ci: Run the jobs as an unprivileged non-root user

Docker/oci and thus gitlab-runner, default to a root user inside the namespace, even if its an unprivileged one. This can cause issues and let permission bugs sneak in, as we are functionally root when running the build. Switch the build jobs to run with our new "containeruser" so we avoid much of it. Our user is still in the wheel/sudo group but that's fine as long we don't elevate the privileges unintentionally. Noticeably for the time being, we will need to chown the CI_PROJECT_DIR checkout as the gitlab runner might try to reuse pre-existing and cached volumes of the project checkout. Additionally we need to change the ccache path, so we will avoid the existing cache owned by "root". Close https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2433 Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8763>
2025-03-31 14:07:22 +03:00 · 2025-03-31 14:07:22 +03:00 · d4b7066060
commit d4b7066060
parent fafd2bc844
13 changed files with 115 additions and 77 deletions
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@ -1,10 +1,9 @@
 include:
  - project: 'freedesktop/ci-templates'
-    ref: "3826695f80807d8a4d999f6b6efb3d405d708db9"
-    file: '/templates/fedora.yml'
-  - project: 'freedesktop/ci-templates'
-    ref: "3826695f80807d8a4d999f6b6efb3d405d708db9"
-    file: '/templates/debian.yml'
+    ref: "1a1fb9ebb233afded69c3dbde51fc58e6d706509"
+    file:
+      - '/templates/debian.yml'
+      - '/templates/fedora.yml'
  ###
  # IMPORTANT
  # These are the version tags for the docker images the CI runs against.
@ -140,7 +139,8 @@ trigger:

 .fedora image:
  variables:
-    CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache/'
+    FDO_USER: 'containeruser'
+    CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache_fedora_containeruser/'
    FDO_DISTRIBUTION_VERSION: '40'
    FDO_REPO_SUFFIX: "$FEDORA_AMD64_SUFFIX"
    FDO_DISTRIBUTION_TAG: "$FEDORA_TAG-$GST_UPSTREAM_BRANCH"
@ -148,6 +148,7 @@ trigger:

 .fedora fluster image:
  variables:
+    FDO_USER: 'containeruser'
    CCACHE_DIR: !reference [".fedora image", "variables", CCACHE_DIR]
    FDO_DISTRIBUTION_VERSION: !reference [".fedora image", "variables", FDO_DISTRIBUTION_VERSION]
    FDO_REPO_SUFFIX: !reference [".fedora image", "variables", FDO_REPO_SUFFIX]
@ -193,7 +194,8 @@ fedora amd64 toolbox:

 .debian image:
  variables:
-    CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache_debian/'
+    CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache_debian_containeruser/'
+    FDO_USER: 'containeruser'
    FDO_BASE_IMAGE: "quay.io/toolbx-images/debian-toolbox:12"
    FDO_DISTRIBUTION_VERSION: '12'
    FDO_REPO_SUFFIX: "$DEBIAN_AMD64_SUFFIX"
@ -294,8 +296,8 @@ pre-commit checks:
    GIT_DEPTH: 100
    PRE_COMMIT_HOME: '/cache/${CI_PROJECT_NAMESPACE}/pre-commit'
    RUSTUP_HOME: '/usr/local/rustup'
-    before_script:
-      git config --global --add safe.directory $CI_PROJECT_DIR
+  before_script:
+    - git config --global --add safe.directory $CI_PROJECT_DIR
  script:
    - export PATH="/usr/local/cargo/bin:$PATH"
    - echo $CI_MERGE_REQUEST_DIFF_BASE_SHA
--- a/.gitlab-image-tags.yml
+++ b/.gitlab-image-tags.yml
@ -5,11 +5,11 @@ variables:
  # If you are hacking on them or need a them to rebuild, its enough
  # to change any part of the string of the image you want.
  ###
-  FEDORA_TAG:  '2025-06-30.0'
+  FEDORA_TAG:  '2025-07-01.0'

