use setpriv instead of gosu #402

wants to merge 6 commits into
base: master
86 changes: 4 additions & 82 deletions Dockerfile.template
Expand Up @@ -22,99 +22,21 @@ RUN set -eux; \
apk add --no-cache \
# add tzdata for https://github.com/docker-library/redis/issues/138
tzdata \
# add setpriv for step down from root.
setpriv \
;
{{ ) else ( -}}
RUN set -eux; \
apt-get update; \
apt-get install -y --no-install-recommends \
# add tzdata explicitly for https://github.com/docker-library/redis/issues/138 (see also https://bugs.debian.org/837060 and related)
tzdata \
# add util-linux for setpriv for step down from root.
util-linux \
; \
rm -rf /var/lib/apt/lists/*
{{ ) end -}}

# grab gosu for easy step-down from root
# https://github.com/tianon/gosu/releases
ENV GOSU_VERSION {{ .gosu.version }}
RUN set -eux; \
{{ if env.variant == "alpine" then ( -}}
apk add --no-cache --virtual .gosu-fetch gnupg; \
arch="$(apk --print-arch)"; \
{{ ) else ( -}}
savedAptMark="$(apt-mark showmanual)"; \
apt-get update; \
apt-get install -y --no-install-recommends ca-certificates gnupg wget; \
rm -rf /var/lib/apt/lists/*; \
arch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
{{ ) end -}}
case "$arch" in \
{{
[
.gosu.arches
| to_entries[]
| (
if env.variant == "alpine" then
{
# https://dl-cdn.alpinelinux.org/alpine/edge/main/
# https://dl-cdn.alpinelinux.org/alpine/latest-stable/main/
amd64: "x86_64",
arm32v6: "armhf",
arm32v7: "armv7",
arm64v8: "aarch64",
i386: "x86",
ppc64le: "ppc64le",
riscv64: "riscv64",
s390x: "s390x",
}
else
{
# https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/data/cputable
# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
# http://deb.debian.org/debian/dists/unstable/main/
# http://deb.debian.org/debian/dists/stable/main/
# https://deb.debian.org/debian-ports/dists/unstable/main/
amd64: "amd64",
arm32v5: "armel",
arm32v7: "armhf",
arm64v8: "arm64",
i386: "i386",
mips64le: "mips64el",
ppc64le: "ppc64el",
riscv64: "riscv64",
s390x: "s390x",
}
end
)[.key] as $arch
| select($arch)
| .value
| (
-}}
{{ $arch | @sh }}) url={{ .url | @sh }}; sha256={{ .sha256 | @sh }} ;; \
{{
)
] | add
-}}
*) echo >&2 "error: unsupported gosu architecture: '$arch'"; exit 1 ;; \
esac; \
wget -O /usr/local/bin/gosu.asc "$url.asc"; \
wget -O /usr/local/bin/gosu "$url"; \
echo "$sha256 */usr/local/bin/gosu" | sha256sum -c -; \
export GNUPGHOME="$(mktemp -d)"; \
gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
gpgconf --kill all; \
rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
{{ if env.variant == "alpine" then ( -}}
apk del --no-network .gosu-fetch; \
{{ ) else ( -}}
apt-mark auto '.*' > /dev/null; \
[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
{{ ) end -}}
chmod +x /usr/local/bin/gosu; \
gosu --version; \
gosu nobody true

ENV REDIS_VERSION {{ .version }}
ENV REDIS_DOWNLOAD_URL {{ .url }}
ENV REDIS_DOWNLOAD_SHA {{ .sha256 // error("no sha256 for \(.version) (\(env.version))") }}
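Review bot: The removed block ended with `gosu --version; gosu nobody true`, a build-time check that the step-down helper really works, and the new install lines (`setpriv \` in the apk branch, `util-linux \` in the apt branch) have no equivalent, so a missing or busybox-only binary would only surface when a container first starts as root. Since docker-entrypoint.sh invokes `/usr/bin/setpriv` by absolute path, a check against that exact path after each install, e.g. `/usr/bin/setpriv --version`, would restore the guarantee cheaply. A real drop like the old `gosu nobody true` is possible too, but the unprivileged group is named `nobody` on Alpine and `nogroup` on Debian, so it would need a numeric gid or a per-variant branch. On the Debian side `util-linux` is, as far as I know, already part of the base image, which is fine but worth stating in the comment so nobody later removes the line thinking it is unused: `# util-linux (already in the base image) provides /usr/bin/setpriv, used by docker-entrypoint.sh to step down from root`.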
3 changes: 2 additions & 1 deletion docker-entrypoint.sh
Expand Up @@ -10,7 +10,8 @@ fi
# allow the container to be started with `--user`
if [ "$1" = 'redis-server' -a "$(id -u)" = '0' ]; then
find . \! -user redis -exec chown redis '{}' +
exec gosu redis "$0" "$@"
# setpriv is builtin in busybox so invoke as /usr/bin/setpriv
exec /usr/bin/setpriv --reuid=redis -- "$0" "$@"
fi

# set an appropriate umask (if one isn't set already)
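Review bot: The privilege drop on the new `exec /usr/bin/setpriv --reuid=redis -- "$0" "$@"` line is incomplete: `--reuid` only changes the user id, so redis-server keeps gid 0 and root's supplementary groups, whereas the removed `gosu redis` also switched the primary group and initialised supplementary groups from the user database. The `find … -exec chown redis` above it only changes file ownership to the redis user, so the data directory keeps working either way, but the server would still hold group-root access to anything group-writable elsewhere in the image, which is the kind of partial step-down that is easy to miss because `id -u` looks right. The equivalent of the old call is `exec /usr/bin/setpriv --reuid=redis --regid=redis --init-groups -- "$0" "$@"`. The comment above it could also spell out why the absolute path matters, e.g. `# call util-linux setpriv by absolute path: on Alpine the bare name may resolve to the busybox applet, which does not take the same options`.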
4 changes: 2 additions & 2 deletions generate-stackbrew-library.sh
Expand Up @@ -110,15 +110,15 @@ for version; do
suiteAliases=( "${suiteAliases[@]//latest-/}" )
variantAliases+=( "${suiteAliases[@]}" )

# calculate the intersection of parent image arches and gosu arches
# calculate the intersection of parent image arches
arches="$(jq -r --arg arches "$arches" '
(
$arches
| gsub("^[[:space:]]+|[[:space:]]+$"; "")
| split("[[:space:]]+"; "")
) as $parentArches
| .[env.version]
| $parentArches - ($parentArches - (.gosu.arches | keys))
| $parentArches
| join(", ")
' versions.json)"

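Review bot: After this change the jq program in `arches="$(jq -r --arg arches "$arches" '…' versions.json)"` no longer uses versions.json at all: `.[env.version]` is still piped into `$parentArches`, which ignores its input, so the lookup is dead code and the result is just `$arches` trimmed and re-joined with ", ". Dropping the `| .[env.version]` line makes that intent visible; if the jq wrapper is kept only for the whitespace normalisation, a comment saying so would stop the next reader from looking for a JSON dependency that is not there. Note the side effect too: before the change a version missing from versions.json would have made `keys` fail on null here, whereas now it passes silently, so that check presumably needs to live elsewhere if it still matters. The enclosing `for version; do` loop starts outside the hunk.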
66 changes: 0 additions & 66 deletions versions.sh
Expand Up @@ -16,71 +16,6 @@ debian="$(
[ "$(wc -l <<<"$debian")" = 1 ]
export debian

gosus="$(
git ls-remote --tags https://github.com/tianon/gosu.git \
| cut -d/ -f3- \
| cut -d^ -f1 \
| grep -E '^[0-9]+' \
| sort -urV
)"
gosu=
for possible in $gosus; do
urlBase="https://github.com/tianon/gosu/releases/download/$possible"
if shas="$(wget -qO- "$urlBase/SHA256SUMS")" && [ -n "$shas" ]; then
gosu="$(jq <<<"$shas" -csR --arg version "$possible" --arg urlBase "$urlBase" '{
version: $version,
arches: (
rtrimstr("\n")
| split("\n")
| map(
# this capture will naturally ignore the ".asc" file checksums
capture(
[
"^(?<sha256>[0-9a-f]{64})",
"( | [*])",
"(?<file>",
"gosu-",
"(?<dpkgArch>[^_. -]+)",
")$"
] | join("")
)
| {
(
# convert dpkg arch into bashbrew arch
{
# https://salsa.debian.org/dpkg-team/dpkg/-/blob/main/data/cputable
# https://wiki.debian.org/ArchitectureSpecificsMemo#Architecture_baselines
# http://deb.debian.org/debian/dists/unstable/main/
# http://deb.debian.org/debian/dists/stable/main/
# https://deb.debian.org/debian-ports/dists/unstable/main/
amd64: "amd64",
armel: "arm32v5",
armhf: "arm32v6", # https://github.com/tianon/gosu/blob/2dada3bb5dfbc1e7162a29907691b6f45995d54e/Dockerfile#L52-L53
arm64: "arm64v8",
i386: "i386",
mips64el: "mips64le",
ppc64el: "ppc64le",
riscv64: "riscv64",
s390x: "s390x",
}[.dpkgArch] // empty
): {
url: ($urlBase + "/" + .file),
sha256: .sha256,
},
}
)
| add
| if has("arm32v6") and (has("arm32v7") | not) then
.arm32v7 = .arm32v6
else . end
),
}')"
break
fi
done
[ -n "$gosu" ]
export gosu

cd "$(dirname "$(readlink -f "$BASH_SOURCE")")"

versions=( "$@" )
Expand Down Expand Up @@ -147,7 +82,6 @@ for version in "${versions[@]}"; do
.[env.version] = ($doc + {
debian: { version: env.debian },
alpine: { version: env.alpine },
gosu: (env.gosu | fromjson),
})
')"
done