rpmmacros
+# COPY    --chown=builder:builder files/rpmmacros /home/builder/.rpmmacros
+
+ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD ["bash"]

src/xcp_ng_dev/files/entrypoint.sh

@@ -0,0 +1,21 @@
+#!/usr/bin/env bash
+
+set -e
+if [ -n "${SCRIPT_DEBUG}" ]; then
+    set -x
+fi
+
+if [ "${BUILDER_UID}" ]; then
+    # BUILDER_UID is defined, update the builder ids, and continue with the builder user
+    if [ "${BUILDER_GID}" != "1000" ]; then
+        groupmod -g "${BUILDER_GID}" builder
+    fi
+    if [ "${BUILDER_UID}" != "1000" ]; then
+        usermod -u "${BUILDER_UID}" -g "${BUILDER_GID}" builder
+    fi
+    find ~builder -maxdepth 1 -type f | xargs chown builder:builder
+    exec /usr/local/bin/gosu builder "$@"
+else
+    # no BUILDER_ID, just continue as the current user
+    exec "$@"
+fi