-  DEBIAN_TAG:  '2025-06-30.0'
+  DEBIAN_TAG:  '2025-07-01.0'

-  CHECKS_TAG: '2025-02-04.0'
+  CHECKS_TAG: '2025-05-24.0'

  ABI_CHECK_TAG: '2025-06-26.0'

--- a/ci/docker/debian/install-deps.sh
+++ b/ci/docker/debian/install-deps.sh
@ -2,12 +2,13 @@

 set -eux

-apt update -y && apt full-upgrade -y
-apt install -y $(<./ci/docker/debian/deps.txt)
+sudo apt update -y && sudo apt full-upgrade -y
+sudo apt install -y $(<./ci/docker/debian/deps.txt)

-apt remove -y rustc cargo
+# These get pulled by other deps
+sudo apt remove -y rustc cargo

-bash ./ci/scripts/create-pip-config.sh
-pip3 install --break-system-packages meson==1.7.2 hotdoc python-gitlab tomli junitparser
+sudo bash ./ci/scripts/create-pip-config.sh
+sudo pip3 install --break-system-packages meson==1.7.2 hotdoc python-gitlab tomli junitparser

-apt clean all
+sudo apt clean all
--- a/ci/docker/debian/prepare.sh
+++ b/ci/docker/debian/prepare.sh
@ -2,19 +2,21 @@

 set -eux

+apt update && apt install -y sudo passwd
+bash ./ci/scripts/create-container-user.sh
 bash ./ci/scripts/create-ci-identifier.sh

-bash ./ci/docker/debian/install-deps.sh
-
-bash ./ci/scripts/install-rust.sh
+sudo -u containeruser bash ./ci/docker/debian/install-deps.sh
+sudo -u containeruser bash ./ci/scripts/install-rust.sh

 # Configure git for various usage
-git config --global user.email "gstreamer@gstreamer.net"
-git config --global user.name "Gstbuild Runner"
+sudo -u containeruser git config --global user.email "gstreamer@gstreamer.net"
+sudo -u containeruser git config --global user.name "Gstbuild Runner"
+# /tmp/clone is where ci-templates cbuild clones the checkout
+sudo -u containeruser git config --global --add safe.directory /tmp/clone

-bash ./ci/scripts/create-container-user.sh
-
-bash ./ci/scripts/create-subprojects-cache.sh
+sudo -u containeruser bash ./ci/scripts/create-subprojects-cache.sh

 # leftover caches
-rm -rf /root/.cache /root/.npm
+sudo rm -rf /root/
+sudo rm -rf /home/containeruser/.cache /home/containeruser/.npm
--- a/ci/docker/fedora/install-deps.sh
+++ b/ci/docker/fedora/install-deps.sh
@ -4,33 +4,33 @@ set -eux

 # Fedora base image disable installing documentation files. See https://pagure.io/atomic-wg/issue/308
 # We need them to cleanly build our doc.
-sed -i '/tsflags=nodocs/d' /etc/dnf/dnf.conf
-dnf -y swap coreutils-single coreutils-full
-dnf -y swap glibc-minimal-langpack glibc-all-langpacks
+sudo sed -i '/tsflags=nodocs/d' /etc/dnf/dnf.conf
+sudo dnf -y swap coreutils-single coreutils-full
+sudo dnf -y swap glibc-minimal-langpack glibc-all-langpacks

 # Add rpm fusion repositories in order to access all of the gst plugins
-dnf install -y \
+sudo dnf install -y \
  "https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm" \
  "https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"

 # Enable the debuginfo repos so -debug packages are kept in sync
-dnf install -y dnf-plugins-core
-dnf config-manager --set-enabled '*-debuginfo'
+sudo dnf install -y dnf-plugins-core
+sudo dnf config-manager --set-enabled '*-debuginfo'

-dnf upgrade -y && dnf distro-sync -y
+sudo dnf upgrade -y && sudo dnf distro-sync -y

