From 4f70e6d37b9b0dd2f7b1458a761037b5397e989e Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Thu, 3 Aug 2023 01:20:39 -0400 Subject: [PATCH 01/16] Manually add sdkman init script launcher to end of .bashrc Part of eclipse/che#22411 Signed-off-by: Andrew Obuchowicz --- universal/ubi8/Dockerfile | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/universal/ubi8/Dockerfile b/universal/ubi8/Dockerfile index d6ff5db9..368ee0fb 100644 --- a/universal/ubi8/Dockerfile +++ b/universal/ubi8/Dockerfile @@ -20,7 +20,7 @@ LABEL io.openshift.expose-services="" USER 10001 # Java -RUN curl -fsSL "https://get.sdkman.io" | bash \ +RUN curl -fsSL "https://get.sdkman.io/?rcupdate=false" | bash \ && bash -c ". /home/user/.sdkman/bin/sdkman-init.sh \ && sed -i "s/sdkman_auto_answer=false/sdkman_auto_answer=true/g" /home/user/.sdkman/etc/config \ && sed -i "s/sdkman_auto_env=false/sdkman_auto_env=true/g" /home/user/.sdkman/etc/config \ @@ -414,6 +414,12 @@ cd - rm -rf "${TEMP_DIR}" EOF + +# Add sdkman's init script launcher to the end of the .bashrc since we are not adding it on sdkman install +# NOTE: all modifications to the .bashrc must happen BEFORE this step in order for sdkman to function correctly +RUN echo 'export SDKMAN_DIR="/home/user/.sdkman"' >> /home/user/.bashrc +RUN echo '[[ -s "/home/user/.sdkman/bin/sdkman-init.sh" ]] && source "/home/user/.sdkman/bin/sdkman-init.sh"' >> /home/user/.bashrc + # Set permissions on /etc/passwd and /home to allow arbitrary users to write RUN chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /home From 48da97d4612123197a573477743c6698523c162b Mon Sep 17 00:00:00 2001 
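Review bot: The changed `RUN curl -fsSL "https://get.sdkman.io/?rcupdate=false" | bash` line in the first hunk still executes whatever the endpoint serves at build time, with no pinned version and no integrity check, so a changed or tampered installer ends up in every rebuilt image. Consider saving the installer to a file and checking it against a digest recorded in this repository before running it, e.g. `echo "<expected-sha256>  sdkman-install.sh" | sha256sum -c -` followed by `bash sdkman-install.sh`. The nvm installer line in PATCH 03/16 (`curl -o- …/v0.39.5/install.sh | PROFILE=/dev/null bash`) has the same gap: a tag is named there, but the downloaded content is not verified. The RUN instruction continues past the end of this hunk.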
From: Andrew Obuchowicz Date: Thu, 3 Aug 2023 01:22:05 -0400 Subject: [PATCH 02/16] Use bash-completion package for bash completions All bash-completions located in /usr/share/bash-completion/completions/ are now enabled by default. oc and git completions were already being stored in /usr/share/bash-completion/completions/ which is why they are no longer being explicitly sourced in the .bashrc. Signed-off-by: Andrew Obuchowicz --- universal/ubi8/Dockerfile | 23 ++++++++++++----------- 1 file changed, 12 insertions(+), 11 deletions(-) diff --git a/universal/ubi8/Dockerfile b/universal/ubi8/Dockerfile index 368ee0fb..dea3dc32 100644 --- a/universal/ubi8/Dockerfile +++ b/universal/ubi8/Dockerfile @@ -170,17 +170,12 @@ ENV KAMEL_VERSION 1.11.0 RUN curl -L https://github.com/apache/camel-k/releases/download/v${KAMEL_VERSION}/camel-k-client-${KAMEL_VERSION}-linux-64bit.tar.gz | tar -C /usr/local/bin -xz \ && chmod +x /usr/local/bin/kamel -# git completion -RUN echo "source /usr/share/bash-completion/completions/git" >> /home/user/.bashrc - # Cloud -# oc client and completion +# oc client ENV OC_VERSION=4.6 RUN curl -L https://mirror.openshift.com/pub/openshift-v4/clients/oc/${OC_VERSION}/linux/oc.tar.gz | tar -C /usr/local/bin -xz \ - && chmod +x /usr/local/bin/oc \ - && oc completion bash > /usr/share/bash-completion/completions/oc \ - && echo "source /usr/share/bash-completion/completions/oc" >> /home/user/.bashrc + && chmod +x /usr/local/bin/oc ## podman buildah skopeo RUN dnf -y module enable container-tools:rhel8 && \ 
@@ -238,10 +233,6 @@ curl -sSL -o ~/.kubectl_aliases https://raw.githubusercontent.com/ahmetb/kubectl echo '[ -f ~/.kubectl_aliases ] && source ~/.kubectl_aliases' >> /home/user/.bashrc EOF -# kubectl completion -RUN kubectl completion bash > /usr/share/bash-completion/completions/kubectl \ - && echo "source /usr/share/bash-completion/completions/kubectl" >> /home/user/.bashrc - ## shellcheck RUN <> /home/user/.bashrc +oc completion bash > /usr/share/bash-completion/completions/oc +kubectl completion bash > /usr/share/bash-completion/completions/kubectl +EOF # Add sdkman's init script launcher to the end of the .bashrc since we are not adding it on sdkman install # NOTE: all modifications to the .bashrc must happen BEFORE this step in order for sdkman to function correctly From bcff88678ec4d7a18a804fdb070f09087b4e08cf Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Thu, 3 Aug 2023 13:43:18 -0400 Subject: [PATCH 03/16] Manually add nvm bash completion Signed-off-by: Andrew Obuchowicz --- universal/ubi8/Dockerfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/universal/ubi8/Dockerfile b/universal/ubi8/Dockerfile index dea3dc32..0c2544f3 100644 --- a/universal/ubi8/Dockerfile +++ b/universal/ubi8/Dockerfile 
@@ -67,7 +67,10 @@ ENV NODEJS_20_VERSION=20.7.0 # note that 18.18.0 is the latest but 18.16.1 is the supported version downstream and in ubi8 ENV NODEJS_18_VERSION=18.16.1 ENV NODEJS_DEFAULT_VERSION=${NODEJS_18_VERSION} -RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | bash && source /home/user/.bashrc && \ +RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | PROFILE=/dev/null bash +RUN echo 'export NVM_DIR="$HOME/.nvm"' >> /home/user/.bashrc \ + && echo '[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"' >> /home/user/.bashrc +RUN source /home/user/.bashrc && \ nvm install v${NODEJS_20_VERSION} && \ nvm install v${NODEJS_18_VERSION} && \ nvm alias default v${NODEJS_DEFAULT_VERSION} && nvm use v${NODEJS_DEFAULT_VERSION} && \ @@ -414,6 +417,7 @@ RUN <> /home/user/.bashrc oc completion bash > /usr/share/bash-completion/completions/oc kubectl completion bash > /usr/share/bash-completion/completions/kubectl +cat ${NVM_DIR}/bash_completion > /usr/share/bash-completion/completions/nvm EOF # Add sdkman's init script launcher to the end of the .bashrc since we are not adding it on sdkman install From 0b3a58d2143c089d45658b2bd003a47e12ea9a26 Mon Sep 17 00:00:00 2001 
From: Andrew Obuchowicz Date: Wed, 16 Aug 2023 11:25:27 -0400 Subject: [PATCH 04/16] Move tools & configs from /home/user/ to /home/tooling/ Fix eclipse/che#22412 When persistUserHome is enabled in the Che Cluster CR, the PVC will be mounted to /home/user/, overwriting all tools and configuration present in the UDI /home/user/ directory. To prevent this overwriting, all tools and configurations should be located in /home/tooling/. To ensure existing workflows still function correctly, symbolic links should be created to point from /home/tooling/ -> /home/user/. GNU stow is used to manage these symbolic links. with the --no-folding option enabled, to recreate the directory tree, ensuring all configuration directories exist in /home/user/ and can be written to. Signed-off-by: Andrew Obuchowicz --- universal/ubi8/Dockerfile | 91 ++++++++++++++++++++++-------------- universal/ubi8/entrypoint.sh | 6 +++ 2 files changed, 61 insertions(+), 36 deletions(-) diff --git a/universal/ubi8/Dockerfile b/universal/ubi8/Dockerfile index 0c2544f3..cbefa802 100644 --- a/universal/ubi8/Dockerfile +++ b/universal/ubi8/Dockerfile 
@@ -19,11 +19,19 @@ LABEL io.openshift.expose-services="" USER 10001 +# We install everything to /home/tooling/ as /home/user/ may get overriden, see github.com/eclipse/che/issues/22412 +RUN mkdir -p /home/tooling/ +ENV HOME=/home/tooling + +RUN cp /home/user/.bashrc /home/tooling/.bashrc +# /home/user/.bashrc will be replaced with the a symlink from /home/tooling/.bashrc +RUN rm /home/user/.bashrc + # Java RUN curl -fsSL "https://get.sdkman.io/?rcupdate=false" | bash \ - && bash -c ". /home/user/.sdkman/bin/sdkman-init.sh \ - && sed -i "s/sdkman_auto_answer=false/sdkman_auto_answer=true/g" /home/user/.sdkman/etc/config \ - && sed -i "s/sdkman_auto_env=false/sdkman_auto_env=true/g" /home/user/.sdkman/etc/config \ + && bash -c ". /home/tooling/.sdkman/bin/sdkman-init.sh \ + && sed -i "s/sdkman_auto_answer=false/sdkman_auto_answer=true/g" /home/tooling/.sdkman/etc/config \ + && sed -i "s/sdkman_auto_env=false/sdkman_auto_env=true/g" /home/tooling/.sdkman/etc/config \ && sdk install java 8.0.332-tem \ && sdk install java 11.0.15-tem \ && sdk install java 17.0.3-tem \ 
@@ -34,53 +42,55 @@ RUN curl -fsSL "https://get.sdkman.io/?rcupdate=false" | bash \ && sdk install jbang \ && sdk flush archives \ && sdk flush temp" \ - && chgrp -R 0 /home/user && chmod -R g=u /home/user + && chgrp -R 0 /home/tooling && chmod -R g=u /home/tooling # sdk home java -ENV JAVA_HOME_8=/home/user/.sdkman/candidates/java/8.0.332-tem -ENV JAVA_HOME_11=/home/user/.sdkman/candidates/java/11.0.15-tem -ENV JAVA_HOME_17=/home/user/.sdkman/candidates/java/17.0.3-tem +ENV JAVA_HOME_8=/home/tooling/.sdkman/candidates/java/8.0.332-tem +ENV JAVA_HOME_11=/home/tooling/.sdkman/candidates/java/11.0.15-tem +ENV JAVA_HOME_17=/home/tooling/.sdkman/candidates/java/17.0.3-tem -# Java-related environment variables are described and set by /home/user/.bashrc +# Java-related environment variables are described and set by /home/tooling/.bashrc # To make Java working for dash and other shells, it needs to initialize them in the Dockerfile. ENV SDKMAN_CANDIDATES_API="https://api.sdkman.io/2" -ENV SDKMAN_CANDIDATES_DIR="/home/user/.sdkman/candidates" -ENV SDKMAN_DIR="/home/user/.sdkman" +ENV SDKMAN_CANDIDATES_DIR="/home/tooling/.sdkman/candidates" +ENV SDKMAN_DIR="/home/tooling/.sdkman" ENV SDKMAN_PLATFORM="linuxx64" ENV SDKMAN_VERSION="5.13.0" -ENV GRADLE_HOME="/home/user/.sdkman/candidates/gradle/current" -ENV JAVA_HOME="/home/user/.sdkman/candidates/java/current" -ENV MAVEN_HOME="/home/user/.sdkman/candidates/maven/current" +ENV GRADLE_HOME="/home/tooling/.sdkman/candidates/gradle/current" +ENV JAVA_HOME="/home/tooling/.sdkman/candidates/java/current" +ENV MAVEN_HOME="/home/tooling/.sdkman/candidates/maven/current" -ENV GRAALVM_HOME=/home/user/.sdkman/candidates/java/22.1.0.0.r17-mandrel +ENV GRAALVM_HOME=/home/tooling/.sdkman/candidates/java/22.1.0.0.r17-mandrel -ENV PATH="/home/user/.krew/bin:$PATH" -ENV PATH="/home/user/.sdkman/candidates/maven/current/bin:$PATH" -ENV PATH="/home/user/.sdkman/candidates/java/current/bin:$PATH" -ENV 
PATH="/home/user/.sdkman/candidates/gradle/current/bin:$PATH" -ENV PATH="/home/user/.local/share/coursier/bin:$PATH" +ENV PATH="/home/tooling/.krew/bin:$PATH" +ENV PATH="/home/tooling/.sdkman/candidates/maven/current/bin:$PATH" +ENV PATH="/home/tooling/.sdkman/candidates/java/current/bin:$PATH" +ENV PATH="/home/tooling/.sdkman/candidates/gradle/current/bin:$PATH" +ENV PATH="/home/tooling/.local/share/coursier/bin:$PATH" # NodeJS -ENV NVM_DIR="/home/user/.nvm" +RUN mkdir -p /home/tooling/.nvm/ +ENV NVM_DIR="/home/tooling/.nvm" ENV NODEJS_20_VERSION=20.7.0 # note that 18.18.0 is the latest but 18.16.1 is the supported version downstream and in ubi8 ENV NODEJS_18_VERSION=18.16.1 ENV NODEJS_DEFAULT_VERSION=${NODEJS_18_VERSION} RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | PROFILE=/dev/null bash -RUN echo 'export NVM_DIR="$HOME/.nvm"' >> /home/user/.bashrc \ - && echo '[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"' >> /home/user/.bashrc -RUN source /home/user/.bashrc && \ +RUN echo 'export NVM_DIR="$HOME/.nvm"' >> /home/tooling/.bashrc \ + && echo '[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"' >> /home/tooling/.bashrc +RUN source /home/tooling/.bashrc && \ nvm install v${NODEJS_20_VERSION} && \ nvm install v${NODEJS_18_VERSION} && \ nvm alias default v${NODEJS_DEFAULT_VERSION} && nvm use v${NODEJS_DEFAULT_VERSION} && \ npm install --global yarn@v1.22.17 &&\ - chgrp -R 0 /home/user && chmod -R g=u /home/user + chgrp -R 0 /home/tooling && chmod -R g=u /home/tooling ENV PATH=$NVM_DIR/versions/node/v${NODEJS_DEFAULT_VERSION}/bin:$PATH ENV NODEJS_HOME_20=$NVM_DIR/versions/node/v${NODEJS_20_VERSION} ENV NODEJS_HOME_18=$NVM_DIR/versions/node/v${NODEJS_18_VERSION} # kube +# The Che User Dashboard creates the kube config in /home/user/ and not /home/tooling/ ENV KUBECONFIG=/home/user/.kube/config USER 0 
@@ -112,11 +122,11 @@ RUN curl -fLo mill https://raw.githubusercontent.com/lefou/millw/main/millw && \ RUN dnf -y install llvm-toolset gcc gcc-c++ clang clang-libs clang-tools-extra gdb # Go 1.18+ - installed to /usr/bin/go -# gopls 0.10+ - installed to /home/user/go/bin/gopls and /home/user/go/pkg/mod/ +# gopls 0.10+ - installed to /home/tooling/go/bin/gopls and /home/tooling/go/pkg/mod/ RUN dnf install -y go-toolset && \ GO111MODULE=on go install -v golang.org/x/tools/gopls@latest && \ - chgrp -R 0 /home/user && chmod -R g=u /home/user -ENV GOBIN="/home/user/go/bin/" + chgrp -R 0 /home/tooling && chmod -R g=u /home/tooling +ENV GOBIN="/home/tooling/go/bin/" ENV PATH="$GOBIN:$PATH" # Python @@ -159,14 +169,14 @@ ENV DOTNET_RPM_VERSION=6.0 RUN dnf install -y dotnet-hostfxr-${DOTNET_RPM_VERSION} dotnet-runtime-${DOTNET_RPM_VERSION} dotnet-sdk-${DOTNET_RPM_VERSION} # rust -ENV CARGO_HOME=/home/user/.cargo \ - RUSTUP_HOME=/home/user/.rustup \ - PATH=/home/user/.cargo/bin:${PATH} +ENV CARGO_HOME=/home/tooling/.cargo \ + RUSTUP_HOME=/home/tooling/.rustup \ + PATH=/home/tooling/.cargo/bin:${PATH} RUN curl --proto '=https' --tlsv1.2 -sSfo rustup https://sh.rustup.rs && \ chmod +x rustup && \ mv rustup /usr/bin/ && \ rustup -y --no-modify-path --profile minimal -c rust-src -c rust-analysis -c rls && \ - chgrp -R 0 /home/user && chmod -R g=u /home/user + chgrp -R 0 /home/tooling && chmod -R g=u /home/tooling # camel-k ENV KAMEL_VERSION 1.11.0 @@ -233,7 +243,7 @@ EOF2 dnf install -y kubectl curl -sSL -o ~/.kubectl_aliases https://raw.githubusercontent.com/ahmetb/kubectl-alias/master/.kubectl_aliases -echo '[ -f ~/.kubectl_aliases ] && source ~/.kubectl_aliases' >> /home/user/.bashrc +echo '[ -f ~/.kubectl_aliases ] && source ~/.kubectl_aliases' >> /home/tooling/.bashrc EOF ## shellcheck 
@@ -273,7 +283,7 @@ sha256sum -c "${KREW_TGZ}.sha256" 2>&1 | grep OK tar -zxvf "${KREW_TGZ}" ./"krew-${KREW_ARCH}" install krew -echo 'export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"' >> /home/user/.bashrc +echo 'export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"' >> /home/tooling/.bashrc export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH" # kubens and kubectx kubectl krew install ns @@ -414,7 +424,7 @@ RUN dnf -y install bash-completion \ && rm -rf /var/cache/yum RUN <> /home/user/.bashrc +echo "source /etc/profile.d/bash_completion.sh" >> /home/tooling/.bashrc oc completion bash > /usr/share/bash-completion/completions/oc kubectl completion bash > /usr/share/bash-completion/completions/kubectl cat ${NVM_DIR}/bash_completion > /usr/share/bash-completion/completions/nvm @@ -422,15 +432,24 @@ EOF # Add sdkman's init script launcher to the end of the .bashrc since we are not adding it on sdkman install # NOTE: all modifications to the .bashrc must happen BEFORE this step in order for sdkman to function correctly -RUN echo 'export SDKMAN_DIR="/home/user/.sdkman"' >> /home/user/.bashrc -RUN echo '[[ -s "/home/user/.sdkman/bin/sdkman-init.sh" ]] && source "/home/user/.sdkman/bin/sdkman-init.sh"' >> /home/user/.bashrc +RUN echo 'export SDKMAN_DIR="/home/tooling/.sdkman"' >> /home/tooling/.bashrc +RUN echo '[[ -s "$SDKMAN_DIR/bin/sdkman-init.sh" ]] && source "$SDKMAN_DIR/bin/sdkman-init.sh"' >> /home/tooling/.bashrc # Set permissions on /etc/passwd and /home to allow arbitrary users to write RUN chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /home +# Create symbolic links from /home/tooling/ -> /home/user/ +RUN dnf -y install stow \ + && dnf clean all \ + && rm -rf /var/cache/yum \ + && stow . -t /home/user/ -d /home/tooling/ --no-folding + + # cleanup dnf cache RUN dnf -y clean all --enablerepo='*' COPY --chown=0:0 entrypoint.sh / USER 10001 + +ENV HOME=/home/user 
diff --git a/universal/ubi8/entrypoint.sh b/universal/ubi8/entrypoint.sh index fc24dd7f..f035fa65 100755 --- a/universal/ubi8/entrypoint.sh +++ b/universal/ubi8/entrypoint.sh @@ -1,5 +1,11 @@ #!/bin/bash +# /home/user/ will be mounted to by a PVC if persistUserHome is enabled +if mountpoint -q /home/user/; then + # Create symbolic links from /home/tooling/ -> /home/user/ + stow . -t /home/user/ -d /home/tooling/ --no-folding +fi + # Kubedock if [ "${KUBEDOCK_ENABLED:-false}" = "true" ]; then echo From 7225e21fc75a4f24c2aea05044c53c2bf8a26849 Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Wed, 30 Aug 2023 16:55:43 -0400 Subject: [PATCH 05/16] Move tools & configs to /home/tooling/ in UBI8 base image Signed-off-by: Andrew Obuchowicz --- base/ubi8/Dockerfile | 19 ++++++++++++++----- universal/ubi8/Dockerfile | 10 +--------- 2 files changed, 15 insertions(+), 14 deletions(-) diff --git a/base/ubi8/Dockerfile b/base/ubi8/Dockerfile index 62a1087b..080dbbda 100644 --- a/base/ubi8/Dockerfile +++ b/base/ubi8/Dockerfile @@ -19,10 +19,13 @@ LABEL io.openshift.expose-services="" USER 0 +ENV HOME=/home/tooling +RUN mkdir -p /home/tooling/ + RUN dnf install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm && \ dnf update -y && \ dnf install -y bash curl diffutils git git-lfs iproute jq less lsof man nano procps p7zip p7zip-plugins \ - perl-Digest-SHA net-tools openssh-clients rsync socat sudo time vim wget zip && \ + perl-Digest-SHA net-tools openssh-clients rsync socat sudo time vim wget zip stow && \ dnf clean all ## gh-cli 
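Review bot: The `stow` call added at the top of entrypoint.sh has no failure handling, and a persisted /home/user is where it is most likely to fail. Stow will not link over a file it does not own, so a `.bashrc` already present on the PVC would, as far as I know, make it stop without creating any links. The script then carries on into the Kubedock section with a home directory that lacks the tool configuration, and the only trace is stow's stderr output. At minimum report the failure, e.g. `stow . -t /home/user/ -d /home/tooling/ --no-folding || echo "stow failed: tool configuration in /home/user may be incomplete" >&2`, and add a comment stating which side should win on a conflict.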
@@ -92,16 +95,22 @@ COPY --chown=0:0 entrypoint.sh / RUN \ # add user and configure it useradd -u 10001 -G wheel,root -d /home/user --shell /bin/bash -m user && \ + # useradd will give us our default .bashrc + cp /home/user/.bashrc /home/tooling/.bashrc && \ + # /home/user/.bashrc will be replaced with the a symlink from /home/tooling/.bashrc + rm /home/user/.bashrc && \ # Setup $PS1 for a consistent and reasonable prompt - echo "export PS1='\W \`git branch --show-current 2>/dev/null | sed -r -e \"s@^(.+)@\(\1\) @\"\`$ '" >> /home/user/.bashrc && \ + echo "export PS1='\W \`git branch --show-current 2>/dev/null | sed -r -e \"s@^(.+)@\(\1\) @\"\`$ '" >> ${HOME}/.bashrc && \ # Copy the global git configuration to user config as global /etc/gitconfig # file may be overwritten by a mounted file at runtime - cp /etc/gitconfig /home/user/.gitconfig && \ - chown 10001 /home/user/.gitconfig && \ + cp /etc/gitconfig ${HOME}/.gitconfig && \ + chown -R 10001 ${HOME}/ && \ # Set permissions on /etc/passwd and /home to allow arbitrary users to write chgrp -R 0 /home && \ chmod -R g=u /etc/passwd /etc/group /home && \ - chmod +x /entrypoint.sh + chmod +x /entrypoint.sh && \ + # Create symbolic links from /home/tooling/ -> /home/user/ + stow . -t /home/user/ -d /home/tooling/ --no-folding USER 10001 ENV HOME=/home/user diff --git a/universal/ubi8/Dockerfile b/universal/ubi8/Dockerfile index cbefa802..50ecad33 100644 --- a/universal/ubi8/Dockerfile +++ b/universal/ubi8/Dockerfile 
@@ -20,13 +20,8 @@ LABEL io.openshift.expose-services="" USER 10001 # We install everything to /home/tooling/ as /home/user/ may get overriden, see github.com/eclipse/che/issues/22412 -RUN mkdir -p /home/tooling/ ENV HOME=/home/tooling -RUN cp /home/user/.bashrc /home/tooling/.bashrc -# /home/user/.bashrc will be replaced with the a symlink from /home/tooling/.bashrc -RUN rm /home/user/.bashrc - # Java RUN curl -fsSL "https://get.sdkman.io/?rcupdate=false" | bash \ && bash -c ". /home/tooling/.sdkman/bin/sdkman-init.sh \ @@ -439,10 +434,7 @@ RUN echo '[[ -s "$SDKMAN_DIR/bin/sdkman-init.sh" ]] && source "$SDKMAN_DIR/bin/s RUN chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /home # Create symbolic links from /home/tooling/ -> /home/user/ -RUN dnf -y install stow \ - && dnf clean all \ - && rm -rf /var/cache/yum \ - && stow . -t /home/user/ -d /home/tooling/ --no-folding +RUN stow . -t /home/user/ -d /home/tooling/ --no-folding # cleanup dnf cache From a9669fa1903e1ca37f4b02e871025fd791eb5e56 Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Wed, 13 Sep 2023 22:10:46 -0400 Subject: [PATCH 06/16] Don't stow .viminfo The .viminfo cannot be a symbolic link for security reasons. Thus it is ignored by stow and manually copied from /home/tooling/ to /home/user/ instead. Signed-off-by: Andrew Obuchowicz --- base/ubi8/.stow-local-ignore | 2 ++ base/ubi8/Dockerfile | 5 ++++- universal/ubi8/entrypoint.sh | 2 ++ 3 files changed, 8 insertions(+), 1 deletion(-) create mode 100644 base/ubi8/.stow-local-ignore diff --git a/base/ubi8/.stow-local-ignore b/base/ubi8/.stow-local-ignore new file mode 100644 index 00000000..1cceb80d --- /dev/null +++ b/base/ubi8/.stow-local-ignore @@ -0,0 +1,2 @@ +# .viminfo cannot be a symlink for security reasons +\.viminfo diff --git a/base/ubi8/Dockerfile b/base/ubi8/Dockerfile index 080dbbda..8ed69f76 100644 --- a/base/ubi8/Dockerfile +++ b/base/ubi8/Dockerfile 
@@ -92,6 +92,7 @@ RUN \ rm -rf "${TEMP_DIR}" COPY --chown=0:0 entrypoint.sh / +COPY --chown=0:0 .stow-local-ignore /home/tooling/ RUN \ # add user and configure it useradd -u 10001 -G wheel,root -d /home/user --shell /bin/bash -m user && \ @@ -110,7 +111,9 @@ RUN \ chmod -R g=u /etc/passwd /etc/group /home && \ chmod +x /entrypoint.sh && \ # Create symbolic links from /home/tooling/ -> /home/user/ - stow . -t /home/user/ -d /home/tooling/ --no-folding + stow . -t /home/user/ -d /home/tooling/ --no-folding && \ + # .viminfo cannot be a symbolic link for security reasons, so copy it to /home/user/ + cp /home/tooling/.viminfo /home/user/.viminfo USER 10001 ENV HOME=/home/user diff --git a/universal/ubi8/entrypoint.sh b/universal/ubi8/entrypoint.sh index f035fa65..6f79e663 100755 --- a/universal/ubi8/entrypoint.sh +++ b/universal/ubi8/entrypoint.sh @@ -4,6 +4,8 @@ if mountpoint -q /home/user/; then # Create symbolic links from /home/tooling/ -> /home/user/ stow . -t /home/user/ -d /home/tooling/ --no-folding + # A symbolic link for .viminfo is not created for security reasons, so manually copy it + cp /home/tooling/.viminfo /home/user/.viminfo fi # Kubedock From 0d3e7669c19f123d89ff67658712828536b33b11 Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Sun, 17 Sep 2023 23:37:47 -0400 Subject: [PATCH 07/16] Ensure podman wrapper works from /home/tooling/ Signed-off-by: Andrew Obuchowicz --- base/ubi8/Dockerfile | 2 +- universal/ubi8/Dockerfile | 8 ++++---- universal/ubi8/entrypoint.sh | 24 ++++++++++++------------ 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/base/ubi8/Dockerfile b/base/ubi8/Dockerfile index 8ed69f76..a7bb2eb2 100644 --- a/base/ubi8/Dockerfile +++ b/base/ubi8/Dockerfile 
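Review bot: The `cp /home/tooling/.viminfo /home/user/.viminfo` added to entrypoint.sh runs on every start when /home/user is a mount point, so each start replaces the `.viminfo` the user has built up on the persistent volume with the image's copy. Copy only when the target is absent, e.g. `[ -e /home/user/.viminfo ] || cp /home/tooling/.viminfo /home/user/.viminfo`. The same `cp` appended to the `RUN` chain in base/ubi8/Dockerfile (second hunk) assumes /home/tooling/.viminfo already exists. Nothing in the visible hunks creates it, and a missing source would fail the `&&` chain, so confirm which step provides the file.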
@@ -111,7 +111,7 @@ RUN \ chmod -R g=u /etc/passwd /etc/group /home && \ chmod +x /entrypoint.sh && \ # Create symbolic links from /home/tooling/ -> /home/user/ - stow . -t /home/user/ -d /home/tooling/ --no-folding && \ + stow . -t /home/user/ -d /home/tooling/ && \ # .viminfo cannot be a symbolic link for security reasons, so copy it to /home/user/ cp /home/tooling/.viminfo /home/user/.viminfo diff --git a/universal/ubi8/Dockerfile b/universal/ubi8/Dockerfile index 50ecad33..1701ad60 100644 --- a/universal/ubi8/Dockerfile +++ b/universal/ubi8/Dockerfile @@ -85,15 +85,15 @@ ENV NODEJS_HOME_20=$NVM_DIR/versions/node/v${NODEJS_20_VERSION} ENV NODEJS_HOME_18=$NVM_DIR/versions/node/v${NODEJS_18_VERSION} # kube -# The Che User Dashboard creates the kube config in /home/user/ and not /home/tooling/ ENV KUBECONFIG=/home/user/.kube/config USER 0 # Define user directory for binaries -RUN mkdir -p /home/user/.local/bin && \ +RUN mkdir -p /home/tooling/.local/bin && \ chgrp -R 0 /home && chmod -R g=u /home ENV PATH="/home/user/.local/bin:$PATH" +ENV PATH="/home/tooling/.local/bin:$PATH" # Required packages for AWT RUN dnf install -y libXext libXrender libXtst libXi @@ -430,12 +430,12 @@ EOF RUN echo 'export SDKMAN_DIR="/home/tooling/.sdkman"' >> /home/tooling/.bashrc RUN echo '[[ -s "$SDKMAN_DIR/bin/sdkman-init.sh" ]] && source "$SDKMAN_DIR/bin/sdkman-init.sh"' >> /home/tooling/.bashrc -# Set permissions on /etc/passwd and /home to allow arbitrary users to write -RUN chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /home # Create symbolic links from /home/tooling/ -> /home/user/ RUN stow . -t /home/user/ -d /home/tooling/ --no-folding +# Set permissions on /etc/passwd and /home to allow arbitrary users to write +RUN chgrp -R 0 /home && chmod -R g=u /etc/passwd /etc/group /home # cleanup dnf cache RUN dnf -y clean all --enablerepo='*' diff --git a/universal/ubi8/entrypoint.sh b/universal/ubi8/entrypoint.sh index 6f79e663..0098512b 100755 
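Review bot: Dropping `--no-folding` from the `stow` call in base/ubi8/Dockerfile is not explained, and it leaves the base image inconsistent with universal/ubi8/Dockerfile and entrypoint.sh, which keep the flag. With folding allowed, stow may expose a whole directory in /home/user as a single symlink, so files written there land under /home/tooling rather than in the persisted home, which is the situation PATCH 04/16 gave as the reason for the flag. If the change is deliberate (for example because /home/tooling holds no directories at this point, which these hunks do not show), say so in a comment above the line; otherwise restore the flag. The RUN chain starts outside this hunk.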
--- a/universal/ubi8/entrypoint.sh +++ b/universal/ubi8/entrypoint.sh @@ -1,20 +1,12 @@ #!/bin/bash -# /home/user/ will be mounted to by a PVC if persistUserHome is enabled -if mountpoint -q /home/user/; then - # Create symbolic links from /home/tooling/ -> /home/user/ - stow . -t /home/user/ -d /home/tooling/ --no-folding - # A symbolic link for .viminfo is not created for security reasons, so manually copy it - cp /home/tooling/.viminfo /home/user/.viminfo -fi - # Kubedock if [ "${KUBEDOCK_ENABLED:-false}" = "true" ]; then echo echo "Kubedock is enabled (env variable KUBEDOCK_ENABLED is set to true)." SECONDS=0 - until [ -f /home/user/.kube/config ]; do + until [ -f $KUBECONFIG ]; do if (( SECONDS > 10 )); then echo "Giving up..." exit 1 @@ -24,7 +16,7 @@ if [ "${KUBEDOCK_ENABLED:-false}" = "true" ]; then done echo "Kubeconfig found." - KUBEDOCK_PARAMS=${KUBEDOCK_PARAMS:-"--reverse-proxy"} + KUBEDOCK_PARAMS=${KUBEDOCK_PARAMS:-"--reverse-proxy --kubeconfig $KUBECONFIG"} echo "Starting kubedock with params \"${KUBEDOCK_PARAMS}\"..." @@ -34,7 +26,7 @@ if [ "${KUBEDOCK_ENABLED:-false}" = "true" ]; then echo "Replacing podman with podman-wrapper..." - ln -f -s /usr/bin/podman.wrapper /home/user/.local/bin/podman + ln -f -s /usr/bin/podman.wrapper /home/tooling/.local/bin/podman export TESTCONTAINERS_RYUK_DISABLED="true" export TESTCONTAINERS_CHECKS_DISABLE="true" 
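Review bot: `until [ -f $KUBECONFIG ]` in the first hunk expands the variable unquoted, so when KUBECONFIG is unset or empty in the workspace environment the test collapses to `[ -f ]`, which is true, and the script prints "Kubeconfig found." although no file exists. The default `KUBEDOCK_PARAMS` in the next hunk would then end in a bare `--kubeconfig`. Quote the expansion and keep the previous path as a fallback: `until [ -f "${KUBECONFIG:-/home/user/.kube/config}" ]; do`. `--kubeconfig` is also only part of the default value, so a caller who sets KUBEDOCK_PARAMS loses it silently; a comment next to the assignment should say so. The enclosing `if` block continues outside these hunks.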
@@ -46,7 +38,15 @@ else echo "Kubedock is disabled. It can be enabled with the env variable \"KUBEDOCK_ENABLED=true\"" echo "set in the workspace Devfile or in a Kubernetes ConfigMap in the developer namespace." echo - ln -f -s /usr/bin/podman.orig /home/user/.local/bin/podman + ln -f -s /usr/bin/podman.orig /home/tooling/.local/bin/podman +fi + +# /home/user/ will be mounted to by a PVC if persistUserHome is enabled +if mountpoint -q /home/user/; then + # Create symbolic links from /home/tooling/ -> /home/user/ + stow . -t /home/user/ -d /home/tooling/ --no-folding + # Vim does not permit .viminfo to be a symbolic link for security reasons, so manually copy it + cp /home/tooling/.viminfo /home/user/.viminfo fi exec "$@" From 7ac79710c16454500116b51c37e3bdffc30e66de Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Wed, 20 Sep 2023 00:03:27 -0400 Subject: [PATCH 08/16] Don't modify ~/.bashrc, use /etc/profile.d/ instead Signed-off-by: Andrew Obuchowicz --- base/ubi8/Dockerfile | 10 ++++------ universal/ubi8/Dockerfile | 29 +++++++++++++++++------------ 2 files changed, 21 insertions(+), 18 deletions(-) diff --git a/base/ubi8/Dockerfile b/base/ubi8/Dockerfile index a7bb2eb2..32c96b6a 100644 --- a/base/ubi8/Dockerfile +++ b/base/ubi8/Dockerfile 
@@ -96,14 +96,12 @@ COPY --chown=0:0 .stow-local-ignore /home/tooling/ RUN \ # add user and configure it useradd -u 10001 -G wheel,root -d /home/user --shell /bin/bash -m user && \ - # useradd will give us our default .bashrc - cp /home/user/.bashrc /home/tooling/.bashrc && \ - # /home/user/.bashrc will be replaced with the a symlink from /home/tooling/.bashrc - rm /home/user/.bashrc && \ # Setup $PS1 for a consistent and reasonable prompt - echo "export PS1='\W \`git branch --show-current 2>/dev/null | sed -r -e \"s@^(.+)@\(\1\) @\"\`$ '" >> ${HOME}/.bashrc && \ + touch /etc/profile.d/udi_prompt.sh && \ + chown 10001 /etc/profile.d/udi_prompt.sh && \ + echo "export PS1='\W \`git branch --show-current 2>/dev/null | sed -r -e \"s@^(.+)@\(\1\) @\"\`$ '" >> /etc/profile.d/udi_prompt.sh && \ # Copy the global git configuration to user config as global /etc/gitconfig - # file may be overwritten by a mounted file at runtime + # file may be overwritten by a mounted file at runtime cp /etc/gitconfig ${HOME}/.gitconfig && \ chown -R 10001 ${HOME}/ && \ # Set permissions on /etc/passwd and /home to allow arbitrary users to write diff --git a/universal/ubi8/Dockerfile b/universal/ubi8/Dockerfile index 1701ad60..bb1d6648 100644 --- a/universal/ubi8/Dockerfile +++ b/universal/ubi8/Dockerfile @@ -17,6 +17,12 @@ LABEL description="Image with developers tools. Languages SDK and runtimes inclu LABEL io.k8s.display-name="devfile-developer-universal" LABEL io.openshift.expose-services="" +USER 0 + +# $PROFILE_EXT contains all additions made to the bash environment +ENV PROFILE_EXT=/etc/profile.d/udi_environment.sh +RUN touch ${PROFILE_EXT} & chown 10001 ${PROFILE_EXT} + USER 10001 # We install everything to /home/tooling/ as /home/user/ may get overriden, see github.com/eclipse/che/issues/22412 
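Review bot: `chown 10001 /etc/profile.d/udi_prompt.sh` in base/ubi8/Dockerfile hands a script that login shells source, root's included, to the unprivileged image user. Nothing in this RUN needs that, since the `echo … >>` that fills the file runs in the same root step. A process running as UID 10001 can afterwards rewrite the file and have its content executed in other users' shells, and this image sets up sudo and the wheel group. Drop the chown so the file stays owned by root. `${PROFILE_EXT}` in universal/ubi8/Dockerfile is chowned the same way because later `USER 10001` steps append to it; there, a `chown 0:0 ${PROFILE_EXT}` in the closing root section would restore ownership once the build has finished writing.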
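Review bot: `RUN touch ${PROFILE_EXT} & chown 10001 ${PROFILE_EXT}` in universal/ubi8/Dockerfile uses a single `&`, which puts `touch` in the background and starts `chown` immediately, so the chown can race the file's creation and a failing `touch` never fails the build. This was presumably meant to be `RUN touch ${PROFILE_EXT} && chown 10001 ${PROFILE_EXT}`.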
@@ -44,7 +50,7 @@ ENV JAVA_HOME_8=/home/tooling/.sdkman/candidates/java/8.0.332-tem ENV JAVA_HOME_11=/home/tooling/.sdkman/candidates/java/11.0.15-tem ENV JAVA_HOME_17=/home/tooling/.sdkman/candidates/java/17.0.3-tem -# Java-related environment variables are described and set by /home/tooling/.bashrc +# Java-related environment variables are described and set by ${PROFILE_EXT}, which will be loaded by ~/.bashrc # To make Java working for dash and other shells, it needs to initialize them in the Dockerfile. ENV SDKMAN_CANDIDATES_API="https://api.sdkman.io/2" ENV SDKMAN_CANDIDATES_DIR="/home/tooling/.sdkman/candidates" @@ -72,9 +78,9 @@ ENV NODEJS_20_VERSION=20.7.0 ENV NODEJS_18_VERSION=18.16.1 ENV NODEJS_DEFAULT_VERSION=${NODEJS_18_VERSION} RUN curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.5/install.sh | PROFILE=/dev/null bash -RUN echo 'export NVM_DIR="$HOME/.nvm"' >> /home/tooling/.bashrc \ - && echo '[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"' >> /home/tooling/.bashrc -RUN source /home/tooling/.bashrc && \ +RUN echo 'export NVM_DIR="$HOME/.nvm"' >> ${PROFILE_EXT} \ + && echo '[ -s "$NVM_DIR/nvm.sh" ] && \. "$NVM_DIR/nvm.sh"' >> ${PROFILE_EXT} +RUN source /home/user/.bashrc && \ nvm install v${NODEJS_20_VERSION} && \ nvm install v${NODEJS_18_VERSION} && \ nvm alias default v${NODEJS_DEFAULT_VERSION} && nvm use v${NODEJS_DEFAULT_VERSION} && \ @@ -190,7 +196,7 @@ RUN dnf -y module enable container-tools:rhel8 && \ dnf -y update && \ dnf -y reinstall shadow-utils && \ dnf -y install podman buildah skopeo fuse-overlayfs -RUN echo 'alias docker=podman' >> /home/user/.bashrc +RUN echo 'alias docker=podman' >> ${PROFILE_EXT} # Set up environment variables to note that this is # not starting with usernamespace and default to 
@@ -238,7 +244,7 @@ EOF2 dnf install -y kubectl curl -sSL -o ~/.kubectl_aliases https://raw.githubusercontent.com/ahmetb/kubectl-alias/master/.kubectl_aliases -echo '[ -f ~/.kubectl_aliases ] && source ~/.kubectl_aliases' >> /home/tooling/.bashrc +echo '[ -f ~/.kubectl_aliases ] && source ~/.kubectl_aliases' >> ${PROFILE_EXT} EOF ## shellcheck @@ -278,7 +284,7 @@ sha256sum -c "${KREW_TGZ}.sha256" 2>&1 | grep OK tar -zxvf "${KREW_TGZ}" ./"krew-${KREW_ARCH}" install krew -echo 'export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"' >> /home/tooling/.bashrc +echo 'export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH"' >> ${PROFILE_EXT} export PATH="${KREW_ROOT:-$HOME/.krew}/bin:$PATH" # kubens and kubectx kubectl krew install ns @@ -419,16 +425,15 @@ RUN dnf -y install bash-completion \ && rm -rf /var/cache/yum RUN <> /home/tooling/.bashrc oc completion bash > /usr/share/bash-completion/completions/oc kubectl completion bash > /usr/share/bash-completion/completions/kubectl cat ${NVM_DIR}/bash_completion > /usr/share/bash-completion/completions/nvm EOF -# Add sdkman's init script launcher to the end of the .bashrc since we are not adding it on sdkman install -# NOTE: all modifications to the .bashrc must happen BEFORE this step in order for sdkman to function correctly -RUN echo 'export SDKMAN_DIR="/home/tooling/.sdkman"' >> /home/tooling/.bashrc -RUN echo '[[ -s "$SDKMAN_DIR/bin/sdkman-init.sh" ]] && source "$SDKMAN_DIR/bin/sdkman-init.sh"' >> /home/tooling/.bashrc +## Add sdkman's init script launcher to the end of ${PROFILE_EXT} since we are not adding it on sdkman install +## NOTE: all modifications to ${PROFILE_EXT} must happen BEFORE this step in order for sdkman to function correctly +RUN echo 'export SDKMAN_DIR="/home/tooling/.sdkman"' >> ${PROFILE_EXT} +RUN echo '[[ -s "$SDKMAN_DIR/bin/sdkman-init.sh" ]] && source "$SDKMAN_DIR/bin/sdkman-init.sh"' >> ${PROFILE_EXT} # Create symbolic links from /home/tooling/ -> /home/user/ 
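Review bot: In the kubectl hunk, the appended line makes every shell that loads `${PROFILE_EXT}` source `~/.kubectl_aliases`, and the context line above it downloads that file from the `master` branch of ahmetb/kubectl-alias with no pinned revision or checksum. Whatever that branch holds at build time is then executed in each user shell of the image. The krew step further down this file already checks its download with `sha256sum -c`, and the same treatment fits here. Fetch from a fixed commit (`.../ahmetb/kubectl-alias/<PINNED_COMMIT_SHA>/.kubectl_aliases`, placeholder) and compare the file against a recorded digest before the `echo`. The heredoc this hunk belongs to starts outside the hunk.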
From c88b6ac24ffeebae3a6f9f923f1faa20f8324d44 Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Wed, 20 Sep 2023 00:42:23 -0400 Subject: [PATCH 09/16] Don't recursively chown files in $HOME of base image Signed-off-by: Andrew Obuchowicz --- base/ubi8/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/base/ubi8/Dockerfile b/base/ubi8/Dockerfile index 32c96b6a..ef9bf4cd 100644 --- a/base/ubi8/Dockerfile +++ b/base/ubi8/Dockerfile @@ -103,7 +103,7 @@ RUN \ # Copy the global git configuration to user config as global /etc/gitconfig # file may be overwritten by a mounted file at runtime cp /etc/gitconfig ${HOME}/.gitconfig && \ - chown -R 10001 ${HOME}/ && \ + chown 10001 ${HOME}/ ${HOME}/.viminfo ${HOME}/.gitconfig ${HOME}/.stow-local-ignore && \ # Set permissions on /etc/passwd and /home to allow arbitrary users to write chgrp -R 0 /home && \ chmod -R g=u /etc/passwd /etc/group /home && \ From 0a20adbf7c02e70f159d592028f299cd350bac5a Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Wed, 20 Sep 2023 17:18:00 -0400 Subject: [PATCH 10/16] Remove obsolete ~/.bashrc creation code from base image entrypoint Signed-off-by: Andrew Obuchowicz --- base/ubi8/entrypoint.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/base/ubi8/entrypoint.sh b/base/ubi8/entrypoint.sh index c3468c85..e4b5b55b 100644 --- a/base/ubi8/entrypoint.sh +++ b/base/ubi8/entrypoint.sh @@ -5,11 +5,6 @@ if [ ! -d "${HOME}" ]; then mkdir -p "${HOME}" fi -# Setup $PS1 for a consistent and reasonable prompt -if [ -w "${HOME}" ] && [ ! -f "${HOME}"/.bashrc ]; then - echo "PS1='[\u@\h \W]\$ '" > "${HOME}"/.bashrc -fi - # Add current (arbitrary) user to /etc/passwd and /etc/group if ! whoami &> /dev/null; then if [ -w /etc/passwd ]; then From 72f53074655fae7f03d06fae4c1b31b909052701 Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Mon, 25 Sep 2023 15:11:39 -0400 Subject: [PATCH 11/16] Fix for multiple KUBEDOCK_PARAMS 
Signed-off-by: Andrew Obuchowicz --- universal/ubi8/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/universal/ubi8/entrypoint.sh b/universal/ubi8/entrypoint.sh index 0098512b..bac848e0 100755 --- a/universal/ubi8/entrypoint.sh +++ b/universal/ubi8/entrypoint.sh @@ -20,7 +20,7 @@ if [ "${KUBEDOCK_ENABLED:-false}" = "true" ]; then echo "Starting kubedock with params \"${KUBEDOCK_PARAMS}\"..." - kubedock server "${KUBEDOCK_PARAMS}" > /tmp/kubedock.log 2>&1 & + kubedock server ${KUBEDOCK_PARAMS} > /tmp/kubedock.log 2>&1 & echo "Done." From d3b7f2e1e0115bac5cc04f5f115e466a826fa1eb Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Tue, 26 Sep 2023 14:11:35 -0400 Subject: [PATCH 12/16] Don't fail entrypoint if kubeconfig could not be found Signed-off-by: Andrew Obuchowicz --- universal/ubi8/entrypoint.sh | 35 ++++++++++++++++++++--------------- 1 file changed, 20 insertions(+), 15 deletions(-) diff --git a/universal/ubi8/entrypoint.sh b/universal/ubi8/entrypoint.sh index bac848e0..9f3ea252 100755 --- a/universal/ubi8/entrypoint.sh +++ b/universal/ubi8/entrypoint.sh 
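Review bot: In the KUBEDOCK_PARAMS fix, the unquoted `kubedock server ${KUBEDOCK_PARAMS}` gives the word splitting the change is after, but it also enables pathname expansion. A parameter containing `*`, `?` or `[` is then matched against the working directory before kubedock sees it. A bash array keeps the splitting without the globbing: `read -r -a kubedock_args <<< "${KUBEDOCK_PARAMS}"` followed by `kubedock server "${kubedock_args[@]}" > /tmp/kubedock.log 2>&1 &`. Values that themselves contain spaces, such as a kubeconfig path, still cannot be expressed through this variable, which is worth stating where it is documented. The same line reappears re-indented in the following patch, and the enclosing `if` block starts and ends outside this hunk.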
@@ -8,31 +8,36 @@ if [ "${KUBEDOCK_ENABLED:-false}" = "true" ]; then SECONDS=0 until [ -f $KUBECONFIG ]; do if (( SECONDS > 10 )); then - echo "Giving up..." - exit 1 + break fi echo "Kubeconfig doesn't exist yet. Waiting..." sleep 1 done - echo "Kubeconfig found." - KUBEDOCK_PARAMS=${KUBEDOCK_PARAMS:-"--reverse-proxy --kubeconfig $KUBECONFIG"} + if [ -f $KUBECONFIG ]; then + echo "Kubeconfig found." - echo "Starting kubedock with params \"${KUBEDOCK_PARAMS}\"..." - - kubedock server ${KUBEDOCK_PARAMS} > /tmp/kubedock.log 2>&1 & - - echo "Done." + KUBEDOCK_PARAMS=${KUBEDOCK_PARAMS:-"--reverse-proxy --kubeconfig $KUBECONFIG"} - echo "Replacing podman with podman-wrapper..." + echo "Starting kubedock with params \"${KUBEDOCK_PARAMS}\"..." + + kubedock server ${KUBEDOCK_PARAMS} > /tmp/kubedock.log 2>&1 & + + echo "Done." - ln -f -s /usr/bin/podman.wrapper /home/tooling/.local/bin/podman + echo "Replacing podman with podman-wrapper..." - export TESTCONTAINERS_RYUK_DISABLED="true" - export TESTCONTAINERS_CHECKS_DISABLE="true" + ln -f -s /usr/bin/podman.wrapper /home/tooling/.local/bin/podman - echo "Done." - echo + export TESTCONTAINERS_RYUK_DISABLED="true" + export TESTCONTAINERS_CHECKS_DISABLE="true" + + echo "Done." + echo + else + echo "Could not find Kubeconfig at $KUBECONFIG" + echo "Giving up..." + fi else echo echo "Kubedock is disabled. It can be enabled with the env variable \"KUBEDOCK_ENABLED=true\"" From 741bffd320fb6d309a051a94e864505a9ee45f65 Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Tue, 26 Sep 2023 14:14:47 -0400 Subject: [PATCH 13/16] Allow changing kubedock timeout duration with $KUBEDOCK_TIMEOUT Signed-off-by: Andrew Obuchowicz --- universal/ubi8/entrypoint.sh | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/universal/ubi8/entrypoint.sh b/universal/ubi8/entrypoint.sh index 9f3ea252..d3091152 100755 --- a/universal/ubi8/entrypoint.sh +++ b/universal/ubi8/entrypoint.sh 
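Review bot: The new `if [ -f $KUBECONFIG ]; then` is unquoted, so when KUBECONFIG is unset or empty the test collapses to `[ -f ]`, which is true. The script then prints "Kubeconfig found." and starts kubedock with an empty `--kubeconfig` value. The `until [ -f $KUBECONFIG ]` loop above has the same form and exits immediately in that case. Quoting both closes it: `if [ -f "${KUBECONFIG:-}" ]; then`. The new give-up branch also does not touch /home/tooling/.local/bin/podman, and since the rest of the outer `else` branch is outside this hunk, it is worth confirming which podman link the workspace is left with when kubedock is enabled but never started.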
@@ -6,8 +6,9 @@ if [ "${KUBEDOCK_ENABLED:-false}" = "true" ]; then echo "Kubedock is enabled (env variable KUBEDOCK_ENABLED is set to true)." SECONDS=0 + KUBEDOCK_TIMEOUT=${KUBEDOCK_TIMEOUT:-10} until [ -f $KUBECONFIG ]; do - if (( SECONDS > 10 )); then + if (( SECONDS > KUBEDOCK_TIMEOUT )); then break fi echo "Kubeconfig doesn't exist yet. Waiting..." From 7bda30236b30d7bfbaf501e6212702be0f3309b4 Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Thu, 28 Sep 2023 16:21:32 -0400 Subject: [PATCH 14/16] Log stow output when run in entrypoint Signed-off-by: Andrew Obuchowicz --- universal/ubi8/entrypoint.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/universal/ubi8/entrypoint.sh b/universal/ubi8/entrypoint.sh index d3091152..220748c4 100755 --- a/universal/ubi8/entrypoint.sh +++ b/universal/ubi8/entrypoint.sh @@ -50,7 +50,7 @@ fi # /home/user/ will be mounted to by a PVC if persistUserHome is enabled if mountpoint -q /home/user/; then # Create symbolic links from /home/tooling/ -> /home/user/ - stow . -t /home/user/ -d /home/tooling/ --no-folding + stow . -t /home/user/ -d /home/tooling/ --no-folding -v 2 > /tmp/stow.log 2>&1 # Vim does not permit .viminfo to be a symbolic link for security reasons, so manually copy it cp /home/tooling/.viminfo /home/user/.viminfo fi From be7d9219cecfd954697cf4b987de9d0a7c6d5842 Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Fri, 29 Sep 2023 12:34:17 -0400 Subject: [PATCH 15/16] Only execute stow the first time container is started Signed-off-by: Andrew Obuchowicz --- universal/ubi8/entrypoint.sh | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/universal/ubi8/entrypoint.sh b/universal/ubi8/entrypoint.sh index 220748c4..7b050732 100755 --- a/universal/ubi8/entrypoint.sh +++ b/universal/ubi8/entrypoint.sh 
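Review bot: `KUBEDOCK_TIMEOUT` comes from the environment and is used directly in `(( SECONDS > KUBEDOCK_TIMEOUT ))`, where bash evaluates the variable's contents as an arithmetic expression rather than reading it as a plain number. A value that is not a valid expression makes the comparison fail with a syntax error, so the loop never reaches `break` while the kubeconfig is missing. Any other non-numeric value is evaluated as an expression. I would validate it right after the assignment with `case "${KUBEDOCK_TIMEOUT}" in ''|*[!0-9]*) KUBEDOCK_TIMEOUT=10 ;; esac`, and document the variable as a whole number of seconds. The `until` loop continues past the end of the hunk.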
@@ -47,12 +47,22 @@ else ln -f -s /usr/bin/podman.orig /home/tooling/.local/bin/podman fi + +# Stow +## Required for https://github.com/eclipse/che/issues/22412 + # /home/user/ will be mounted to by a PVC if persistUserHome is enabled -if mountpoint -q /home/user/; then +mountpoint -q /home/user/; HOME_USER_MOUNTED=$? + +# This file will be created after stowing, to guard from executing stow everytime the container is started +STOW_COMPLETE=/home/user/.stow_completed + +if [ $HOME_USER_MOUNTED -eq 0 ] && [ ! -f $STOW_COMPLETE ]; then # Create symbolic links from /home/tooling/ -> /home/user/ stow . -t /home/user/ -d /home/tooling/ --no-folding -v 2 > /tmp/stow.log 2>&1 # Vim does not permit .viminfo to be a symbolic link for security reasons, so manually copy it cp /home/tooling/.viminfo /home/user/.viminfo + touch $STOW_COMPLETE fi exec "$@" From 18b26a72f7ef75ce20889a34d543b3e944729361 Mon Sep 17 00:00:00 2001 From: Andrew Obuchowicz Date: Mon, 2 Oct 2023 15:12:18 -0400 Subject: [PATCH 16/16] Ensure ~/.bashrc and ~/.bash_profile exist when persistUserHome enabled Signed-off-by: Andrew Obuchowicz --- base/ubi8/.stow-local-ignore | 5 +++++ base/ubi8/Dockerfile | 6 +++++- universal/ubi8/entrypoint.sh | 4 ++++ 3 files changed, 14 insertions(+), 1 deletion(-) diff --git a/base/ubi8/.stow-local-ignore b/base/ubi8/.stow-local-ignore index 1cceb80d..9a4d5ce2 100644 --- a/base/ubi8/.stow-local-ignore +++ b/base/ubi8/.stow-local-ignore @@ -1,2 +1,7 @@ # .viminfo cannot be a symlink for security reasons \.viminfo + +# We store bash related files in /home/tooling/ so they aren't overriden if persistUserHome is enabled +# but we don't want them to be symbolic links (or to cause stow conflicts). They will be copied to /home/user/ manually. +\.bashrc +\.bash_profile diff --git a/base/ubi8/Dockerfile b/base/ubi8/Dockerfile index ef9bf4cd..85c1b7c5 100644 --- a/base/ubi8/Dockerfile +++ b/base/ubi8/Dockerfile 
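Review bot: In the stow guard, `touch $STOW_COMPLETE` runs whether or not `stow` and the `cp` succeeded, unless the script runs under `set -e`, which is not visible here. A first start that fails part-way is therefore marked complete and never retried, and /tmp/stow.log is the only trace. Chaining the steps makes the marker mean what its name says: `stow . -t /home/user/ -d /home/tooling/ --no-folding -v 2 > /tmp/stow.log 2>&1 && cp /home/tooling/.viminfo /home/user/.viminfo && touch "$STOW_COMPLETE"`. The marker lives on the persisted volume, so it presumably also survives image upgrades, and files added to /home/tooling/ by a newer image would not be linked into an existing home. Recording an image version in the marker would cover that.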
@@ -111,7 +111,11 @@ RUN \ # Create symbolic links from /home/tooling/ -> /home/user/ stow . -t /home/user/ -d /home/tooling/ && \ # .viminfo cannot be a symbolic link for security reasons, so copy it to /home/user/ - cp /home/tooling/.viminfo /home/user/.viminfo + cp /home/tooling/.viminfo /home/user/.viminfo && \ + # Bash-related files are backed up to /home/tooling/ incase they are deleted when persistUserHome is enabled. + cp /home/user/.bashrc /home/tooling/.bashrc && \ + cp /home/user/.bash_profile /home/tooling/.bash_profile && \ + chown 10001 /home/tooling/.bashrc /home/tooling/.bash_profile USER 10001 ENV HOME=/home/user diff --git a/universal/ubi8/entrypoint.sh b/universal/ubi8/entrypoint.sh index 7b050732..5a4a4e95 100755 --- a/universal/ubi8/entrypoint.sh +++ b/universal/ubi8/entrypoint.sh @@ -62,6 +62,10 @@ if [ $HOME_USER_MOUNTED -eq 0 ] && [ ! -f $STOW_COMPLETE ]; then stow . -t /home/user/ -d /home/tooling/ --no-folding -v 2 > /tmp/stow.log 2>&1 # Vim does not permit .viminfo to be a symbolic link for security reasons, so manually copy it cp /home/tooling/.viminfo /home/user/.viminfo + # We have to restore bash-related files back onto /home/user/ (since they will have been overwritten by the PVC) + # but we don't want them to be symbolic links (so that they persist on the PVC) + cp /home/tooling/.bashrc /home/user/.bashrc + cp /home/tooling/.bash_profile /home/user/.bash_profile touch $STOW_COMPLETE fi