From 0436568575e1bda40bd295c15e04b5cb03b75b02 Mon Sep 17 00:00:00 2001
From: Andrew Brown
Date: Mon, 18 Mar 2024 13:57:42 -0700
Subject: [PATCH] Thread UID/GID through Docker
When running Git commands inside this Docker container (i.e., commands that the `version.py` script needs for determining version information), the Docker build would run into issues like: ``` fatal: detected dubious ownership in repository at '/workspace' To add an exception for this directory, call: git config --global --add safe.directory /workspace ``` This is due to an extra Git check that detects that the Docker user is not the same one who owns the `.git` directory of this project. After looking into this, the best solution the internet has to offer is to thread the current user's UID and GID through the Docker image (i.e., the new `builder` user) and then `docker run --user ...`. This both avoids the Git check but also seems to be considered a best practice in some circles (?).
---
 Dockerfile | 32 +++++++++++++++++++++-----------
 docker_build.sh | 15 +++++++++++++--
 2 files changed, 34 insertions(+), 13 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 558c1b2..9a864e6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,18 +3,23 @@
 # Here we choose Bionic 18.04.
 FROM ubuntu:bionic
+# We want to use the same UID/GID of the external user to avoid permission
+# issues. See the user setup at the end of the file.
+ARG UID=1000
+ARG GID=1000
+
 RUN apt-get update \
- && apt-get install -y --no-install-recommends \
- ccache \
- curl \
- ca-certificates \
- build-essential \
- clang \
- python3 \
- git \
- ninja-build \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
+ && apt-get install -y --no-install-recommends \
+ ccache \
+ curl \
+ ca-certificates \
+ build-essential \
+ clang \
+ python3 \
+ git \
+ ninja-build \
+ && apt-get clean \
+ && rm -rf /var/lib/apt/lists/*
 RUN curl -sSLO https://github.com/Kitware/CMake/releases/download/v3.25.1/cmake-3.25.1-linux-x86_64.tar.gz \
 && tar xf cmake-3.25.1-linux-x86_64.tar.gz \
@@ -22,3 +27,8 @@ RUN curl -sSLO https://github.com/Kitware/CMake/releases/download/v3.25.1/cmake-
 && mkdir -p /opt \
 && mv cmake-3.25.1-linux-x86_64 /opt/cmake
 ENV PATH /opt/cmake/bin:$PATH
+
+RUN groupadd -g ${GID} builder && \
+ useradd --create-home --uid ${UID} --gid ${GID} builder
+USER builder
+WORKDIR /workspace
diff --git a/docker_build.sh b/docker_build.sh
index 3884527..050862f 100755
--- a/docker_build.sh
+++ b/docker_build.sh
@@ -1,7 +1,18 @@
 #!/bin/sh
 set -ex
+
 echo "Building the docker image"
-docker build -t wasi-sdk-builder:latest .
+docker build \
+ --build-arg UID=$(id -u) --build-arg GID=$(id -g) \
+ -t wasi-sdk-builder:latest .
+
 echo "Building the package in docker image"
 mkdir -p ~/.ccache
-docker run --rm -v "$PWD":/workspace -v ~/.ccache:/root/.ccache -e NINJA_FLAGS=-v --workdir /workspace --tmpfs /tmp:exec wasi-sdk-builder:latest make package LLVM_CMAKE_FLAGS=-DLLVM_CCACHE_BUILD=ON
+docker run --rm \
+ --user $(id -u):$(id -g) \
+ -v "$PWD":/workspace:Z \
+ -v ~/.ccache:/home/builder/.ccache:Z \
+ -e NINJA_FLAGS=-v \
+ --tmpfs /tmp:exec \
+ wasi-sdk-builder:latest \
+ make package LLVM_CMAKE_FLAGS=-DLLVM_CCACHE_BUILD=ON
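Review bot: The two `ARG` lines are declared above the `apt-get` and CMake `RUN` steps, and per the Dockerfile reference every `RUN` after an `ARG` receives it as an environment variable, so a build with a different `--build-arg UID`/`GID` can miss the cache for those expensive layers even though only the `groupadd`/`useradd` step in the last Dockerfile hunk reads the values. Declaring `ARG UID=1000` and `ARG GID=1000` directly above that step would keep the package layers reusable across users. `UID` is also a read-only variable in bash, so if a `SHELL` instruction ever switches `RUN` to bash, `${UID}` would expand to the build process's own uid rather than the build argument; names such as `BUILDER_UID` and `BUILDER_GID` avoid that.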
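Review bot: `groupadd -g ${GID} builder` fails when the requested GID already exists in the base image, and `useradd --uid ${UID}` does the same for a taken UID, so the build breaks for any caller whose ids collide with an existing account; a CI job running as root (0:0) is the obvious case, and a low host GID can match an Ubuntu system group. Either reject such values with a clear message before this step or reuse the existing group, e.g. `RUN (getent group ${GID} >/dev/null || groupadd -g ${GID} builder) && useradd --create-home --uid ${UID} --gid ${GID} builder`. A comment above the step, `# builder mirrors the host user's UID/GID so files written to /workspace stay owned by the caller`, would tie it back to the `ARG`s at the top of the file. When the caller is root the container still runs as root through `docker run --user`, so the non-root benefit of `USER builder` holds only for unprivileged callers.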
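Review bot: The `:Z` suffix on both bind mounts is not mentioned in the commit message, and on SELinux hosts it relabels the host directory with a label private to this container; Docker's documentation warns against applying it to home or system directories, and `"$PWD"` is whatever directory the script happens to be started from. For `~/.ccache`, which other builds on the same host may share, the shared label is the safer choice: `-v ~/.ccache:/home/builder/.ccache:z \`. A comment above `docker run` such as `# :Z/:z relabel the mounts for SELinux; run this only from the project checkout` would record the intent. The `$(id -u)` and `$(id -g)` substitutions are also unquoted here and in the `docker build` call; `--user "$(id -u):$(id -g)"` is the usual form.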