 # Install the dependencies of gstreamer
-dnf install --setopt=install_weak_deps=false -y $(<./ci/docker/fedora/deps.txt)
+sudo dnf install --setopt=install_weak_deps=false -y $(<./ci/docker/fedora/deps.txt)

 # Install devhelp files for hotdoc
-dnf install -y glib2-doc gdk-pixbuf2-devel gtk3-devel-docs gtk4-devel-docs libsoup-doc
+sudo dnf install -y glib2-doc gdk-pixbuf2-devel gtk3-devel-docs gtk4-devel-docs libsoup-doc

 # Make sure we don't end up installing these from some transient dependency
-dnf remove -y "gstreamer1*-devel" rust cargo meson 'fdk-aac-free*'
+sudo dnf remove -y "gstreamer1*-devel" rust cargo meson 'fdk-aac-free*'

-bash ./ci/scripts/create-pip-config.sh
-pip3 install meson==1.7.2 python-gitlab tomli junitparser bs4
-pip3 install git+https://github.com/hotdoc/hotdoc.git@8c1cc997f5bc16e068710a8a8121f79ac25cbcce
+sudo bash ./ci/scripts/create-pip-config.sh
+sudo pip3 install meson==1.7.2 python-gitlab tomli junitparser bs4
+sudo pip3 install git+https://github.com/hotdoc/hotdoc.git@8c1cc997f5bc16e068710a8a8121f79ac25cbcce

 # Install most debug symbols, except the big ones from things we use
 debug_packages=$(rpm -qa | grep -v -i \
@ -97,9 +97,9 @@ debug_packages=$(rpm -qa | grep -v -i \
    -e xerces \
    -e xorg \
 )
-dnf debuginfo-install -y --best --allowerasing --skip-broken $debug_packages
+sudo dnf debuginfo-install -y --best --allowerasing --skip-broken $debug_packages

 echo "Removing DNF cache"
-dnf clean all
+sudo dnf clean all

-rm -rf /var/cache/dnf /var/log/dnf*
+sudo rm -rf /var/cache/dnf /var/log/dnf*
--- a/ci/docker/fedora/prepare.sh
+++ b/ci/docker/fedora/prepare.sh
@ -2,19 +2,21 @@

 set -eux

+dnf update && dnf install -y sudo shadow-utils
 bash ./ci/scripts/create-ci-identifier.sh
-
-bash ./ci/docker/fedora/install-deps.sh
-
-# Configure git for various usage
-git config --global user.email "gstreamer@gstreamer.net"
-git config --global user.name "Gstbuild Runner"
-
-bash ./ci/scripts/install-rust.sh
-
 bash ./ci/scripts/create-container-user.sh

-bash ./ci/scripts/create-subprojects-cache.sh
+sudo -u containeruser bash ./ci/docker/fedora/install-deps.sh
+sudo -u containeruser bash ./ci/scripts/install-rust.sh
+
+# Configure git for various usage
+sudo -u containeruser git config --global user.email "gstreamer@gstreamer.net"
+sudo -u containeruser git config --global user.name "Gstbuild Runner"
+# /tmp/clone is where ci-templates cbuild clones the checkout
+sudo -u containeruser git config --global --add safe.directory /tmp/clone
+
+sudo -u containeruser bash ./ci/scripts/create-subprojects-cache.sh

 # leftover caches
-rm -rf /root/.cache /root/.npm
+sudo rm -rf /root/
+sudo rm -rf /home/containeruser/.cache /home/containeruser/.npm
--- a/ci/docker/fedora/virtme-fluster-setup.sh
+++ b/ci/docker/fedora/virtme-fluster-setup.sh
@ -5,16 +5,21 @@ set -eux
 sudo dnf install -y bc

