FaSTTUBe/GST-Tensordecoder-ov_ep
37
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
GST-Tensordecoder-ov_ep/ci/scripts/source_image_env.sh
Jordan Petridis d4b7066060 ci: Run the jobs as an unprivileged non-root user 
Docker/oci and thus gitlab-runner, default to a root
user inside the namespace, even if its an unprivileged
one.

This can cause issues and let permission bugs sneak in,
as we are functionally root when running the build.

Switch the build jobs to run with our new "containeruser"
so we avoid much of it.

Our user is still in the wheel/sudo group but that's fine
as long we don't elevate the privileges unintentionally.

Noticeably for the time being, we will need to chown the
CI_PROJECT_DIR checkout as the gitlab runner might try
to reuse pre-existing and cached volumes of the project
checkout.

Additionally we need to change the ccache path, so we
will avoid the existing cache owned by "root".

Close https://gitlab.freedesktop.org/gstreamer/gstreamer/-/issues/2433

Part-of: <https://gitlab.freedesktop.org/gstreamer/gstreamer/-/merge_requests/8763>
2025-07-02 12:18:01 +00:00

68 lines
1.8 KiB
Bash
Raw Blame History

#! /bin/bash
image_cache="${SUBPROJECTS_CACHE_DIR:-}"
ci_image_info="/.gstreamer-ci-linux-image";
# Print useful metadata at the start of the build
if [[ -e "/etc/os-release" ]]; then
cat /etc/os-release
fi
if [[ -e "$ci_image_info" && -n "${CI:-}" ]]; then
if [[ -z "$image_cache" ]]; then
echo "Running in CI but haven't defined SUBPROJECTS_CACHE_DIR"
exit 1
fi
fi
whoami
id -u
id -g
date && date -u
echo $SHELL
echo $PATH
# On the CI image we install the rust toolcahin under this path
# set the HOME and PATH variables and print the versions
# of what we have installed
if [[ -e "$ci_image_info" ]]; then
export RUSTUP_HOME="/usr/local/rustup"
export CARGO_HOME="/usr/local/cargo"
export PATH="/usr/local/cargo/bin:$PATH"
rustup --version
rustc --version
cargo --version
cargo cinstall --version
fi
if [[ -e "$ci_image_info" ]]; then
who="$(whoami)"
# Assert we always use the epxected user in ci jobs
if [[ $who != "containeruser" && -n "${CI:-}" ]]; then
echo "Running as the wrong user in a CI job"
exit 1
fi
# Chown the project directory to match the user we run against.
# Sometimes, gitlab runners will reuse pre-existing checkouts from other jobs
# which might not have been running as our contianeruser, and thus the files won't
# have the expected owenership.
# Always chown until we have cycled out all the cached volumes from the runners.
if [[ -n "${CI:-}" ]]; then
sudo chown containeruser:containeruser --recursive "${CI_PROJECT_DIR}"
# Make sure the directory exists
sudo mkdir -p "${CCACHE_DIR}"
sudo chown containeruser:containeruser --recursive "${CCACHE_DIR}"
fi
fi
# Only copy the cache over if the variable is set, which usually only happens on CI.
if [ -n "$image_cache" ]; then
date -R
ci/scripts/handle-subprojects-cache.py --cache-dir "$image_cache" subprojects/
date -R
fi
Reference in New Issue View Git Blame Copy Permalink