ci: Run the jobs as an unprivileged non-root user

Docker/oci and thus gitlab-runner, default to a root
user inside the namespace, even if its an unprivileged
one.

This can cause issues and let permission bugs sneak in,
as we are functionally root when running the build.

Switch the build jobs to run with our new "containeruser"
so we avoid much of it.

Our user is still in the wheel/sudo group, but that's fine
as long as we don't elevate privileges unintentionally.

Noticeably for the time being, we will need to chown the
CI_PROJECT_DIR checkout as the gitlab runner might try
to reuse pre-existing and cached volumes of the project
checkout.

Additionally we need to change the ccache path, so we
will avoid the existing cache owned by "root".

Close https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2433

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8763>
This commit is contained in:
Jordan Petridis 2025-03-31 14:07:22 +03:00 committed by GStreamer Marge Bot
parent fafd2bc844
commit d4b7066060
13 changed files with 115 additions and 77 deletions


@ -1,10 +1,9 @@
include:
- project: 'freedesktop/ci-templates'
ref: "3826695f80807d8a4d999f6b6efb3d405d708db9"
file: '/templates/fedora.yml'
- project: 'freedesktop/ci-templates'
ref: "3826695f80807d8a4d999f6b6efb3d405d708db9"
file: '/templates/debian.yml'
ref: "1a1fb9ebb233afded69c3dbde51fc58e6d706509"
file:
- '/templates/debian.yml'
- '/templates/fedora.yml'
###
# IMPORTANT
# These are the version tags for the docker images the CI runs against.
@ -140,7 +139,8 @@ trigger:
.fedora image:
variables:
CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache/'
FDO_USER: 'containeruser'
CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache_fedora_containeruser/'
FDO_DISTRIBUTION_VERSION: '40'
FDO_REPO_SUFFIX: "$FEDORA_AMD64_SUFFIX"
FDO_DISTRIBUTION_TAG: "$FEDORA_TAG-$GST_UPSTREAM_BRANCH"
@ -148,6 +148,7 @@ trigger:
.fedora fluster image:
variables:
FDO_USER: 'containeruser'
CCACHE_DIR: !reference [".fedora image", "variables", CCACHE_DIR]
FDO_DISTRIBUTION_VERSION: !reference [".fedora image", "variables", FDO_DISTRIBUTION_VERSION]
FDO_REPO_SUFFIX: !reference [".fedora image", "variables", FDO_REPO_SUFFIX]
@ -193,7 +194,8 @@ fedora amd64 toolbox:
.debian image:
variables:
CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache_debian/'
CCACHE_DIR: '/cache/gstreamer/gstreamer/ccache_debian_containeruser/'
FDO_USER: 'containeruser'
FDO_BASE_IMAGE: "quay.io/toolbx-images/debian-toolbox:12"
FDO_DISTRIBUTION_VERSION: '12'
FDO_REPO_SUFFIX: "$DEBIAN_AMD64_SUFFIX"
@ -294,8 +296,8 @@ pre-commit checks:
GIT_DEPTH: 100
PRE_COMMIT_HOME: '/cache/${CI_PROJECT_NAMESPACE}/pre-commit'
RUSTUP_HOME: '/usr/local/rustup'
before_script:
git config --global --add safe.directory $CI_PROJECT_DIR
before_script:
- git config --global --add safe.directory $CI_PROJECT_DIR
script:
- export PATH="/usr/local/cargo/bin:$PATH"
- echo $CI_MERGE_REQUEST_DIFF_BASE_SHA
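Review bot: The old root-owned ccache directories (`/cache/gstreamer/gstreamer/ccache/` and `.../ccache_debian/`) are sidestepped by the new `_containeruser` suffix but nothing removes them, so runner cache volumes will carry both until someone cleans up by hand; a comment next to the new `CCACHE_DIR` values, e.g. `# _containeruser suffix avoids the root-owned cache left by older images; delete the old dir once all runners have cycled`, keeps that follow-up from being forgotten. The `FDO_USER: 'containeruser'` switch still relies on the image granting that user sudo (the description says it stays in wheel/sudo), so the "unprivileged" job is a guard against accidental root-owned files, not a privilege boundary — worth saying in the IMPORTANT comment block above the image tags so nobody reads it as hardening. The indented `- git config --global --add safe.directory $CI_PROJECT_DIR` is the right fix for the previously dangling line; quoting `"$CI_PROJECT_DIR"` would match the rest of the file's style.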


@ -5,11 +5,11 @@ variables:
# If you are hacking on them or need a them to rebuild, its enough
# to change any part of the string of the image you want.
###
FEDORA_TAG: '2025-06-30.0'
FEDORA_TAG: '2025-07-01.0'
DEBIAN_TAG: '2025-06-30.0'
DEBIAN_TAG: '2025-07-01.0'
CHECKS_TAG: '2025-02-04.0'
CHECKS_TAG: '2025-05-24.0'
ABI_CHECK_TAG: '2025-06-26.0'


@ -2,12 +2,13 @@
set -eux
apt update -y && apt full-upgrade -y
apt install -y $(<./ci/docker/debian/deps.txt)
sudo apt update -y && sudo apt full-upgrade -y
sudo apt install -y $(<./ci/docker/debian/deps.txt)
apt remove -y rustc cargo
# These get pulled by other deps
sudo apt remove -y rustc cargo
bash ./ci/scripts/create-pip-config.sh
pip3 install --break-system-packages meson==1.7.2 hotdoc python-gitlab tomli junitparser
sudo bash ./ci/scripts/create-pip-config.sh
sudo pip3 install --break-system-packages meson==1.7.2 hotdoc python-gitlab tomli junitparser
apt clean all
sudo apt clean all
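Review bot: Every command in this script now carries a `sudo` prefix while build.sh invokes the script itself via `sudo -u containeruser`, so the user drop is undone for each step and the script only works where containeruser has passwordless sudo; a header comment stating that precondition, e.g. `# Runs as containeruser (image build and toolbox); expects passwordless sudo for package installation`, makes the failure mode obvious when it is missing. `sudo pip3 install --break-system-packages ...` installs unpinned hotdoc, python-gitlab, tomli and junitparser from PyPI as root into system site-packages; that predates this change, but with the build user now meant to be unprivileged it is the step most worth pinning (as meson already is) or moving to a user-level install.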


@ -2,19 +2,21 @@
set -eux
apt update && apt install -y sudo passwd
bash ./ci/scripts/create-container-user.sh
bash ./ci/scripts/create-ci-identifier.sh
bash ./ci/docker/debian/install-deps.sh
bash ./ci/scripts/install-rust.sh
sudo -u containeruser bash ./ci/docker/debian/install-deps.sh
sudo -u containeruser bash ./ci/scripts/install-rust.sh
# Configure git for various usage
git config --global user.email "gstreamer@gstreamer.net"
git config --global user.name "Gstbuild Runner"
sudo -u containeruser git config --global user.email "gstreamer@gstreamer.net"
sudo -u containeruser git config --global user.name "Gstbuild Runner"
# /tmp/clone is where ci-templates cbuild clones the checkout
sudo -u containeruser git config --global --add safe.directory /tmp/clone
bash ./ci/scripts/create-container-user.sh
bash ./ci/scripts/create-subprojects-cache.sh
sudo -u containeruser bash ./ci/scripts/create-subprojects-cache.sh
# leftover caches
rm -rf /root/.cache /root/.npm
sudo rm -rf /root/
sudo rm -rf /home/containeruser/.cache /home/containeruser/.npm
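Review bot: `sudo rm -rf /root/` on the second-to-last line deletes root's home directory itself rather than only its caches, which the replaced `rm -rf /root/.cache /root/.npm` did not; anything that later runs as root with `HOME=/root` (package hooks, `git config --global`, ccache) will then fail or fall back to `/`. If the intent is only to drop leftovers, `rm -rf /root/.cache /root/.npm /root/.cargo` (or `find /root -mindepth 1 -delete`) keeps the directory, and since this script already runs as root (it installs sudo itself on its first line) the `sudo` prefixes on these two lines are redundant either way. The `sudo -u containeruser` invocations presumably reset the environment (default `env_reset`), so proxy or pip-config variables exported by the image build will not reach install-deps.sh or install-rust.sh unless passed with `--preserve-env`; a one-line comment saying whether that is intended would help.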


@ -4,33 +4,33 @@ set -eux
# Fedora base image disable installing documentation files. See https://pagure.io/atomic-wg/issue/308
# We need them to cleanly build our doc.
sed -i '/tsflags=nodocs/d' /etc/dnf/dnf.conf
dnf -y swap coreutils-single coreutils-full
dnf -y swap glibc-minimal-langpack glibc-all-langpacks
sudo sed -i '/tsflags=nodocs/d' /etc/dnf/dnf.conf
sudo dnf -y swap coreutils-single coreutils-full
sudo dnf -y swap glibc-minimal-langpack glibc-all-langpacks
# Add rpm fusion repositories in order to access all of the gst plugins
dnf install -y \
sudo dnf install -y \
"https://mirrors.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm" \
"https://mirrors.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm"
# Enable the debuginfo repos so -debug packages are kept in sync
dnf install -y dnf-plugins-core
dnf config-manager --set-enabled '*-debuginfo'
sudo dnf install -y dnf-plugins-core
sudo dnf config-manager --set-enabled '*-debuginfo'
dnf upgrade -y && dnf distro-sync -y
sudo dnf upgrade -y && sudo dnf distro-sync -y
# Install the dependencies of gstreamer
dnf install --setopt=install_weak_deps=false -y $(<./ci/docker/fedora/deps.txt)
sudo dnf install --setopt=install_weak_deps=false -y $(<./ci/docker/fedora/deps.txt)
# Install devhelp files for hotdoc
dnf install -y glib2-doc gdk-pixbuf2-devel gtk3-devel-docs gtk4-devel-docs libsoup-doc
sudo dnf install -y glib2-doc gdk-pixbuf2-devel gtk3-devel-docs gtk4-devel-docs libsoup-doc
# Make sure we don't end up installing these from some transient dependency
dnf remove -y "gstreamer1*-devel" rust cargo meson 'fdk-aac-free*'
sudo dnf remove -y "gstreamer1*-devel" rust cargo meson 'fdk-aac-free*'
bash ./ci/scripts/create-pip-config.sh
pip3 install meson==1.7.2 python-gitlab tomli junitparser bs4
pip3 install git+https://github.com/hotdoc/hotdoc.git@8c1cc997f5bc16e068710a8a8121f79ac25cbcce
sudo bash ./ci/scripts/create-pip-config.sh
sudo pip3 install meson==1.7.2 python-gitlab tomli junitparser bs4
sudo pip3 install git+https://github.com/hotdoc/hotdoc.git@8c1cc997f5bc16e068710a8a8121f79ac25cbcce
# Install most debug symbols, except the big ones from things we use
debug_packages=$(rpm -qa | grep -v -i \
@ -97,9 +97,9 @@ debug_packages=$(rpm -qa | grep -v -i \
-e xerces \
-e xorg \
)
dnf debuginfo-install -y --best --allowerasing --skip-broken $debug_packages
sudo dnf debuginfo-install -y --best --allowerasing --skip-broken $debug_packages
echo "Removing DNF cache"
dnf clean all
sudo dnf clean all
rm -rf /var/cache/dnf /var/log/dnf*
sudo rm -rf /var/cache/dnf /var/log/dnf*


@ -2,19 +2,21 @@
set -eux
dnf update && dnf install -y sudo shadow-utils
bash ./ci/scripts/create-ci-identifier.sh
bash ./ci/docker/fedora/install-deps.sh
# Configure git for various usage
git config --global user.email "gstreamer@gstreamer.net"
git config --global user.name "Gstbuild Runner"
bash ./ci/scripts/install-rust.sh
bash ./ci/scripts/create-container-user.sh
bash ./ci/scripts/create-subprojects-cache.sh
sudo -u containeruser bash ./ci/docker/fedora/install-deps.sh
sudo -u containeruser bash ./ci/scripts/install-rust.sh
# Configure git for various usage
sudo -u containeruser git config --global user.email "gstreamer@gstreamer.net"
sudo -u containeruser git config --global user.name "Gstbuild Runner"
# /tmp/clone is where ci-templates cbuild clones the checkout
sudo -u containeruser git config --global --add safe.directory /tmp/clone
sudo -u containeruser bash ./ci/scripts/create-subprojects-cache.sh
# leftover caches
rm -rf /root/.cache /root/.npm
sudo rm -rf /root/
sudo rm -rf /home/containeruser/.cache /home/containeruser/.npm
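Review bot: `dnf update && dnf install -y sudo shadow-utils` on the first line has no `-y` on the update, so in a non-interactive image build dnf reaches its confirmation prompt and aborts whenever updates are pending, which makes the image build flaky; the Debian counterpart only refreshes metadata, so this was presumably meant as `dnf -y makecache` (or `dnf -y update` if upgrading here is intended, although install-deps.sh already runs `sudo dnf upgrade -y`). As in the Debian build.sh, `sudo rm -rf /root/` removes root's home directory itself rather than just its caches; `rm -rf /root/.cache /root/.npm` keeps `/root` for anything that still runs as root with `HOME=/root`, and the `sudo` is redundant since this script runs as root.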


@ -5,16 +5,21 @@ set -eux
sudo dnf install -y bc
# Install virtme-ng
pushd /tmp/
git clone https://github.com/arighi/virtme-ng.git
pushd virtme-ng
git fetch --tags
git checkout v1.8
./setup.py install --prefix=/usr
sudo ./setup.py install --prefix=/usr
popd
popd
# Install fluster
pushd /opt/
git clone https://github.com/fluendo/fluster.git
sudo mkdir ./fluster
sudo chown containeruser:containeruser ./fluster/
git clone https://github.com/fluendo/fluster.git ./fluster
pushd fluster
git checkout 303a6edfda1701c8bc351909fb1173a0958810c2
./fluster.py download
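Review bot: `sudo ./setup.py install --prefix=/usr` executes a setup.py fetched from a mutable git tag (`v1.8`) as root, whereas fluster two lines below is pinned to a commit hash; pinning virtme-ng the same way (`git checkout <sha-of-v1.8>`) makes the root-executed code reproducible and tamper-evident. The clone lives under `/tmp/` owned by containeruser and is then run with sudo — acceptable inside a single-user image build, but worth a comment so the pattern is not copied into a multi-user context. `sudo mkdir ./fluster` followed by `sudo chown containeruser:containeruser ./fluster/` can be one line: `sudo install -d -o containeruser -g containeruser ./fluster`.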


@ -55,6 +55,8 @@ if [ -d linux ]; then
git fetch --depth=1 $REPO $BRANCH_OR_TAG
git checkout FETCH_HEAD
else
sudo mkdir ./linux
sudo chown containeruser:containeruser ./linux
git clone --depth=1 --branch=$BRANCH_OR_TAG $REPO linux
pushd linux
fi
@ -90,7 +92,9 @@ make -j8 WERROR=0
popd
TARGET_DIR="$(dirname "$IMAGE")"
mkdir -p "$TARGET_DIR"
sudo mkdir -p "$TARGET_DIR"
sudo chown containeruser:containeruser --recursive "$TARGET_DIR"
mv linux/arch/$SUBARCH/boot/bzImage "$IMAGE"
mv linux/.config $TARGET_DIR/.config
rm -rf linux
sudo rm -rf linux
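Review bot: `sudo chown containeruser:containeruser --recursive "$TARGET_DIR"` recurses over `$(dirname "$IMAGE")`, so a shallow `IMAGE` (directly under `/opt` or `/`) would re-own a whole system subtree; the directory was just created by `sudo mkdir -p`, so a non-recursive chown is enough, or both lines collapse to `sudo install -d -o containeruser -g containeruser "$TARGET_DIR"` — the same one-liner replaces the `./linux` mkdir/chown pair above. The `if [ -d linux ]` block starts before the hunk, so the reuse branch was not reviewed here. `sudo rm -rf linux` at the end only needs sudo if the kernel build produced root-owned files, which it should not now that the build runs as containeruser; dropping the sudo would surface such a regression instead of hiding it.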


@ -95,12 +95,12 @@ build_container() {
# glib2
# )
buildah run $build_cntr dnf install -y "${extra_packages[@]}"
buildah run $build_cntr dnf install -y "${our_extra_packages[@]}"
buildah run $build_cntr sudo dnf install -y "${extra_packages[@]}"
buildah run $build_cntr sudo dnf install -y "${our_extra_packages[@]}"
# buildah run $build_cntr dnf debuginfo-install -y "${debug_packages[@]}"
buildah run $build_cntr dnf clean all
buildah run $build_cntr rm -rf /var/lib/cache/dnf
buildah run $build_cntr sudo dnf clean all
buildah run $build_cntr sudo rm -rf /var/lib/cache/dnf
buildah config \
--env RUSTUP_HOME="/usr/local/rustup" \
@ -108,15 +108,10 @@ build_container() {
--env PATH="$PATH:/usr/local/cargo/bin/" \
$build_cntr
# Install rust-analyzer so it can be used with IDEs and devcontainer
buildah run $build_cntr rustup component add rust-analyzer rust-src
# Remove the hardcoded HOME env var that ci-templates adds
# https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2433#note_2243222
# Also add the OCI labels that toolbox expects, to advertize that image is compatible
# Additionally add a non-root default user
# Also add the OCI labels that toolbox expects, to advertize that the image is compatible
buildah config --env HOME- \
--user containeruser \
--label com.github.containers.toolbox=true \
--label org.opencontainers.image.base.name=$BASE_CI_IMAGE \
$build_cntr
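Review bot: Dropping `--user containeruser` from `buildah config` means the toolbox image's default user is now whatever the base CI image sets (presumably via FDO_USER), and if that assumption breaks the `sudo dnf ...` steps above silently run as root with no user drop at all; an explicit check before the package installs, e.g. `[[ "$(buildah run "$build_cntr" whoami)" == containeruser ]] || exit 1`, or keeping the explicit `--user`, makes the dependency on the base image visible. `build_container()` starts before the hunk and continues after it. `$build_cntr` is unquoted throughout; pre-existing, but `"$build_cntr"` costs nothing.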


@ -4,13 +4,15 @@ set -eux
# Avoid the cache being owned by root
# and make sure its readable to anyone
chown containeruser:containeruser --recursive /var/cache/subprojects/
chmod --recursive a+r /var/cache/subprojects/
sudo mkdir -p /var/cache/subprojects/
sudo chown containeruser:containeruser --recursive /var/cache/subprojects/
sudo chmod --recursive a+r /var/cache/subprojects/
# Path where cbuild checks out the repo
cd /tmp/clone/
sudo chmod --recursive a+r /tmp/clone
sudo chown containeruser:containeruser --recursive /tmp/clone
# get gstreamer and make all subprojects available
git submodule update --init --depth=1
meson subprojects download
./ci/scripts/handle-subprojects-cache.py --build --cache-dir /var/cache/subprojects/ /tmp/clone/subprojects/
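Review bot: `sudo chmod --recursive a+r /tmp/clone` and the same on `/var/cache/subprojects/` add only the read bit, so directories created under a restrictive umask stay non-traversable for other users; `a+rX` (execute on directories and already-executable files only) is what "readable to anyone" needs. The header comment still says "Avoid the cache being owned by root", but this script now runs as containeruser (build.sh invokes it with `sudo -u containeruser`); a line such as `# /tmp/clone is created by cbuild, presumably as root, so ownership is fixed here before git/meson write into it` would explain why sudo is still needed.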


@ -8,18 +8,20 @@ RUST_VERSION=1.88.0
RUST_ARCH="x86_64-unknown-linux-gnu"
RUSTUP_URL=https://static.rust-lang.org/rustup/archive/$RUSTUP_VERSION/$RUST_ARCH/rustup-init
curl -o rustup-init $RUSTUP_URL
curl -o /tmp/rustup-init $RUSTUP_URL
export RUSTUP_HOME="/usr/local/rustup"
export CARGO_HOME="/usr/local/cargo"
export PATH="/usr/local/cargo/bin:$PATH"
chmod +x rustup-init;
./rustup-init -y --no-modify-path --default-toolchain $RUST_VERSION;
rm rustup-init;
chmod +x /tmp/rustup-init;
sudo --preserve-env=RUSTUP_HOME,CARGO_HOME,PATH /tmp/rustup-init -y --no-modify-path --default-toolchain $RUST_VERSION;
rm /tmp/rustup-init;
# We are root while creating the directory, but we want it to
# be accessible to all users
chmod -R a+w $RUSTUP_HOME $CARGO_HOME
sudo mkdir -p $RUSTUP_HOME $CARGO_HOME
sudo chmod -R a+w $RUSTUP_HOME $CARGO_HOME
cargo install --locked cargo-c --version 0.10.14+cargo-0.89.0
# We don't need them in the build image and they occupy
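Review bot: The installer is downloaded to the fixed path `/tmp/rustup-init` as containeruser and then executed as root via `sudo`, the classic unprivileged-writes/root-executes pattern; inside a single-user image build the risk is low, but `rustup_init="$(mktemp)"; curl -fsSL -o "$rustup_init" "$RUSTUP_URL"` with the same `sudo ... "$rustup_init"` closes it at no cost, and `-f` also stops an HTTP error body from being saved and executed as root. Verifying the download against the published rustup-init SHA256 would pin the root-executed binary (the download was already unverified before this change). `sudo mkdir -p $RUSTUP_HOME $CARGO_HOME` after rustup-init has already populated both looks like a leftover, and the following `chmod -R a+w` leaves the whole toolchain writable by the build user — pre-existing, but now that the toolchain owner and the build user differ a comment stating this is deliberate for toolbox use would help.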


@ -36,9 +36,32 @@ if [[ -e "$ci_image_info" ]]; then
cargo cinstall --version
fi
if [[ -e "$ci_image_info" ]]; then
who="$(whoami)"
# Assert we always use the epxected user in ci jobs
if [[ $who != "containeruser" && -n "${CI:-}" ]]; then
echo "Running as the wrong user in a CI job"
exit 1
fi
# Chown the project directory to match the user we run against.
# Sometimes, gitlab runners will reuse pre-existing checkouts from other jobs
# which might not have been running as our contianeruser, and thus the files won't
# have the expected owenership.
# Always chown until we have cycled out all the cached volumes from the runners.
if [[ -n "${CI:-}" ]]; then
sudo chown containeruser:containeruser --recursive "${CI_PROJECT_DIR}"
# Make sure the directory exists
sudo mkdir -p "${CCACHE_DIR}"
sudo chown containeruser:containeruser --recursive "${CCACHE_DIR}"
fi
fi
# Only copy the cache over if the variable is set, which usually only happens on CI.
if [ -n "$image_cache" ]; then
date -R
ci/scripts/handle-subprojects-cache.py --cache-dir "$image_cache" subprojects/
date -R
fi
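Review bot: The `sudo chown containeruser:containeruser --recursive "${CI_PROJECT_DIR}"` runs on every CI job regardless of current ownership, so a full-tree chown of the checkout is paid each time and the job depends on sudo even when nothing needs fixing; guarding it with `if [[ "$(stat -c %U "${CI_PROJECT_DIR}")" != containeruser ]]; then` limits the sudo use to the transitional case the comment describes. `"${CCACHE_DIR}"` should be `"${CCACHE_DIR:?}"` so an unset variable aborts instead of becoming `mkdir -p ""` and a chown of nothing (the script's `set` line is outside the hunk, so I cannot tell whether `-u` already covers this). The assertion message would be more useful with the actual value, e.g. `echo "Running as $who, expected containeruser"`, and the comments have typos: `epxected`, `contianeruser`, `owenership`.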


@ -51,7 +51,7 @@ SCRIPT="\
HALF_MEMORY="$(grep MemTotal /proc/meminfo | awk '{print $2}' | xargs -I {} echo "scale=0; 1+{}/1024^2/2" | bc)G"
echo Running tests in virtual machine ...
virtme-run \
sudo virtme-run \
--memory=${HALF_MEMORY} \
--rw \
--pwd \