From 6e3c76ea23917bc0075c5df3415c29bd7820abbf Mon Sep 17 00:00:00 2001 From: Andre Richter Date: Sat, 2 Sep 2017 21:51:46 +0200 Subject: [PATCH] docker: Switch to official Rust image as base and rework 1. Use the official Rust nightly docker image as base 2. Remove hardcoded user 3. Use named volumes to cache .rustup and .cargo toolchain folders - Changing file permissions to user (chown) only needed on first launch 4. Cleanup apt folders after installing 5. Make bash the default fallback command 6. README.md: Unify workflows for Linux and MacOS --- docker/Dockerfile | 72 +++++++++++++++++++------------------------- docker/README.md | 39 ++++++++---------------- docker/entrypoint.sh | 33 +++++++++++++------- 3 files changed, 65 insertions(+), 79 deletions(-) diff --git a/docker/Dockerfile b/docker/Dockerfile index 0b85581..f4014e3 100755 --- a/docker/Dockerfile +++ b/docker/Dockerfile 
@@ -1,47 +1,37 @@ -FROM ubuntu:17.04 +FROM rustlang/rust:nightly -ENV USER user -ARG LOCAL_UID=local -ARG LOCAL_GID=local -ENV BUILD_UID=${LOCAL_UID:-9001} -ENV BUILD_GID=${LOCAL_GID:-9001} - -RUN apt-get update \ - && apt-get install -y dirmngr git gosu gcc fuse nasm qemu-utils pkg-config \ - libfuse-dev make curl wget file sudo apt-transport-https autoconf flex \ - bison texinfo \ - && apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AA12E97F0881517F \ - && echo "deb https://static.redox-os.org/toolchain/apt/ /" >> /etc/apt/sources.list.d/redox.list \ - && apt-get update -o Dir::Etc::sourcelist="redox.list" \ - && apt-get install -y x86-64-unknown-redox-newlib x86-64-unknown-redox-binutils x86-64-unknown-redox-gcc \ - && if [ $BUILD_UID != local ] && [ $BUILD_GID != local ]; then \ - groupadd -g $BUILD_GID user; \ - useradd --shell /bin/bash -u $BUILD_UID -g $BUILD_GID -o -c "" -m $USER; \ - else \ - useradd --shell /bin/bash -c "" -m $USER; \ - fi \ - && echo "$USER ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/user-no-sudo-password +RUN set -ex; \ + apt-get update; \ + apt-get install -q -y --no-install-recommends \ + apt-transport-https \ + bison \ + flex \ + fuse \ + gosu \ + libfuse-dev \ + nasm \ + qemu-utils \ + sudo \ + texinfo \ + git \ + ; \ + apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AA12E97F0881517F; \ + echo "deb https://static.redox-os.org/toolchain/apt/ /" >> \ + /etc/apt/sources.list.d/redox.list; \ + apt-get update -o Dir::Etc::sourcelist="redox.list"; \ + apt-get install -q -y --no-install-recommends \ + x86-64-unknown-redox-newlib \ + x86-64-unknown-redox-binutils \ + x86-64-unknown-redox-gcc \ + ; \ + cargo install xargo; \ + cargo install cargo-config; \ + apt-get autoremove -q -y; \ + apt-get clean -q -y; \ + rm -rf /var/lib/apt/lists/* COPY entrypoint.sh /usr/local/bin/entrypoint.sh RUN chmod +x /usr/local/bin/entrypoint.sh -USER $USER -ENV HOME /home/$USER -ENV PATH $HOME/.cargo/bin:$PATH -ENV SRC_PATH $HOME/src -WORKDIR 
$HOME -RUN curl https://sh.rustup.rs > sh.rustup.rs \ - && sh sh.rustup.rs -y \ - && rustup update \ - && rustup component add rust-src \ - && rustup default nightly \ - && curl -O https://ftp.gnu.org/gnu/automake/automake-1.15.1.tar.gz \ - && tar -xvpf automake-1.15.1.tar.gz; cd automake-1.15.1; ./configure; make; sudo make install; cd .. \ - && cargo install xargo \ - && cargo install cargo-config \ - && mkdir -p $SRC_PATH - -WORKDIR $SRC_PATH -USER root - ENTRYPOINT ["/usr/local/bin/entrypoint.sh"] +CMD ["/bin/bash"] diff --git a/docker/README.md b/docker/README.md index 4d9ad93..559974a 100644 --- a/docker/README.md +++ b/docker/README.md @@ -12,15 +12,10 @@ git clone https://github.com/redox-os/redox.git ; cd redox ``` ### Build the container -This will prepare an Ubuntu 17.04 docker image with the required -dependencies and the pre-built toolchain. As long as you rely on this particular -dependencies and toolchain versions, you don't need to rebuild the container. -#### Linux -```shell -docker build --build-arg LOCAL_UID="$(id -u)" --build-arg LOCAL_GID="$(id -g)" \ - -t redox docker/ -``` -#### MacOS +This will prepare a docker image with the required dependencies and +the pre-built toolchain. As long as you rely on this particular +dependencies and toolchain versions, you don't need to rebuild the +container. ```shell docker build -t redox docker/ ``` @@ -34,12 +29,12 @@ git pull --rebase --recurse-submodules && git submodule sync \ ``` ### Run the container to build Redox -#### Linux without security modules ```shell docker run --cap-add MKNOD --cap-add SYS_ADMIN --device /dev/fuse \ -e LOCAL_UID="$(id -u)" -e LOCAL_GID="$(id -g)" \ - -v redox-"$(id -u)"-"$(id -g)"-cargo:/home/user/.cargo \ - -v "$(pwd):/home/user/src" --rm redox make fetch all + -v redox-"$(id -u)-$(id -g)"-cargo:/usr/local/cargo \ + -v redox-"$(id -u)-$(id -g)"-rustup:/usr/local/rustup \ + -v "$(pwd):$(pwd)" -w "$(pwd)" --rm redox make fetch all ``` #### Linux with security modules
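Review bot: The toolchain signing key in the new `RUN` is fetched by 64-bit key ID over plain HKP (`apt-key adv --keyserver keyserver.ubuntu.com --recv-keys AA12E97F0881517F`), which gives no assurance that the key apt then trusts for `static.redox-os.org` is the intended one, and `apt-key` trusts it for every repository, not just the Redox one; look it up by full fingerprint over `hkps://`, or check the exported key into `docker/` and install it with `apt-key add`, e.g. `apt-key adv --keyserver hkps://keyserver.ubuntu.com --recv-keys <FULL-40-HEX-FINGERPRINT>` (placeholder). The base image and the two `cargo install` lines are likewise unpinned (`FROM rustlang/rust:nightly`, `cargo install xargo`, `cargo install cargo-config`), so two builds of the same commit can yield different toolchains; staying on nightly is clearly the intent, but `FROM rustlang/rust:nightly@sha256:<digest>` (placeholder) and `cargo install --version <x.y.z>` would make rebuilds reproducible. A short comment above the repository setup, such as `# Redox cross toolchain comes from the static.redox-os.org apt repo; apt-transport-https and the key below exist only for it`, would tell the next maintainer why those lines are there.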
Add the following options depending on the security modules activated on your system: @@ -53,23 +48,13 @@ Ex.: for a SELinux only system such as Fedora or CentOS docker run --cap-add MKNOD --cap-add SYS_ADMIN --device /dev/fuse \ -e LOCAL_UID="$(id -u)" -e LOCAL_GID="$(id -g)" \ --security-opt label=disable \ - -v redox-"$(id -u)"-"$(id -g)"-cargo:/home/user/.cargo \ - -v "$(pwd):/home/user/src" --rm redox make fetch all -``` -#### MacOS -```shell -docker run --cap-add MKNOD --cap-add SYS_ADMIN --device /dev/fuse \ - -v redox-cargo:/home/user/.cargo \ - -v "$(pwd):/home/user/src" --rm redox make fetch all + -v redox-"$(id -u)-$(id -g)"-cargo:/usr/local/cargo \ + -v redox-"$(id -u)-$(id -g)"-rustup:/usr/local/rustup \ + -v "$(pwd):$(pwd)" -w "$(pwd)" --rm redox make fetch all ``` ### Clear the named volume containing the cargo cache -#### Linux ```shell -docker volume rm redox-"$(id -u)"-"$(id -g)"-cargo -``` - -#### MacOS -```shell -docker volume rm redox-cargo +docker volume rm redox-"$(id -u)-$(id -g)"-cargo \ + redox-"$(id -u)-$(id -g)"-rustup ``` diff --git a/docker/entrypoint.sh b/docker/entrypoint.sh index d47300e..c893b72 100755 --- a/docker/entrypoint.sh +++ b/docker/entrypoint.sh 
@@ -1,18 +1,29 @@ #!/usr/bin/env bash -# Use -e LOCAL_UID="$(id -u)" -e LOCAL_GID="$(id -g)" -# on the docker run command line if the container build user is different -# from the run user +# Add local user +# Either use LOCAL_UID and LOCAL_GID if passed in at runtime via +# -e LOCAL_UID="$(id -u)" -e LOCAL_GID="$(id -g)" or fallback +USER_NAME=redox +RUN_UID=${LOCAL_UID:-9001} +RUN_GID=${LOCAL_GID:-9001} -CONT_UID=`id -u user` -CONT_GID=`id -g user` -RUN_UID=${LOCAL_UID:-$CONT_UID} -RUN_GID=${LOCAL_GID:-$CONT_GID} +groupadd --non-unique --gid $RUN_GID $USER_NAME +useradd --non-unique --create-home --uid $RUN_UID --gid $USER_NAME --groups sudo $USER_NAME -if [ $RUN_UID != $CONT_UID ] || [ $RUN_GID != $CONT_GID ]; then +echo "$USER_NAME ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/user-no-sudo-password + +export HOME=/home/$USER_NAME + +# Check current UID and GID of files in the named volume caches for +# cargo and rustup. Test only one of the top level folders to speed +# things up. +TESTFILE=$RUSTUP_HOME/settings.toml +CACHED_UID=$(stat -c "%u" $TESTFILE) +CACHED_GID=$(stat -c "%g" $TESTFILE) + +if [ $CACHED_UID != $RUN_UID ] || [ $RUN_GID != $CACHED_GID ]; then echo -e "\033[01;38;5;155mChanging user id:group to ${RUN_UID}:${RUN_GID}. Please wait...\033[0m" - groupmod -g $RUN_GID user - usermod -u $RUN_UID -g $RUN_GID user + chown $RUN_UID:$RUN_GID -R $CARGO_HOME $RUSTUP_HOME fi -exec gosu user:user "$@" +exec gosu $USER_NAME "$@"
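Review bot: The cache-ownership check at the end of the hunk has no error handling: the script never sets `set -e`, `$TESTFILE`, `$CARGO_HOME` and `$RUSTUP_HOME` are expanded unquoted, and if `stat` on `$RUSTUP_HOME/settings.toml` fails (the variable is presumably provided by the base image, but nothing here checks it) `CACHED_UID` is empty, the `[ ... ]` test errors out, the `chown` is skipped and `exec gosu` still runs with a cache the build user cannot write. Failing fast and quoting the expansions keeps the happy-path behaviour and makes that failure visible instead of silent. The `useradd ... --groups sudo` line together with the NOPASSWD sudoers entry makes the `LOCAL_UID` user root-equivalent inside the container; that is inherited from the previous version, but a one-line comment stating it (`# NOTE: the build user has passwordless sudo; this image is a development container`) is worth adding, especially since the file name `user-no-sudo-password` no longer matches the user name `redox`.
```shell
#!/usr/bin/env bash
set -eu
# … unchanged: user/group creation, sudoers entry, HOME export …
TESTFILE="${RUSTUP_HOME:?RUSTUP_HOME is expected from the base image}/settings.toml"
CACHED_UID=$(stat -c "%u" "$TESTFILE")
CACHED_GID=$(stat -c "%g" "$TESTFILE")

if [ "$CACHED_UID" != "$RUN_UID" ] || [ "$CACHED_GID" != "$RUN_GID" ]; then
    echo -e "\033[01;38;5;155mChanging user id:group to ${RUN_UID}:${RUN_GID}. Please wait...\033[0m"
    chown -R "$RUN_UID:$RUN_GID" "${CARGO_HOME:?}" "$RUSTUP_HOME"
fi

exec gosu "$USER_NAME" "$@"
```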