From 4ce203bb838eaacf64680cd1ce837044eb060664 Mon Sep 17 00:00:00 2001
From: Andrew Obuchowicz
Date: Sun, 17 Sep 2023 23:37:47 -0400
Subject: [PATCH] WIP: ensure podman wrapper works from /home/tooling/
Signed-off-by: Andrew Obuchowicz
---
 base/ubi8/Dockerfile | 2 +-
 universal/ubi8/Dockerfile | 10 ++++++----
 universal/ubi8/entrypoint.sh | 20 ++++++++++----------
 3 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/base/ubi8/Dockerfile b/base/ubi8/Dockerfile
index 54fb31a0..657dfe00 100644
--- a/base/ubi8/Dockerfile
+++ b/base/ubi8/Dockerfile
@@ -111,7 +111,7 @@ RUN \
 chmod -R g=u /etc/passwd /etc/group /home && \
 chmod +x /entrypoint.sh && \
 # Create symbolic links from /home/tooling/ -> /home/user/
- stow . -t /home/user/ -d /home/tooling/ --no-folding && \
+ stow . -t /home/user/ -d /home/tooling/ && \
 # .viminfo cannot be a symbolic link for security reasons, so copy it to /home/user/
 cp /home/tooling/.viminfo /home/user/.viminfo
diff --git a/universal/ubi8/Dockerfile b/universal/ubi8/Dockerfile
index 1270cad9..d1aa64c2 100644
--- a/universal/ubi8/Dockerfile
+++ b/universal/ubi8/Dockerfile
@@ -1,7 +1,8 @@
 # syntax=docker/dockerfile:1.3-labs
 # updateBaseImages.sh can't operate on SHA-based tags as they're not date-based or semver-sequential, and therefore cannot be ordered
-FROM quay.io/devfile/base-developer-image:ubi8-latest
+#FROM quay.io/devfile/base-developer-image:ubi8-latest
+FROM docker.io/library/udi-base
 LABEL maintainer="Red Hat, Inc."
 LABEL com.redhat.component="devfile-universal-container"
@@ -86,9 +87,10 @@ ENV KUBECONFIG=/home/tooling/.kube/config
 USER 0
 # Define user directory for binaries
-RUN mkdir -p /home/user/.local/bin && \
+RUN mkdir -p /home/tooling/.local/bin && \
 chgrp -R 0 /home && chmod -R g=u /home
 ENV PATH="/home/user/.local/bin:$PATH"
+ENV PATH="/home/tooling/.local/bin:$PATH"
 # Required packages for AWT
 RUN dnf install -y libXext libXrender libXtst libXi
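Review bot: In base/ubi8/Dockerfile the `stow` call loses `--no-folding`, while universal/ubi8/Dockerfile and entrypoint.sh in this same patch still pass it, so the three call sites no longer build the same layout under /home/user/. Without the flag stow may stand in a single directory symlink for a directory that is missing from /home/user/, so later writes to that path would land in /home/tooling/, which the `chmod -R g=u` just above makes group-writable, rather than in the user's home. If folding is wanted here, a comment such as `# folding is intentional: directories absent from /home/user/ become links into /home/tooling/` would record it; otherwise keep `--no-folding`. The RUN instruction begins above this hunk.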
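Review bot: In the first universal/ubi8/Dockerfile hunk the new `FROM docker.io/library/udi-base` carries no tag or digest and sits under the registry namespace used for Docker official images, which looks like a local test build left in by this WIP change. On a builder that lacks the local image the name would be resolved against the public registry, so the base becomes whatever is published under it, or the build fails. Before merge, restore `FROM quay.io/devfile/base-developer-image:ubi8-latest` and drop the commented-out copy. If a local base is needed for testing, an argument above `FROM` keeps the default intact, for example `ARG BASE_IMAGE=quay.io/devfile/base-developer-image:ubi8-latest` followed by `FROM ${BASE_IMAGE}` (the argument name is only a suggestion, and updateBaseImages.sh would need checking against that form).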
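Review bot: In the second universal/ubi8/Dockerfile hunk the two consecutive `ENV PATH=` instructions put both /home/tooling/.local/bin and /home/user/.local/bin ahead of the system directories, and the `chmod -R g=u /home` in the same hunk gives the group the owner's write access to both. Whatever is placed there shadows the binaries further down PATH, which is presumably how the entrypoint's podman link takes effect, so the lookup order should be explicit and commented. A single `ENV PATH="/home/tooling/.local/bin:/home/user/.local/bin:$PATH"` with a comment such as `# tooling bin first: entrypoint.sh links podman here` gives the same order in one instruction. Note also that `mkdir -p` no longer creates /home/user/.local/bin, so that PATH entry may name a directory that exists only if stow creates it later.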
@@ -467,12 +469,12 @@ EOF
 RUN echo 'export SDKMAN_DIR="/home/tooling/.sdkman"' >> /home/tooling/.bashrc
 RUN echo '[[ -s "$SDKMAN_DIR/bin/sdkman-init.sh" ]] && source "$SDKMAN_DIR/bin/sdkman-init.sh"' >> /home/tooling/.bashrc
-# Set permissions on /etc/passwd and /home to allow arbitrary users to write
-RUN chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /home
 # Create symbolic links from /home/tooling/ -> /home/user/
 RUN stow . -t /home/user/ -d /home/tooling/ --no-folding
+# Set permissions on /etc/passwd and /home to allow arbitrary users to write
+RUN chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /home
 # cleanup dnf cache
 RUN dnf -y clean all --enablerepo='*'
diff --git a/universal/ubi8/entrypoint.sh b/universal/ubi8/entrypoint.sh
index 6f79e663..f2a6ee01 100755
--- a/universal/ubi8/entrypoint.sh
+++ b/universal/ubi8/entrypoint.sh
@@ -1,13 +1,5 @@
 #!/bin/bash
-# /home/user/ will be mounted to by a PVC if persistUserHome is enabled
-if mountpoint -q /home/user/; then
- # Create symbolic links from /home/tooling/ -> /home/user/
- stow . -t /home/user/ -d /home/tooling/ --no-folding
- # A symbolic link for .viminfo is not created for security reasons, so manually copy it
- cp /home/tooling/.viminfo /home/user/.viminfo
-fi
-
 # Kubedock
 if [ "${KUBEDOCK_ENABLED:-false}" = "true" ]; then
 echo
@@ -34,7 +26,7 @@ if [ "${KUBEDOCK_ENABLED:-false}" = "true" ]; then
 echo "Replacing podman with podman-wrapper..."
- ln -f -s /usr/bin/podman.wrapper /home/user/.local/bin/podman
+ ln -f -s /usr/bin/podman.wrapper /home/tooling/.local/bin/podman
 export TESTCONTAINERS_RYUK_DISABLED="true"
 export TESTCONTAINERS_CHECKS_DISABLE="true"
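Review bot: The third universal/ubi8/Dockerfile hunk moves the `chgrp`/`chmod` step below `stow` without recording why the order matters, so a later edit could swap them back unnoticed. Presumably the reason is that `stow --no-folding` creates real directories under /home/user/ that also need group 0 and `g=u`; if so, extend the comment, e.g. `# Must run after stow so the directories it creates in /home/user/ are group-writable too`. The same instruction gives the group of /etc/passwd and /etc/group the owner's permissions, which the comment covers only as "allow arbitrary users to write"; naming the runtime that requires this would let a reader judge the exposure.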
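Review bot: The `ln -f -s /usr/bin/podman.wrapper /home/tooling/.local/bin/podman` in the Kubedock branch of entrypoint.sh, and its `podman.orig` twin in the `else` branch of the last hunk, now write into the image's tooling tree at container start and their exit status is ignored. No `set -e` appears in the visible parts of the script, so if the runtime UID cannot write there, for instance on a read-only root filesystem, the script carries on and `podman` keeps resolving to whatever was there before, regardless of KUBEDOCK_ENABLED. Report the failure, e.g. `ln -f -s /usr/bin/podman.wrapper /home/tooling/.local/bin/podman || echo "WARNING: could not link podman wrapper" >&2`, and do the same for the `podman.orig` link. The enclosing `if` starts above this hunk.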
@@ -46,7 +38,15 @@ else
 echo "Kubedock is disabled. It can be enabled with the env variable \"KUBEDOCK_ENABLED=true\""
 echo "set in the workspace Devfile or in a Kubernetes ConfigMap in the developer namespace."
 echo
- ln -f -s /usr/bin/podman.orig /home/user/.local/bin/podman
+ ln -f -s /usr/bin/podman.orig /home/tooling/.local/bin/podman
+fi
+
+# /home/user/ will be mounted to by a PVC if persistUserHome is enabled
+if mountpoint -q /home/user/; then
+ # Create symbolic links from /home/tooling/ -> /home/user/
+ stow . -t /home/user/ -d /home/tooling/ --no-folding
+ # Vim does not permit .viminfo to be a symbolic link for security reasons, so manually copy it
+ cp /home/tooling/.viminfo /home/user/.viminfo
 fi
 exec "$@"
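Review bot: In the relocated PVC block at the end of entrypoint.sh, `cp /home/tooling/.viminfo /home/user/.viminfo` runs on every start when /home/user/ is a mount point, so a .viminfo already stored on the persistent volume is overwritten each time. Guarding it, `[ -e /home/user/.viminfo ] || cp /home/tooling/.viminfo /home/user/.viminfo`, keeps the user's copy. The `stow` call is likewise unchecked: on a volume that already holds real files with the same names it can refuse to link, and the script would continue to `exec "$@"` without a message. A one-line comment that this block must stay below the Kubedock section, presumably so the podman link exists in /home/tooling/ before stow runs, would also protect the new ordering.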