ci: Run the jobs as an unprivileged non-root user
Docker/OCI, and thus gitlab-runner, default to a root user inside the namespace, even if it's an unprivileged one. This can cause issues and let permission bugs sneak in, as we are functionally root when running the build. Switch the build jobs to run with our new "containeruser" so we avoid much of it. Our user is still in the wheel/sudo group, but that's fine as long as we don't elevate the privileges unintentionally. Notably, for the time being, we will need to chown the CI_PROJECT_DIR checkout, as the gitlab runner might try to reuse pre-existing and cached volumes of the project checkout. Additionally we need to change the ccache path, so we avoid the existing cache owned by "root". Close https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2433 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8763>
parent
fafd2bc844
commit
d4b7066060
@ -1,10 +1,9 @@
|
||||
include:
|
||||
- project: 'freedesktop/ci-templates'
|
||||
ref: "3826695f80807d8a4d999f6b6efb3d405d708db9"
|
||||
file: '/templates/fedora.yml'
|
||||
- project: 'freedesktop/ci-templates'
|
||||
ref: "3826695f80807d8a4d999f6b6efb3d405d708db9"
|
||||
file: '/templates/debian.yml'
|
||||
ref: "1a1fb9ebb233afded69c3dbde51fc58e6d706509"
|
||||
file:
|
||||
- '/templates/debian.yml'
|
||||
- '/templates/fedora.yml'
|
||||
###
|
||||
# IMPORTANT
|
||||
# These are the version tags for the docker images the CI runs against.
|
||||
@ -140,7 +139,8 @@ trigger:
|
||||
|
||||
.fedora image:
|
||||
variables:
|
||||
CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache/'
|
||||
FDO_USER: 'containeruser'
|
||||
CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache_fedora_containeruser/'
|
||||
FDO_DISTRIBUTION_VERSION: '40'
|
||||
FDO_REPO_SUFFIX: "$FEDORA_AMD64_SUFFIX"
|
||||
FDO_DISTRIBUTION_TAG: "$FEDORA_TAG-$GST_UPSTREAM_BRANCH"
|
||||
@ -148,6 +148,7 @@ trigger:
|
||||
|
||||
.fedora fluster image:
|
||||
variables:
|
||||
FDO_USER: 'containeruser'
|
||||
CCACHE_DIR: !reference [".fedora image", "variables", CCACHE_DIR]
|
||||
FDO_DISTRIBUTION_VERSION: !reference [".fedora image", "variables", FDO_DISTRIBUTION_VERSION]
|
||||
FDO_REPO_SUFFIX: !reference [".fedora image", "variables", FDO_REPO_SUFFIX]
|
||||
@ -193,7 +194,8 @@ fedora amd64 toolbox:
|
||||
|
||||
.debian image:
|
||||
variables:
|
||||
CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache_debian/'
|
||||
CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache_debian_containeruser/'
|
||||
FDO_USER: 'containeruser'
|
||||
FDO_BASE_IMAGE: "quay.io/toolbx-images/debian-toolbox:12"
|
||||
FDO_DISTRIBUTION_VERSION: '12'
|
||||
FDO_REPO_SUFFIX: "$DEBIAN_AMD64_SUFFIX"
|
||||
@ -294,8 +296,8 @@ pre-commit checks:
|
||||
GIT_DEPTH: 100
|
||||
PRE_COMMIT_HOME: '/cache/${CI_PROJECT_NAMESPACE}/pre-commit'
|
||||
RUSTUP_HOME: '/usr/local/rustup'
|
||||
before_script:
|
||||
git config --global --add safe.directory $CI_PROJECT_DIR
|
||||
before_script:
|
||||
- git config --global --add safe.directory $CI_PROJECT_DIR
|
||||
script:
|
||||
- export PATH="/usr/local/cargo/bin:$PATH"
|
||||
- echo $CI_MERGE_REQUEST_DIFF_BASE_SHA
|
||||
|
@ -5,11 +5,11 @@ variables:
|
||||
# If you are hacking on them or need a them to rebuild, its enough
|
||||
# to change any part of the string of the image you want.
|
||||
###
|
||||
FEDORA_TAG: '2025-06-30.0'
|
||||
FEDORA_TAG: '2025-07-01.0'
|
||||
|
||||
DEBIAN_TAG: '2025-06-30.0'
|
||||
DEBIAN_TAG: '2025-07-01.0'
|
||||
|
||||
CHECKS_TAG: '2025-02-04.0'
|
||||
CHECKS_TAG: '2025-05-24.0'
|
||||
|
||||
ABI_CHECK_TAG: '2025-06-26.0'
|
||||
|
||||
|
@ -2,12 +2,13 @@
|
||||
|
||||
set -eux
|
||||
|
||||
apt update -y && apt full-upgrade -y
|
||||
apt install -y $(<./ci/docker/debian/deps.txt)
|
||||
sudo apt update -y && sudo apt full-upgrade -y
|
||||
sudo apt install -y $(<./ci/docker/debian/deps.txt)
|
||||
|
||||
apt remove -y rustc cargo
|
||||
# These get pulled by other deps
|
||||
sudo apt remove -y rustc cargo
|
||||
|
||||
bash ./ci/scripts/create-pip-config.sh
|
||||
pip3 install --break-system-packages meson==1.7.2 hotdoc python-gitlab tomli junitparser
|
||||
sudo bash ./ci/scripts/create-pip-config.sh
|
||||
sudo pip3 install --break-system-packages meson==1.7.2 hotdoc python-gitlab tomli junitparser
|
||||
|
||||
apt clean all
|
||||
sudo apt clean all
|
||||
|
@ -2,19 +2,21 @@
|
||||
|
||||
set -eux
|
||||
|
||||
apt update && apt install -y sudo passwd
|
||||
bash ./ci/scripts/create-container-user.sh
|
||||
bash ./ci/scripts/create-ci-identifier.sh
|
||||
|
||||
bash ./ci/docker/debian/install-deps.sh
|
||||
|
||||
bash ./ci/scripts/install-rust.sh
|
||||
sudo -u containeruser bash ./ci/docker/debian/install-deps.sh
|
||||
sudo -u containeruser bash ./ci/scripts/install-rust.sh
|
||||
|
||||
# Configure git for various usage
|
||||
git config --global user.email "gstreamer@gstreamer.net"
|
||||
git config --global user.name "Gstbuild Runner"
|
||||
sudo -u containeruser git config --global user.email "gstreamer@gstreamer.net"
|
||||
sudo -u containeruser git config --global user.name "Gstbuild Runner"
|
||||
# /tmp/clone is where ci-templates cbuild clones the checkout
|
||||
sudo -u containeruser git config --global --add safe.directory /tmp/clone
|
||||
|
||||
bash ./ci/scripts/create-container-user.sh
|
||||
|
||||
bash ./ci/scripts/create-subprojects-cache.sh
|
||||
sudo -u containeruser bash ./ci/scripts/create-subprojects-cache.sh
|
||||
|
||||
# leftover caches
|
||||
rm -rf /root/.cache /root/.npm
|
||||
sudo rm -rf /root/
|
||||
sudo rm -rf /home/containeruser/.cache /home/containeruser/.npm
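Review bot: The new `sudo -u containeruser bash ./ci/docker/debian/install-deps.sh` and `sudo -u containeruser bash ./ci/scripts/install-rust.sh` lines only work because those scripts now call `sudo apt` / `sudo pip3` non-interactively, which presumes create-container-user.sh (moved above them, not shown here) grants containeruser passwordless sudo; nothing in this file records that ordering requirement. Add a comment above the first `sudo -u containeruser` line such as `# create-container-user.sh must run first: install-deps.sh and install-rust.sh run as containeruser and rely on its passwordless sudo for the apt/pip steps`. Separately, `sudo rm -rf /root/` removes root's whole home directory rather than the caches the `# leftover caches` comment describes; if only the caches are meant, keep the narrower `sudo rm -rf /root/.cache /root/.npm`, otherwise reword the comment so the deliberate removal of `/root` is obvious to the next reader.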
|
||||
|
@ -4,33 +4,33 @@ set -eux
|
||||
|
||||
# Fedora base image disable installing documentation files. See https://pagure.io/atomic-wg/issue/308
|
||||
# We need them to cleanly build our doc.
|
||||
sed -i '/tsflags=nodocs/d' /etc/dnf/dnf.conf
|
||||
dnf -y swap coreutils-single coreutils-full
|
||||
dnf -y swap glibc-minimal-langpack glibc-all-langpacks
|
||||
sudo sed -i '/tsflags=nodocs/d' /etc/dnf/dnf.conf
|
||||
sudo dnf -y swap coreutils-single coreutils-full
|
||||
sudo dnf -y swap glibc-minimal-langpack glibc-all-langpacks
|
||||
|
||||
# Add rpm fusion repositories in order to access all of the gst plugins
|
||||
dnf install -y \
|
||||
sudo dnf install -y \
|
||||
"https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm" \
|
||||
"https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
|
||||
|
||||
# Enable the debuginfo repos so -debug packages are kept in sync
|
||||
dnf install -y dnf-plugins-core
|
||||
dnf config-manager --set-enabled '*-debuginfo'
|
||||
sudo dnf install -y dnf-plugins-core
|
||||
sudo dnf config-manager --set-enabled '*-debuginfo'
|
||||
|
||||
dnf upgrade -y && dnf distro-sync -y
|
||||
sudo dnf upgrade -y && sudo dnf distro-sync -y
|
||||
|
||||
# Install the dependencies of gstreamer
|
||||
dnf install --setopt=install_weak_deps=false -y $(<./ci/docker/fedora/deps.txt)
|
||||
sudo dnf install --setopt=install_weak_deps=false -y $(<./ci/docker/fedora/deps.txt)
|
||||
|
||||
# Install devhelp files for hotdoc
|
||||
dnf install -y glib2-doc gdk-pixbuf2-devel gtk3-devel-docs gtk4-devel-docs libsoup-doc
|
||||
sudo dnf install -y glib2-doc gdk-pixbuf2-devel gtk3-devel-docs gtk4-devel-docs libsoup-doc
|
||||
|
||||
# Make sure we don't end up installing these from some transient dependency
|
||||
dnf remove -y "gstreamer1*-devel" rust cargo meson 'fdk-aac-free*'
|
||||
sudo dnf remove -y "gstreamer1*-devel" rust cargo meson 'fdk-aac-free*'
|
||||
|
||||
bash ./ci/scripts/create-pip-config.sh
|
||||
pip3 install meson==1.7.2 python-gitlab tomli junitparser bs4
|
||||
pip3 install git+https://github.com/hotdoc/hotdoc.git@8c1cc997f5bc16e068710a8a8121f79ac25cbcce
|
||||
sudo bash ./ci/scripts/create-pip-config.sh
|
||||
sudo pip3 install meson==1.7.2 python-gitlab tomli junitparser bs4
|
||||
sudo pip3 install git+https://github.com/hotdoc/hotdoc.git@8c1cc997f5bc16e068710a8a8121f79ac25cbcce
|
||||
|
||||
# Install most debug symbols, except the big ones from things we use
|
||||
debug_packages=$(rpm -qa | grep -v -i \
|
||||
@ -97,9 +97,9 @@ debug_packages=$(rpm -qa | grep -v -i \
|
||||
-e xerces \
|
||||
-e xorg \
|
||||
)
|
||||
dnf debuginfo-install -y --best --allowerasing --skip-broken $debug_packages
|
||||
sudo dnf debuginfo-install -y --best --allowerasing --skip-broken $debug_packages
|
||||
|
||||
echo "Removing DNF cache"
|
||||
dnf clean all
|
||||
sudo dnf clean all
|
||||
|
||||
rm -rf /var/cache/dnf /var/log/dnf*
|
||||
sudo rm -rf /var/cache/dnf /var/log/dnf*
|
||||
|
@ -2,19 +2,21 @@
|
||||
|
||||
set -eux
|
||||
|
||||
dnf update && dnf install -y sudo shadow-utils
|
||||
bash ./ci/scripts/create-ci-identifier.sh
|
||||
|
||||
bash ./ci/docker/fedora/install-deps.sh
|
||||
|
||||
# Configure git for various usage
|
||||
git config --global user.email "gstreamer@gstreamer.net"
|
||||
git config --global user.name "Gstbuild Runner"
|
||||
|
||||
bash ./ci/scripts/install-rust.sh
|
||||
|
||||
bash ./ci/scripts/create-container-user.sh
|
||||
|
||||
bash ./ci/scripts/create-subprojects-cache.sh
|
||||
sudo -u containeruser bash ./ci/docker/fedora/install-deps.sh
|
||||
sudo -u containeruser bash ./ci/scripts/install-rust.sh
|
||||
|
||||
# Configure git for various usage
|
||||
sudo -u containeruser git config --global user.email "gstreamer@gstreamer.net"
|
||||
sudo -u containeruser git config --global user.name "Gstbuild Runner"
|
||||
# /tmp/clone is where ci-templates cbuild clones the checkout
|
||||
sudo -u containeruser git config --global --add safe.directory /tmp/clone
|
||||
|
||||
sudo -u containeruser bash ./ci/scripts/create-subprojects-cache.sh
|
||||
|
||||
# leftover caches
|
||||
rm -rf /root/.cache /root/.npm
|
||||
sudo rm -rf /root/
|
||||
sudo rm -rf /home/containeruser/.cache /home/containeruser/.npm
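Review bot: `dnf update && dnf install -y sudo shadow-utils` runs `dnf update` without `-y`, so on a base image with pending updates dnf stops at its confirmation prompt (with non-interactive stdin it aborts) and `set -eux` fails the image build, while on an up-to-date image it is a no-op either way. install-deps.sh already runs `sudo dnf upgrade -y && sudo dnf distro-sync -y` a few steps later, so the update here is redundant: change the line to `dnf install -y sudo shadow-utils`, or at minimum `dnf update -y && dnf install -y sudo shadow-utils`. As in the Debian script, the `sudo -u containeruser` steps depend on create-container-user.sh (not shown) having granted passwordless sudo, which is worth a one-line comment above the first such call.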
|
||||
|
@ -5,16 +5,21 @@ set -eux
|
||||
sudo dnf install -y bc
|
||||
|
||||
# Install virtme-ng
|
||||
pushd /tmp/
|
||||
git clone https://github.com/arighi/virtme-ng.git
|
||||
pushd virtme-ng
|
||||
git fetch --tags
|
||||
git checkout v1.8
|
||||
./setup.py install --prefix=/usr
|
||||
sudo ./setup.py install --prefix=/usr
|
||||
popd
|
||||
popd
|
||||
|
||||
# Install fluster
|
||||
pushd /opt/
|
||||
git clone https://github.com/fluendo/fluster.git
|
||||
sudo mkdir ./fluster
|
||||
sudo chown containeruser:containeruser ./fluster/
|
||||
|
||||
git clone https://github.com/fluendo/fluster.git ./fluster
|
||||
pushd fluster
|
||||
git checkout 303a6edfda1701c8bc351909fb1173a0958810c2
|
||||
./fluster.py download
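Review bot: `sudo ./setup.py install --prefix=/usr` now executes, as root, a checkout of github.com/arighi/virtme-ng that is pinned only to the tag `v1.8`; tags are mutable, so a retagged or compromised upstream gets root during the image build, whereas fluster a few lines below is correctly pinned to a full commit hash. Record the commit that `v1.8` currently resolves to and check it out by hash, e.g. `git checkout <commit-of-v1.8>  # v1.8`, matching the fluster line. The pair `sudo mkdir ./fluster` / `sudo chown containeruser:containeruser ./fluster/` can be one step, `sudo install -d -o containeruser -g containeruser ./fluster`, which never leaves a root-owned directory behind if the script dies between the two commands.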
|
||||
|
@ -55,6 +55,8 @@ if [ -d linux ]; then
|
||||
git fetch --depth=1 $REPO $BRANCH_OR_TAG
|
||||
git checkout FETCH_HEAD
|
||||
else
|
||||
sudo mkdir ./linux
|
||||
sudo chown containeruser:containeruser ./linux
|
||||
git clone --depth=1 --branch=$BRANCH_OR_TAG $REPO linux
|
||||
pushd linux
|
||||
fi
|
||||
@ -90,7 +92,9 @@ make -j8 WERROR=0
|
||||
popd
|
||||
|
||||
TARGET_DIR="$(dirname "$IMAGE")"
|
||||
mkdir -p "$TARGET_DIR"
|
||||
sudo mkdir -p "$TARGET_DIR"
|
||||
sudo chown containeruser:containeruser --recursive "$TARGET_DIR"
|
||||
|
||||
mv linux/arch/$SUBARCH/boot/bzImage "$IMAGE"
|
||||
mv linux/.config $TARGET_DIR/.config
|
||||
rm -rf linux
|
||||
sudo rm -rf linux
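Review bot: `sudo chown containeruser:containeruser --recursive "$TARGET_DIR"` hands containeruser every file beneath `$(dirname "$IMAGE")`; `$IMAGE` is set outside this hunk, and if it ever points into a shallow or shared prefix such as `/opt` or `/usr/local` the recursive chown silently takes over unrelated root-owned files. Creating the directory already owned by the user avoids the recursion: `sudo install -d -o containeruser -g containeruser "$TARGET_DIR"`, after which the two `mv` lines only need write access to that one directory. `sudo rm -rf linux` also no longer needs elevation once the clone lives in a containeruser-owned directory (the earlier hunk in this file chowns `./linux` to containeruser), unless a reused checkout from the `if [ -d linux ]` branch is still root-owned; if that case is real, say so in a comment, otherwise plain `rm -rf linux` keeps a root-level `rm -rf` of a relative path out of the script.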
|
||||
|
@ -95,12 +95,12 @@ build_container() {
|
||||
# glib2
|
||||
# )
|
||||
|
||||
buildah run $build_cntr dnf install -y "${extra_packages[@]}"
|
||||
buildah run $build_cntr dnf install -y "${our_extra_packages[@]}"
|
||||
buildah run $build_cntr sudo dnf install -y "${extra_packages[@]}"
|
||||
buildah run $build_cntr sudo dnf install -y "${our_extra_packages[@]}"
|
||||
# buildah run $build_cntr dnf debuginfo-install -y "${debug_packages[@]}"
|
||||
|
||||
buildah run $build_cntr dnf clean all
|
||||
buildah run $build_cntr rm -rf /var/lib/cache/dnf
|
||||
buildah run $build_cntr sudo dnf clean all
|
||||
buildah run $build_cntr sudo rm -rf /var/lib/cache/dnf
|
||||
|
||||
buildah config \
|
||||
--env RUSTUP_HOME="/usr/local/rustup" \
|
||||
@ -108,15 +108,10 @@ build_container() {
|
||||
--env PATH="$PATH:/usr/local/cargo/bin/" \
|
||||
$build_cntr
|
||||
|
||||
# Install rust-analyzer so it can be used with IDEs and devcontainer
|
||||
buildah run $build_cntr rustup component add rust-analyzer rust-src
|
||||
|
||||
# Remove the hardcoded HOME env var that ci-templates adds
|
||||
# https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2433#note_2243222
|
||||
# Also add the OCI labels that toolbox expects, to advertize that image is compatible
|
||||
# Additionally add a non-root default user
|
||||
# Also add the OCI labels that toolbox expects, to advertize that the image is compatible
|
||||
buildah config --env HOME- \
|
||||
--user containeruser \
|
||||
--label com.github.containers.toolbox=true \
|
||||
--label org.opencontainers.image.base.name=$BASE_CI_IMAGE \
|
||||
$build_cntr
|
||||
|
@ -4,13 +4,15 @@ set -eux
|
||||
|
||||
# Avoid the cache being owned by root
|
||||
# and make sure its readable to anyone
|
||||
chown containeruser:containeruser --recursive /var/cache/subprojects/
|
||||
chmod --recursive a+r /var/cache/subprojects/
|
||||
sudo mkdir -p /var/cache/subprojects/
|
||||
sudo chown containeruser:containeruser --recursive /var/cache/subprojects/
|
||||
sudo chmod --recursive a+r /var/cache/subprojects/
|
||||
|
||||
# Path where cbuild checks out the repo
|
||||
cd /tmp/clone/
|
||||
sudo chmod --recursive a+r /tmp/clone
|
||||
sudo chown containeruser:containeruser --recursive /tmp/clone
|
||||
# get gstreamer and make all subprojects available
|
||||
git submodule update --init --depth=1
|
||||
meson subprojects download
|
||||
./ci/scripts/handle-subprojects-cache.py --build --cache-dir /var/cache/subprojects/ /tmp/clone/subprojects/
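Review bot: `sudo chmod --recursive a+r /var/cache/subprojects/` and `sudo chmod --recursive a+r /tmp/clone` add only the read bit, but a directory without the execute bit cannot be entered by other users, so "readable to anyone" holds only if every directory already carries `o+x` (true under a 022 umask, not guaranteed otherwise). The usual idiom is `a+rX`, which adds execute on directories and already-executable files only: `sudo chmod --recursive a+rX /var/cache/subprojects/` and likewise for `/tmp/clone`. Since `/tmp/clone` is then chowned to containeruser anyway, the `a+r` there only matters if some other user later reads the checkout; if that is not the case the chmod can be dropped. `cd /tmp/clone/` running before the chmod/chown of the same path is harmless but reads more naturally after them.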
|
||||
|
||||
|
@ -8,18 +8,20 @@ RUST_VERSION=1.88.0
|
||||
RUST_ARCH="x86_64-unknown-linux-gnu"
|
||||
|
||||
RUSTUP_URL=https://static.rust-lang.org/rustup/archive/$RUSTUP_VERSION/$RUST_ARCH/rustup-init
|
||||
curl -o rustup-init $RUSTUP_URL
|
||||
curl -o /tmp/rustup-init $RUSTUP_URL
|
||||
|
||||
export RUSTUP_HOME="/usr/local/rustup"
|
||||
export CARGO_HOME="/usr/local/cargo"
|
||||
export PATH="/usr/local/cargo/bin:$PATH"
|
||||
|
||||
chmod +x rustup-init;
|
||||
./rustup-init -y --no-modify-path --default-toolchain $RUST_VERSION;
|
||||
rm rustup-init;
|
||||
chmod +x /tmp/rustup-init;
|
||||
sudo --preserve-env=RUSTUP_HOME,CARGO_HOME,PATH /tmp/rustup-init -y --no-modify-path --default-toolchain $RUST_VERSION;
|
||||
rm /tmp/rustup-init;
|
||||
|
||||
# We are root while creating the directory, but we want it to
|
||||
# be accessible to all users
|
||||
chmod -R a+w $RUSTUP_HOME $CARGO_HOME
|
||||
sudo mkdir -p $RUSTUP_HOME $CARGO_HOME
|
||||
sudo chmod -R a+w $RUSTUP_HOME $CARGO_HOME
|
||||
|
||||
cargo install --locked cargo-c --version 0.10.14+cargo-0.89.0
|
||||
# We don't need them in the build image and they occupy
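Review bot: `curl -o /tmp/rustup-init $RUSTUP_URL` without `--fail` saves an HTTP error page on a 404 or mirror outage, and the next lines then `chmod +x` it and execute it under `sudo --preserve-env=...` as root, with no integrity check of the binary at any point. Because `sudo install -d -o containeruser -g containeruser "$RUSTUP_HOME" "$CARGO_HOME"` can create the prefixes up front, rustup-init does not need root at all and can run as containeruser; the `sudo mkdir -p $RUSTUP_HOME $CARGO_HOME` currently placed after rustup-init is a no-op by then and looks like it was meant to come first. Pin the expected digest next to `RUSTUP_VERSION` (a same-origin `.sha256` only catches truncation) and verify before executing, as sketched below. Keep the `chmod -R a+w` only if toolbox users with other UIDs really must write into the toolchain, and say so in the comment, since it makes the compiler world-writable; the `--proto '=https' --tlsv1.2` flags forbid protocol downgrades on the download.
```shell
# Pre-create user-owned prefixes so rustup-init can run unprivileged.
sudo install -d -o containeruser -g containeruser "$RUSTUP_HOME" "$CARGO_HOME"

# --fail: never save an HTTP error body; --proto/--tlsv1.2: no downgrade.
curl --fail --silent --show-error --location --proto '=https' --tlsv1.2 \
  -o /tmp/rustup-init "$RUSTUP_URL"
# RUSTUP_INIT_SHA256 is pinned alongside RUSTUP_VERSION at the top of the script.
echo "${RUSTUP_INIT_SHA256}  /tmp/rustup-init" | sha256sum --check --strict
chmod +x /tmp/rustup-init
/tmp/rustup-init -y --no-modify-path --default-toolchain "$RUST_VERSION"
rm /tmp/rustup-init
# … unchanged: cargo install cargo-c …
```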
|
||||
|
@ -36,9 +36,32 @@ if [[ -e "$ci_image_info" ]]; then
|
||||
cargo cinstall --version
|
||||
fi
|
||||
|
||||
if [[ -e "$ci_image_info" ]]; then
|
||||
who="$(whoami)"
|
||||
# Assert we always use the epxected user in ci jobs
|
||||
if [[ $who != "containeruser" && -n "${CI:-}" ]]; then
|
||||
echo "Running as the wrong user in a CI job"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Chown the project directory to match the user we run against.
|
||||
# Sometimes, gitlab runners will reuse pre-existing checkouts from other jobs
|
||||
# which might not have been running as our contianeruser, and thus the files won't
|
||||
# have the expected owenership.
|
||||
# Always chown until we have cycled out all the cached volumes from the runners.
|
||||
if [[ -n "${CI:-}" ]]; then
|
||||
sudo chown containeruser:containeruser --recursive "${CI_PROJECT_DIR}"
|
||||
|
||||
# Make sure the directory exists
|
||||
sudo mkdir -p "${CCACHE_DIR}"
|
||||
sudo chown containeruser:containeruser --recursive "${CCACHE_DIR}"
|
||||
fi
|
||||
fi
|
||||
|
||||
# Only copy the cache over if the variable is set, which usually only happens on CI.
|
||||
if [ -n "$image_cache" ]; then
|
||||
date -R
|
||||
ci/scripts/handle-subprojects-cache.py --cache-dir "$image_cache" subprojects/
|
||||
date -R
|
||||
fi
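Review bot: `sudo mkdir -p "${CCACHE_DIR}"` and the following `sudo chown` run with whatever `CCACHE_DIR` holds; the variable is only set by the image templates changed elsewhere in this commit, so a job that does not inherit it gets `mkdir -p ""`, which fails with an unhelpful error (and aborts the job if the script runs under `set -e`, which this hunk does not show). Guard it with `: "${CCACHE_DIR:?CCACHE_DIR must be set in CI}"` before the mkdir. The `whoami` assertion is a good addition; printing the offending user makes its failure actionable, e.g. `echo "Running as the wrong user in a CI job: $who (expected containeruser)" >&2`. The comment block has typos (`epxected`, `contianeruser`, `owenership`) and the "Always chown until we have cycled out all the cached volumes" note would be easier to retire as a `# TODO(...)` with a concrete removal condition; `$ci_image_info` and `$image_cache` are presumably set earlier in the file, outside this hunk.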
|
||||
|
||||
|
@ -51,7 +51,7 @@ SCRIPT="\
|
||||
HALF_MEMORY="$(grep MemTotal /proc/meminfo | awk '{print $2}' | xargs -I {} echo "scale=0; 1+{}/1024^2/2" | bc)G"
|
||||
|
||||
echo Running tests in virtual machine ...
|
||||
virtme-run \
|
||||
sudo virtme-run \
|
||||
--memory=${HALF_MEMORY} \
|
||||
--rw \
|
||||
--pwd \
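Review bot: `sudo virtme-run` elevates the VM launcher to root, and sudo's default `env_reset` (with `secure_path`, as Fedora's packaged sudoers typically sets) drops the caller's environment, so anything the guest-side `SCRIPT` built above this hunk or virtme-run itself expects from the job — `PATH` with `/usr/local/cargo/bin`, `CI_*` variables, `CCACHE_DIR` — is no longer visible unless passed through explicitly. If any of those are needed, use `sudo --preserve-env=PATH,CCACHE_DIR virtme-run \`, mirroring the `--preserve-env` already used in install-rust.sh. Also add a one-line comment above the call stating why root is required here (device access, presumably `/dev/kvm`), so the elevation is not removed by accident now that the rest of the job runs unprivileged. The `virtme-run` argument list continues past the end of this hunk.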
|
||||
|