Bug 1199379: drop root before beginning the build r=ted.mielczarek

This requires doing some cleanup of permissions on the cache mounts first; eventually, this should be done by the docker-worker.
2024-09-13 09:24:08 -07:00 · 2015-08-27 14:13:32 -04:00 · 2015-08-27 14:13:32 -04:00 · 24af23a319
commit 24af23a319
parent 7722f099ed
5 changed files with 26 additions and 12 deletions
--- a/testing/docker/desktop-build/Dockerfile
+++ b/testing/docker/desktop-build/Dockerfile
@ -29,5 +29,9 @@ ADD           oauth.txt /home/worker/
 # the directory where mozharness is run (not its --work-dir)
 ADD           buildprops.json /home/worker/

+# Make sure commands from here on run as `worker`
+# XXX but non-root tasks aren't yet supported - bug 1093833
+# USER worker
+
 # Set a default command useful for debugging
 CMD ["/bin/bash", "--login"]
--- a/testing/docker/desktop-build/bin/build.sh
+++ b/testing/docker/desktop-build/bin/build.sh
@ -2,6 +2,21 @@

 set -x -e -v

+# TODO: when bug 1093833 is solved and tasks can run as non-root, reduce this
+# to a simple fail-if-root check
+if [ $(id -u) = 0 ]; then
+    # each of the caches we have mounted are owned by root, so update that ownership
+    # to 'worker'
+    for cache in /home/worker/.tc-vcs /home/worker/workspace /home/worker/tooltool-cache; do
+        # -R probably isn't necessary forever, but it fixes some poisoned
+        # caches for now
+        chown -R worker:worker $cache
+    done
+
+    # ..then drop privileges by re-running this script
+    exec su worker /home/worker/bin/build.sh
+fi
+
 ####
 # The default build works for any fx_desktop_build based mozharness job:
 # via linux-build.sh
--- a/testing/docker/desktop32-build/Dockerfile
+++ b/testing/docker/desktop32-build/Dockerfile
@ -28,5 +28,9 @@ ADD                 oauth.txt /home/worker/
 # the directory where mozharness is run (not its --work-dir)
 ADD                 buildprops.json /home/worker/

+# Make sure commands from here on run as `worker`
+# XXX but non-root tasks aren't yet supported - bug 1093833
+# USER worker
+
 # Set a default command useful for debugging
 CMD ["/bin/bash", "--login"]
--- a/testing/docker/desktop32-build/bin/build.sh
+++ b/testing/docker/desktop32-build/bin/build.sh
@ -1,12 +0,0 @@
-#! /bin/bash -vex
-
-set -x -e -v
-
-####
-# The default build works for any fx_desktop_build based mozharness job:
-# via linux-build.sh
-####
-
-. $HOME/bin/checkout-sources.sh
-
-. $WORKSPACE/build/src/testing/taskcluster/scripts/builder/build-linux.sh
--- a/testing/docker/desktop32-build/bin/build.sh
+++ b/testing/docker/desktop32-build/bin/build.sh
@ -0,0 +1 @@
+testing/docker/desktop-build/bin/build.sh
--- a/testing/taskcluster/scripts/builder/build-linux.sh
+++ b/testing/taskcluster/scripts/builder/build-linux.sh
@ -2,6 +2,8 @@

 set -x -e

+echo "running as" $(id)
+
 ####
 # Taskcluster friendly wrapper for performing fx desktop builds via mozharness.
 ####