 # Install virtme-ng
+pushd /tmp/
 git clone https://github.com/arighi/virtme-ng.git
 pushd virtme-ng
 git fetch --tags
 git checkout v1.8
-./setup.py install --prefix=/usr
+sudo ./setup.py install --prefix=/usr
+popd
 popd

 # Install fluster
 pushd /opt/
-git clone https://github.com/fluendo/fluster.git
+sudo mkdir ./fluster
+sudo chown containeruser:containeruser ./fluster/
+
+git clone  https://github.com/fluendo/fluster.git ./fluster
 pushd fluster
 git checkout 303a6edfda1701c8bc351909fb1173a0958810c2
 ./fluster.py download
--- a/ci/scripts/build-linux.sh
+++ b/ci/scripts/build-linux.sh
@ -55,6 +55,8 @@ if [ -d linux ]; then
  git fetch --depth=1 $REPO $BRANCH_OR_TAG
  git checkout FETCH_HEAD
 else
+  sudo mkdir ./linux
+  sudo chown containeruser:containeruser ./linux
  git clone --depth=1 --branch=$BRANCH_OR_TAG $REPO linux
  pushd linux
 fi
@ -90,7 +92,9 @@ make -j8 WERROR=0
 popd

 TARGET_DIR="$(dirname "$IMAGE")"
-mkdir -p "$TARGET_DIR"
+sudo mkdir -p "$TARGET_DIR"
+sudo chown containeruser:containeruser --recursive "$TARGET_DIR"
+
 mv linux/arch/$SUBARCH/boot/bzImage "$IMAGE"
 mv linux/.config $TARGET_DIR/.config
-rm -rf linux
+sudo rm -rf linux
--- a/ci/scripts/build-toolbox-image.sh
+++ b/ci/scripts/build-toolbox-image.sh
@ -95,12 +95,12 @@ build_container() {
  #   glib2
  # )

-  buildah run $build_cntr dnf install -y "${extra_packages[@]}"
-  buildah run $build_cntr dnf install -y "${our_extra_packages[@]}"
+  buildah run $build_cntr sudo dnf install -y "${extra_packages[@]}"
+  buildah run $build_cntr sudo dnf install -y "${our_extra_packages[@]}"
  # buildah run $build_cntr dnf debuginfo-install -y "${debug_packages[@]}"

-  buildah run $build_cntr dnf clean all
-  buildah run $build_cntr rm -rf /var/lib/cache/dnf
+  buildah run $build_cntr sudo dnf clean all
+  buildah run $build_cntr sudo rm -rf /var/lib/cache/dnf

  buildah config \
    --env RUSTUP_HOME="/usr/local/rustup" \
@ -108,15 +108,10 @@ build_container() {
    --env PATH="$PATH:/usr/local/cargo/bin/" \
    $build_cntr

-  # Install rust-analyzer so it can be used with IDEs and devcontainer
-  buildah run $build_cntr rustup component add rust-analyzer rust-src
-
  # Remove the hardcoded HOME env var that ci-templates adds
  # https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2433#note_2243222
-  # Also add the OCI labels that toolbox expects, to advertize that image is compatible
-  # Additionally add a non-root default user
+  # Also add the OCI labels that toolbox expects, to advertize that the image is compatible
  buildah config --env HOME- \
-    --user containeruser \
    --label com.github.containers.toolbox=true \
    --label org.opencontainers.image.base.name=$BASE_CI_IMAGE \
    $build_cntr
--- a/ci/scripts/create-subprojects-cache.sh
+++ b/ci/scripts/create-subprojects-cache.sh
@ -4,13 +4,15 @@ set -eux

 # Avoid the cache being owned by root
 # and make sure its readable to anyone
-chown containeruser:containeruser --recursive /var/cache/subprojects/
-chmod --recursive a+r /var/cache/subprojects/
+sudo mkdir -p /var/cache/subprojects/
+sudo chown containeruser:containeruser --recursive /var/cache/subprojects/
+sudo chmod --recursive a+r /var/cache/subprojects/

