diff --git a/Makefile b/Makefile
index 4d379726837..fdb3c660650 100644
--- a/Makefile
+++ b/Makefile
@@ -6,7 +6,7 @@ CORE_IMAGES=./cmd/bash ./cmd/controller ./cmd/entrypoint ./cmd/gsutil ./cmd/kube
 CORE_IMAGES_WITH_GIT=./cmd/creds-init ./cmd/git-init
 # Install core images
-install:
+install: installuidwrapper
 go install $(CORE_IMAGES) $(CORE_IMAGES_WITH_GIT)
 .PHONY: install
@@ -20,3 +20,8 @@ generate-dockerfiles:
 ./openshift/ci-operator/generate-dockerfiles.sh openshift/ci-operator/Dockerfile.in openshift/ci-operator/knative-images $(CORE_IMAGES)
 ./openshift/ci-operator/generate-dockerfiles.sh openshift/ci-operator/Dockerfile-git.in openshift/ci-operator/knative-images $(CORE_IMAGES_WITH_GIT)
 .PHONY: generate-dockerfiles
+
+# NOTE(chmou): Install uidwraper for launching some binaries with fixed uid
+UIDWRAPPER_PATH=./openshift/ci-operator/uidwrapper
+installuidwrapper: $(UIDWRAPPER_PATH)
+ install -m755 $(UIDWRAPPER_PATH) $(GOPATH)/bin/
diff --git a/openshift/ci-operator/Dockerfile-git.in b/openshift/ci-operator/Dockerfile-git.in
index 34b9452f12a..df12a5de403 100644
--- a/openshift/ci-operator/Dockerfile-git.in
+++ b/openshift/ci-operator/Dockerfile-git.in
@@ -1,7 +1,19 @@
 # Do not edit! This file was generated via Makefile
 FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base
+# NOTE(chmou): We use dollar here so that envsubst don't get confused and expand
+# our local PATH.
+ENV HOME=/ko-app PATH=DOLLAR{HOME}:DOLLAR{PATH}
 RUN yum install -y git openssh-client
-ADD ${bin} /ko-app/${bin}
+COPY ${bin} DOLLAR{HOME}/${bin}.orig
+COPY uidwrapper DOLLAR{HOME}/${bin}
+
+RUN chgrp -R 0 DOLLAR{HOME} && \
+ chmod -R g=u DOLLAR{HOME} /etc/passwd
+
 ENTRYPOINT ["/ko-app/${bin}"]
+
+# Local Variables:
+# mode: dockerfile
+# End:
diff --git a/openshift/ci-operator/generate-dockerfiles.sh b/openshift/ci-operator/generate-dockerfiles.sh
index 8f2fbf22ccf..011f03b47ef 100755
--- a/openshift/ci-operator/generate-dockerfiles.sh
+++ b/openshift/ci-operator/generate-dockerfiles.sh
@@ -8,7 +8,7 @@ function generate_dockefiles() {
 for img in $@; do
 local image_base=$(basename $img)
 mkdir -p $target_dir/$image_base
- bin=$image_base envsubst < $dockerfile_in > $target_dir/$image_base/Dockerfile
+ bin=$image_base envsubst < $dockerfile_in | sed 's/DOLLAR/$/g' > $target_dir/$image_base/Dockerfile
 done
 }
diff --git a/openshift/ci-operator/knative-images/creds-init/Dockerfile b/openshift/ci-operator/knative-images/creds-init/Dockerfile
index af6189d08ea..8732a3ad273 100644
--- a/openshift/ci-operator/knative-images/creds-init/Dockerfile
+++ b/openshift/ci-operator/knative-images/creds-init/Dockerfile
@@ -1,7 +1,19 @@
 # Do not edit! This file was generated via Makefile
 FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base
+# NOTE(chmou): We use dollar here so that envsubst don't get confused and expand
+# our local PATH.
+ENV HOME=/ko-app PATH=${HOME}:${PATH}
 RUN yum install -y git openssh-client
-ADD creds-init /ko-app/creds-init
+COPY creds-init ${HOME}/creds-init.orig
+COPY uidwrapper ${HOME}/creds-init
+
+RUN chgrp -R 0 ${HOME} && \
+ chmod -R g=u ${HOME} /etc/passwd
+
 ENTRYPOINT ["/ko-app/creds-init"]
+
+# Local Variables:
+# mode: dockerfile
+# End:
diff --git a/openshift/ci-operator/knative-images/git-init/Dockerfile b/openshift/ci-operator/knative-images/git-init/Dockerfile
index 975668cb99a..06fb59a3941 100644
--- a/openshift/ci-operator/knative-images/git-init/Dockerfile
+++ b/openshift/ci-operator/knative-images/git-init/Dockerfile
@@ -1,7 +1,19 @@
 # Do not edit! This file was generated via Makefile
 FROM registry.svc.ci.openshift.org/openshift/origin-v4.0:base
+# NOTE(chmou): We use dollar here so that envsubst don't get confused and expand
+# our local PATH.
+ENV HOME=/ko-app PATH=${HOME}:${PATH}
 RUN yum install -y git openssh-client
-ADD git-init /ko-app/git-init
+COPY git-init ${HOME}/git-init.orig
+COPY uidwrapper ${HOME}/git-init
+
+RUN chgrp -R 0 ${HOME} && \
+ chmod -R g=u ${HOME} /etc/passwd
+
 ENTRYPOINT ["/ko-app/git-init"]
+
+# Local Variables:
+# mode: dockerfile
+# End:
diff --git a/openshift/ci-operator/uidwrapper b/openshift/ci-operator/uidwrapper
new file mode 100755
index 00000000000..20b74123ff2
--- /dev/null
+++ b/openshift/ci-operator/uidwrapper
@@ -0,0 +1,8 @@
+#!/bin/sh
+if ! whoami &> /dev/null; then
+ if [ -w /etc/passwd ]; then
+ echo "${USER_NAME:-default}:x:$(id -u):0:${USER_NAME:-default} user:${HOME}:/sbin/nologin" >> /etc/passwd
+ fi
+fi
+
+exec ${0}.orig $@
diff --git a/openshift/e2e-tests-openshift.sh b/openshift/e2e-tests-openshift.sh
index c5d50eb6ab1..93bab166edf 100755
--- a/openshift/e2e-tests-openshift.sh
+++ b/openshift/e2e-tests-openshift.sh
@@ -17,10 +17,6 @@ env
 function install_tekton_pipeline() {
 header "Installing Tekton Pipeline"
- # Grant the necessary privileges to the service accounts Knative will use:
- oc adm policy add-scc-to-user anyuid -z tekton-pipelines-controller -n $TEKTON_PIPELINE_NAMESPACE
- oc adm policy add-cluster-role-to-user cluster-admin -z tekton-pipelines-controller -n $TEKTON_PIPELINE_NAMESPACE
- create_pipeline wait_until_pods_running $TEKTON_PIPELINE_NAMESPACE || return 1
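Review bot: The `installuidwrapper` recipe expands `$(GOPATH)` with no guard, so when GOPATH is not exported in the environment (Go itself falls back to `$HOME/go` without setting the variable) the destination becomes `/bin/` and `install -m755` tries to write into a system directory instead of the Go bin directory. The target is a command rather than a file but is not listed in `.PHONY`, unlike `install` and `generate-dockerfiles` in the same file, and the comment misspells the wrapper as `uidwraper`. I would write `installuidwrapper: $(UIDWRAPPER_PATH)` / `	install -m755 $(UIDWRAPPER_PATH) "$(or $(GOPATH),$(shell go env GOPATH))/bin/"` / `.PHONY: installuidwrapper`.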
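Review bot: The new `ENV` line puts `DOLLAR{HOME}` (/ko-app) at the head of PATH while the following `chmod -R g=u DOLLAR{HOME}` makes that directory and the binaries in it group-writable, so any bare-name command lookup inside the container (git, ssh from the yum line) now resolves through a writable directory before the system paths. Nothing visible here needs HOME on PATH, since `ENTRYPOINT` uses an absolute path and the wrapper execs `${0}.orig`; I would drop it, `ENV HOME=/ko-app`, or at least append it, `PATH=DOLLAR{PATH}:DOLLAR{HOME}`, and keep write access to the directory rather than the binaries, e.g. `chmod g=u DOLLAR{HOME} /etc/passwd && chmod g-w DOLLAR{HOME}/*`, if nothing else is expected to modify those files. Making /etc/passwd group-writable is presumably deliberate for the arbitrary-UID case the wrapper handles, but the RUN deserves a comment saying so, e.g. `# /etc/passwd is made group-writable so uidwrapper can add an entry for the runtime UID`. The same lines appear in the generated creds-init and git-init Dockerfiles, which are regenerated from this template.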
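Review bot: The `sed 's/DOLLAR/$/g'` post-pass exists only because `envsubst` with no argument expands every `${...}` in the template; giving it a shell-format restricts substitution to `bin`, which removes the need for the DOLLAR sentinel and the sed entirely once the templates use plain `${HOME}`, e.g. `bin=$image_base envsubst '${bin}' < "$dockerfile_in" > "$target_dir/$image_base/Dockerfile"`. As written the sed also rewrites any other occurrence of the literal word DOLLAR in a template, and `$dockerfile_in` and `$target_dir` remain unquoted, so a path containing spaces breaks the redirections. The enclosing `generate_dockefiles` function begins before this hunk.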
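Review bot: `whoami &> /dev/null` on the second line of uidwrapper is a bash-only redirection under a `#!/bin/sh` shebang; a POSIX sh such as dash parses `&>` as `&` followed by `>`, backgrounds `whoami`, and the negated test then never adds the passwd entry. Use `if ! whoami >/dev/null 2>&1; then`. The final `exec ${0}.orig $@` is unquoted, so arguments containing spaces or glob characters are re-split before they reach the real binary; it should be `exec "${0}.orig" "$@"`. The record appended to /etc/passwd is built from the unvalidated `USER_NAME` environment variable, so a value containing `:` or a newline yields a malformed or extra entry; either reject such values before the echo or add a comment stating that the pod spec is trusted for this.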