
Commit d60cfe5

committed
create non-root users for containers
1 parent 9537e79 commit d60cfe5

6 files changed

Lines changed: 69 additions & 3 deletions


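--- a/src/bci_build/package/__init__.py
+++ b/src/bci_build/package/__init__.py
@@ -73,6 +73,14 @@ def __str__(self) -> str:
 return self.name
 
 
+@enum.unique
+class ParseVersion(enum.StrEnum):
+MAJOR = enum.auto()
+MINOR = enum.auto()
+PATCH = enum.auto()
+PATCH_UPDATE = enum.auto()
+OFFSET = enum.auto()
+
 @dataclass
 class StableUser:
 """Data class that stores information about stable user and group
@@ -87,7 +95,8 @@ class StableUser:
 group_name: str
 # id of the group
 group_id: int
-
+# boolean flag that checks if user needs to be created
+user_create: bool = False
 
 def _build_tag_prefix(os_version: OsVersion) -> str:
 if os_version == OsVersion.TUMBLEWEED: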
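Review bot: The comment on the new `user_create` field (`# boolean flag that checks if user needs to be created`) does not say what the flag changes; the templates in this same commit use it to choose between the `groupadd`/`useradd` path and the `chown`/`groupmod`/`usermod` path, so state that: `# True: user and group do not exist yet and the build creates them (groupadd/useradd); False: they were created by package installation and only get their ids changed`. The new `ParseVersion` enum has no docstring either; a one-line summary of what its members select is needed, since `PATCH_UPDATE` and `OFFSET` do not explain themselves. kubectl.py in this commit still imports a `ParseVersion` from `bci_build.util`, so this may now be a second definition of the same enum — worth confirming before both exist. The `StableUser` docstring begins inside the hunk but the class body continues outside it.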

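--- a/src/bci_build/package/git.py
+++ b/src/bci_build/package/git.py
@@ -4,6 +4,9 @@
 from bci_build.os_version import ALL_NONBASE_OS_VERSIONS
 from bci_build.os_version import CAN_BE_LATEST_OS_VERSION
 from bci_build.package import ApplicationStackContainer
+from bci_build.package import ParseVersion
+from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import format_version
@@ -42,10 +45,18 @@
 package_list=[
 "git-core",
 "openssh-clients",
+"shadow"
 ],
 build_stage_custom_end=generate_package_version_check(
 "git-core", git_version, ParseVersion.MINOR, use_target=True
 ),
+user_chown=StableUser(
+user_id=1000,
+user_name="git",
+group_id=1000,
+group_name="git",
+user_create=True
+),
 )
 for os_version in ALL_NONBASE_OS_VERSIONS
 ]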
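Review bot: The `StableUser(user_id=1000, user_name=..., group_id=1000, group_name=..., user_create=True)` literal is repeated with only the name changed in helm.py, kubectl.py and twice in samba.py; a small helper next to the dataclass, e.g. `def _stable_user(name: str) -> StableUser`, would keep the shared uid/gid 1000 in one place so the five copies cannot drift. Within this hunk `"shadow"` and `user_create=True` carry no trailing comma while helm.py writes `"shadow",`; pick one form across the commit. `Replacement` is added to the imports but no use of it is visible in these hunks, so I cannot tell from here whether it is needed.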

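--- a/src/bci_build/package/helm.py
+++ b/src/bci_build/package/helm.py
@@ -5,6 +5,9 @@
 from bci_build.os_version import ALL_NONBASE_OS_VERSIONS
 from bci_build.os_version import CAN_BE_LATEST_OS_VERSION
 from bci_build.package import ApplicationStackContainer
+from bci_build.package import ParseVersion
+from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import format_version
@@ -36,7 +39,15 @@
 package_list=[
 "ca-certificates-mozilla",
 "helm",
+"shadow",
 ],
+user_chown=StableUser(
+user_id=1000,
+user_name="helm",
+group_id=1000,
+group_name="helm",
+user_create=True
+),
 replacements_via_service=[
 Replacement(
 regex_in_build_description="%%helm_version%%",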
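Review bot: `"shadow"` is added to the package list only so that the template's `groupadd`/`useradd` can run at build time, but it then stays installed in the final image although nothing visible here needs it at run time. The shadow suite typically ships setuid helpers (`passwd`, `chsh` and friends) that the non-root container user can still execute, so removing it once the user exists would reduce the image's attack surface; the template already has a `packages_to_delete` hook, though I cannot see from these hunks whether `ApplicationStackContainer` exposes it. The same consideration applies to the `shadow` additions in git.py, kubectl.py and samba.py.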

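--- a/src/bci_build/package/kubectl.py
+++ b/src/bci_build/package/kubectl.py
@@ -5,6 +5,9 @@
 from bci_build.os_version import CAN_BE_LATEST_OS_VERSION
 from bci_build.os_version import OsVersion
 from bci_build.package import ApplicationStackContainer
+from bci_build.package import ParseVersion
+from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.replacement import Replacement
 from bci_build.util import ParseVersion
@@ -61,7 +64,14 @@ def _get_kubectl_stability_tag(version: str, os_version: OsVersion) -> str | Non
 parse_version=ParseVersion.PATCH,
 )
 ],
-package_list=[f"kubernetes{ver}-client"],
+package_list=[f"kubernetes{ver}-client", "shadow"],
+user_chown=StableUser(
+user_id=1000,
+user_name="kubectl",
+group_id=1000,
+group_name="kubectl",
+user_create=True
+),
 entrypoint=["kubectl"],
 license="Apache-2.0",
 support_level=SupportLevel.L3,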
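Review bot: The new `from bci_build.package import ParseVersion` and `from bci_build.package import Replacement` are immediately overwritten by the pre-existing `from bci_build.replacement import Replacement` and `from bci_build.util import ParseVersion` two lines below, so `ParseVersion.PATCH` in the second hunk still resolves to the `bci_build.util` class and the two new imports are dead (a linter will flag the redefinition). Keep one pair: either drop the two new lines, leaving only `from bci_build.package import StableUser`, or drop the old ones if `bci_build.package` is meant to become the single home of these names. If the two `ParseVersion` enums are not the same class, the choice changes which member set this file sees, which I cannot verify from these hunks.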

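--- a/src/bci_build/package/samba.py
+++ b/src/bci_build/package/samba.py
@@ -9,6 +9,9 @@
 from bci_build.package import DOCKERFILE_RUN
 from bci_build.package import ApplicationStackContainer
 from bci_build.package import OsVersion
+from bci_build.package import ParseVersion
+from bci_build.package import Replacement
+from bci_build.package import StableUser
 from bci_build.package.helpers import generate_from_image_tag
 from bci_build.package.helpers import generate_package_version_check
 from bci_build.package.versions import get_pkg_version
@@ -121,7 +124,15 @@
 license="GPL-3.0-or-later",
 package_list=[
 "samba-client",
+"shadow"
 ],
+user_chown=StableUser(
+user_id=1000,
+user_name="smbc",
+group_id=1000,
+group_name="smbc",
+user_create=True
+),
 )
 
 toolbox = ApplicationStackContainer(
@@ -149,9 +160,17 @@
 package_list=[
 "samba-client",
 "tdb-tools",
+"shadow",
 ]
 # FIXME: unavailable on SLES
 + (["samba-test"] if os_version.is_tumbleweed else []),
+user_chown=StableUser(
+user_id=1000,
+user_name="smbc",
+group_id=1000,
+group_name="smbc",
+user_create=True
+),
 )
 
 SAMBA_SERVER_CONTAINERS.append(srv)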
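Review bot: The identical `StableUser(user_id=1000, user_name="smbc", group_id=1000, group_name="smbc", user_create=True)` block appears twice in this file, once for the client container and once for `toolbox`; a module-level constant such as `_SMBC_USER = StableUser(...)` referenced by both would keep them from drifting apart. The two `package_list` additions are also written differently: `"shadow"` without a trailing comma in the first hunk, `"shadow",` in the second. Both enclosing container definitions start outside the hunks shown here.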

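--- a/src/bci_build/templates.py
+++ b/src/bci_build/templates.py
@@ -55,13 +55,19 @@
 {% endif -%} zypper -n {%- if image.from_target_image %} --installroot /target --gpg-auto-import-keys {%- endif %} install {% if image.no_recommends %}--no-recommends {% endif %}{{ image.packages }}{%- if image.packages_to_delete %}; \\
 zypper -n {%- if image.from_target_image %} --installroot /target {%- endif %} remove {{ image.packages_to_delete }}{%- endif %}
 {%- endif %}
-{%- if image.user_chown %}
+{%- if image.user_chown and not image.user_chown.user_create%}
 # changing user id and group id created by package installation to stable values
 {{ DOCKERFILE_RUN }} \\
 {% if image.from_target_image %}chroot /target {% endif %}chown -R --from={{ image.user_chown.user_name }}:{{ image.user_chown.group_name }} {{ image.user_chown.user_id }}:{{ image.user_chown.group_id }} /; \\
 groupmod {% if image.from_target_image %}-R /target {% endif %}-g {{ image.user_chown.group_id }} {{ image.user_chown.group_name }}; \\
 usermod {% if image.from_target_image %}-R /target {% endif %}-u {{ image.user_chown.user_id }} {{ image.user_chown.user_name }}
 {%- endif %}
+{%- if image.user_chown and image.user_chown.user_create%}
+# create the user and group with the given ids
+{{ DOCKERFILE_RUN }} \\
+groupadd {% if image.from_target_image %}-R /target {% endif %}-g {{ image.user_chown.group_id }} -r {{ image.user_chown.group_name }}; \\
+useradd {% if image.from_target_image %}-R /target {% endif %}-u {{ image.user_chown.user_id }} -g {{ image.user_chown.group_id }} -m -r -s /bin/bash {{ image.user_chown.user_name }}
+{%- endif %}
 {%- if image.build_stage_custom_end %}
 {{ image.build_stage_custom_end }}
 {%- endif %}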
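Review bot: In the new block `groupadd ...; \\` chains into `useradd` with `;`, so a failing `groupadd` (for example because the gid is already taken by another group in the base image) does not fail the `RUN`, and `useradd -g {{ image.user_chown.group_id }}` then silently attaches the user to whichever group owns that gid; use `&&` so the build stops: `groupadd {% if image.from_target_image %}-R /target {% endif %}-g {{ image.user_chown.group_id }} -r {{ image.user_chown.group_name }} && \\`. The pre-existing chown/groupmod/usermod block above it chains with `;` the same way and would benefit from the same change. Nothing in this hunk switches the image to the created user (no `USER` instruction is rendered here); if the commit title's intent is that the containers run as this user, that must come from a part of the template I cannot see. The two conditions `{%- if image.user_chown and not image.user_chown.user_create%}` and `{%- if image.user_chown and image.user_chown.user_create%}` are missing the space before `%}` and would read more clearly as one `{% if %}` / `{% else %}` pair.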
