Thread UID/GID through Docker

When running Git commands inside this Docker container (i.e., commands that the `version.py` script needs for determining version information), the Docker build would run into issues like: ``` fatal: detected dubious ownership in repository at '/workspace' To add an exception for this directory, call: git config --global --add safe.directory /workspace ``` This is due to an extra Git check that detects that the Docker user is not the same one who owns the `.git` directory of this project. After looking into this, the best solution the internet has to offer is to thread the current user's UID and GID through the Docker image (i.e., the new `builder` user) and then `docker run --user ...`. This both avoids the Git check but also seems to be considered a best practice in some circles (?).
10 months ago · c376c9cfbd
parent 0409839729
commit c376c9cfbd
2 changed files with 34 additions and 13 deletions
--- a/32
+++ b/32
@ -3,18 +3,23 @@
 # Here we choose Bionic 18.04.
 FROM ubuntu:bionic

+# We want to use the same UID/GID of the external user to avoid permission
+# issues. See the user setup at the end of the file.
+ARG UID=1000
+ARG GID=1000
+
 RUN apt-get update \
- && apt-get install -y --no-install-recommends \
-        ccache \
-        curl \
-        ca-certificates \
-        build-essential \
-        clang \
-        python3 \
-        git \
-        ninja-build \
- && apt-get clean \
- && rm -rf /var/lib/apt/lists/*
+  && apt-get install -y --no-install-recommends \
+  ccache \
+  curl \
+  ca-certificates \
+  build-essential \
+  clang \
+  python3 \
+  git \
+  ninja-build \
+  && apt-get clean \
+  && rm -rf /var/lib/apt/lists/*

 RUN curl -sSLO https://github.com/Kitware/CMake/releases/download/v3.25.1/cmake-3.25.1-linux-x86_64.tar.gz \
  && tar xf cmake-3.25.1-linux-x86_64.tar.gz \
@ -22,3 +27,8 @@ RUN curl -sSLO https://github.com/Kitware/CMake/releases/download/v3.25.1/cmake-
  && mkdir -p /opt \
  && mv cmake-3.25.1-linux-x86_64 /opt/cmake
 ENV PATH /opt/cmake/bin:$PATH
+
+RUN groupadd -g ${GID} builder && \
+  useradd --create-home --uid ${UID} --gid ${GID} builder
+USER builder
+WORKDIR /workspace
--- a/docker_build.sh
+++ b/docker_build.sh
@ -1,7 +1,18 @@
 #!/bin/sh
 set -ex
+
 echo "Building the docker image"
-docker build -t wasi-sdk-builder:latest .
+docker build \
+    --build-arg UID=$(id -u) --build-arg GID=$(id -g) \
+    -t wasi-sdk-builder:latest .
+
 echo "Building the package in docker image"
 mkdir -p ~/.ccache
-docker run --rm -v "$PWD":/workspace -v ~/.ccache:/root/.ccache -e NINJA_FLAGS=-v --workdir /workspace --tmpfs /tmp:exec wasi-sdk-builder:latest make package LLVM_CMAKE_FLAGS=-DLLVM_CCACHE_BUILD=ON
+docker run --rm \
+    --user $(id -u):$(id -g) \
+    -v "$PWD":/workspace:Z \
+    -v ~/.ccache:/home/builder/.ccache:Z \
+    -e NINJA_FLAGS=-v \
+    --tmpfs /tmp:exec \
+    wasi-sdk-builder:latest \
+    make package LLVM_CMAKE_FLAGS=-DLLVM_CCACHE_BUILD=ON