 # Path where cbuild checks out the repo
 cd /tmp/clone/
+sudo chmod --recursive a+r /tmp/clone
+sudo chown containeruser:containeruser --recursive /tmp/clone
 # get gstreamer and make all subprojects available
 git submodule update --init --depth=1
 meson subprojects download
 ./ci/scripts/handle-subprojects-cache.py --build --cache-dir /var/cache/subprojects/ /tmp/clone/subprojects/
-
--- a/ci/scripts/install-rust.sh
+++ b/ci/scripts/install-rust.sh
@ -8,18 +8,20 @@ RUST_VERSION=1.88.0
 RUST_ARCH="x86_64-unknown-linux-gnu"

 RUSTUP_URL=https://static.rust-lang.org/rustup/archive/$RUSTUP_VERSION/$RUST_ARCH/rustup-init
-curl -o rustup-init $RUSTUP_URL
+curl -o /tmp/rustup-init $RUSTUP_URL

 export RUSTUP_HOME="/usr/local/rustup"
 export CARGO_HOME="/usr/local/cargo"
 export PATH="/usr/local/cargo/bin:$PATH"

-chmod +x rustup-init;
-./rustup-init -y --no-modify-path --default-toolchain $RUST_VERSION;
-rm rustup-init;
+chmod +x /tmp/rustup-init;
+sudo --preserve-env=RUSTUP_HOME,CARGO_HOME,PATH /tmp/rustup-init -y --no-modify-path --default-toolchain $RUST_VERSION;
+rm /tmp/rustup-init;
+
 # We are root while creating the directory, but we want it to
 # be accessible to all users
-chmod -R a+w $RUSTUP_HOME $CARGO_HOME
+sudo mkdir -p $RUSTUP_HOME $CARGO_HOME
+sudo chmod -R a+w $RUSTUP_HOME $CARGO_HOME

 cargo install --locked cargo-c --version 0.10.14+cargo-0.89.0
 # We don't need them in the build image and they occupy
--- a/ci/scripts/source_image_env.sh
+++ b/ci/scripts/source_image_env.sh
@ -36,9 +36,32 @@ if [[ -e "$ci_image_info" ]]; then
  cargo cinstall --version
 fi

+if [[ -e "$ci_image_info" ]]; then
+  who="$(whoami)"
+  # Assert we always use the epxected user in ci jobs
+  if [[ $who != "containeruser" && -n "${CI:-}" ]]; then
+    echo "Running as the wrong user in a CI job"
+    exit 1
+  fi
+
+  # Chown the project directory to match the user we run against.
+  # Sometimes, gitlab runners will reuse pre-existing checkouts from other jobs
+  # which might not have been running as our contianeruser, and thus the files won't
+  # have the expected owenership.
+  # Always chown until we have cycled out all the cached volumes from the runners.
+  if [[ -n "${CI:-}" ]]; then
+    sudo chown containeruser:containeruser --recursive "${CI_PROJECT_DIR}"
+
+    # Make sure the directory exists
+    sudo mkdir -p "${CCACHE_DIR}"
+    sudo chown containeruser:containeruser --recursive "${CCACHE_DIR}"
+  fi
+fi
+
 # Only copy the cache over if the variable is set, which usually only happens on CI.
 if [ -n "$image_cache" ]; then
  date -R
  ci/scripts/handle-subprojects-cache.py --cache-dir "$image_cache" subprojects/
  date -R
 fi
+
--- a/tests/virtme/virtme-run.sh
+++ b/tests/virtme/virtme-run.sh
@ -51,7 +51,7 @@ SCRIPT="\
 HALF_MEMORY="$(grep MemTotal /proc/meminfo | awk '{print $2}' | xargs -I {} echo "scale=0; 1+{}/1024^2/2" | bc)G"

 echo Running tests in virtual machine ...
-virtme-run \
+sudo virtme-run \
  --memory=${HALF_MEMORY} \
  --rw \
  --pwd \