-rwxr-xr-x | tcwg-base/new-user.sh | 14 | ||||
-rw-r--r-- | tcwg-base/tcwg-dev/Dockerfile.in | 9 | ||||
-rwxr-xr-x | tcwg-base/tcwg-dev/run.sh | 25 | ||||
-rwxr-xr-x | tcwg-base/tcwg-dev/start.sh | 66 |
4 files changed, 44 insertions, 70 deletions
diff --git a/tcwg-base/new-user.sh b/tcwg-base/new-user.sh
index 727982a1..fb7debd7 100755
--- a/tcwg-base/new-user.sh
+++ b/tcwg-base/new-user.sh
@@ -10,6 +10,7 @@ usage ()
 passwd_ent=""
 group=""
 home_data="default"
+update=false
 user=""
 verbose=false
 
@@ -18,6 +19,7 @@ while [ $# -gt 0 ]; do
 --passwd) passwd_ent="$2" ;;
 --group) group="$2" ;;
 --home-data) home_data="$2" ;;
+ --update) update="$2" ;;
 --user) user="$2" ;;
 --verbose) verbose="$2"; shift ;;
 *) echo "ERROR: Wrong option: $1"; usage ;;
@@ -43,7 +45,11 @@ if [ x"$group" != x"" ]; then
 
 group=$(echo "$group" | cut -d: -f 1)
 if [ x"$gid" != x"" ]; then
- groupadd -g $gid $group
+ action="add"
+ if $update && getent group $group; then
+ action="mod"
+ fi
+ group${action} -g $gid $group
 fi
 
 group_opt="-g $group"
@@ -68,7 +74,11 @@ if [ x"$user" != x"" ]; then
 shell=$(echo $passwd_ent | cut -d: -f 7)
 fi
 
- useradd -m $group_opt -G kvm \
+ action="add"
+ if $update && getent passwd $user; then
+ action="mod"
+ fi
+ user${action} -m $group_opt -G kvm \
 ${uid:+-u $uid} \
 ${comment:+-c "$comment"} \
 ${shell:+-s "$shell"} \
diff --git a/tcwg-base/tcwg-dev/Dockerfile.in b/tcwg-base/tcwg-dev/Dockerfile.in
index ecc23f29..e0eda9e3 100644
--- a/tcwg-base/tcwg-dev/Dockerfile.in
+++ b/tcwg-base/tcwg-dev/Dockerfile.in
@@ -1,8 +1,5 @@
 FROM linaro/ci-#{ARCH}-tcwg-base-ubuntu:#{DISTRO}
 
-COPY run.sh .
-COPY start.sh .
-
 RUN apt-get update \
 && DEBIAN_FRONTEND=noninteractive apt-get install -y \
 software-properties-common \
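Review bot: `getent group $group` inside the new `if $update && getent group $group; then` test prints the matched group entry to stdout on every container start, so it should be `getent group "$group" >/dev/null`; the same applies to `getent passwd $user` in the next hunk of this file. `$update` is also expanded as a command, so a value other than `true`/`false` given to `--update` is executed rather than rejected — the existing `$verbose` handling has the same shape, but for a new option `[ "$update" = true ]` is the safer test. The enclosing `if [ x"$group" != x"" ]` block starts outside the hunk.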
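Review bot: When `action` is `mod`, the `user${action} -m $group_opt -G kvm \` line runs `usermod -m`, which usermod accepts only together with `-d`, and `-G kvm` without `-a` replaces the existing user's supplementary groups instead of adding kvm; the update path therefore either fails or strips group memberships unless the argument list that continues past the hunk supplies `-d`. Carrying the mode-specific flags in a variable keeps a single command line: `action="add"; extra="-m"`, in the mod branch `action="mod"; extra="-a"`, and `user${action} $extra $group_opt -G kvm \`. The option list runs beyond the end of the hunk, so whether `-d` is passed cannot be confirmed here.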
@@ -40,15 +37,15 @@ RUN apt-get update \
 /tmp/* \
 /var/tmp/*
 
-RUN sed -i -e '/.*AuthorizedKeysFile/ d' /etc/ssh/sshd_config \
- && echo "AuthorizedKeysFile %h/.ssh/authorized_keys.docker" >> /etc/ssh/sshd_config \
- && locale-gen en_US.UTF-8 && update-locale LANG=en_US.UTF-8 \
+RUN locale-gen en_US.UTF-8 && update-locale LANG=en_US.UTF-8 \
 && apt-file update
 
 # Create directories required for X11.
 RUN mkdir -p /tmp/.X11-unix /tmp/.ICE-unix \
 && chmod 1777 /tmp/.X11-unix /tmp/.ICE-unix
 
+COPY run.sh start.sh /
+
 #if ARCH_amd64 || ARCH_arm64
 ENTRYPOINT ["/run.sh"]
 #else
diff --git a/tcwg-base/tcwg-dev/run.sh b/tcwg-base/tcwg-dev/run.sh
index 8029a32f..a0c9ce6b 100755
--- a/tcwg-base/tcwg-dev/run.sh
+++ b/tcwg-base/tcwg-dev/run.sh
@@ -7,29 +7,6 @@ if [ x"$1" = x"start.sh" ]; then
 exit 0
 fi
 
-if ! [ -f /etc/sudoers.d/user ]; then
- passwd_ent="$1"
- groupname="$2"
- pubkey="$3"
-
- username="$(echo $passwd_ent | cut -d: -f 1)"
- uid="$(echo $passwd_ent | cut -d: -f 3)"
- gid="$(echo $passwd_ent | cut -d: -f 4)"
- comment="$(echo $passwd_ent | cut -d: -f 5)"
- home="$(echo $passwd_ent | cut -d: -f 6)"
- shell="$(echo $passwd_ent | cut -d: -f 7)"
-
- groupadd -g "$gid" "$groupname"
- useradd -m -u "$uid" -g "$groupname" -G kvm -c "$comment" -s "$shell" "$username"
-
- if ! [ -f /home/$username/.ssh/authorized_keys.docker ] \
- && [ x"$pubkey" != x"" ]; then
- sudo -u $username mkdir -p /home/$username/.ssh/
- echo "$pubkey" | sudo -u $username tee /home/$username/.ssh/authorized_keys.docker > /dev/null
- fi
-
- echo "$username ALL = NOPASSWD: ALL" > /etc/sudoers.d/user
- chmod 440 /etc/sudoers.d/user
-fi
+new-user.sh --update true "$@"
 
 exec /usr/sbin/sshd -D
diff --git a/tcwg-base/tcwg-dev/start.sh b/tcwg-base/tcwg-dev/start.sh
index b06c8bba..9117cc72 100755
--- a/tcwg-base/tcwg-dev/start.sh
+++ b/tcwg-base/tcwg-dev/start.sh
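Review bot: Dropping the `AuthorizedKeysFile %h/.ssh/authorized_keys.docker` override means sshd now consults its default `~/.ssh/authorized_keys` in whatever /home is mounted, so under `--home bind` the host user's own key file decides who can log in to the container, and on a fresh `home-$user` volume there is no key file at all unless new-user.sh provisions one, which this change does not show. A one-line comment before `RUN locale-gen …` recording that decision, e.g. `# sshd uses its default AuthorizedKeysFile; login keys come from the mounted /home`, would keep the override from being re-added later.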
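Review bot: `new-user.sh --update true "$@"` is not checked before `exec /usr/sbin/sshd -D`, so if user creation fails (bad passwd entry, missing group) the container still comes up with sshd and no usable account; whether a `set -e` above the hunk covers this is not visible, and an explicit `new-user.sh --update true "$@" || exit 1` does not depend on it. The previous `! [ -f /etc/sudoers.d/user ]` guard also ran the setup once, whereas the new line runs on every `docker start`, which is presumably why `--update true` is passed — a comment saying so would make the intent clear. The removed sudoers and authorized_keys handling is not recreated here, so it presumably now lives in new-user.sh; those parts of that script are outside this change.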
@@ -5,21 +5,15 @@ set -e
 usage ()
 {
 cat <<EOF
-$0 [OPTIONS] -- IMAGE
+$0 [OPTIONS] -- IMAGE [NEW_USER_PARAMS]
 
 Options:
 
- --getent DATA
- User data from "getent passwd"
-
- --group NAME
- Primary group name
+ --home volume/bind
+ How to mount /home; default is volume home-$user
 
 --name CONTAINER_NAME
 Name of the container
 
- --pubkey KEY
- SSH public key to install inside container
-
 --user USER
 Username to create inside the container
@@ -29,19 +23,15 @@ EOF
 exit 1
 }
 
-getent="default"
-group="default"
+home="volume"
 name="default"
-pubkey="ldap"
 user="$USER"
 verbose=false
 
 while [ $# -gt 0 ]; do
 case $1 in
- --getent) getent="$2"; shift ;;
- --group) group="$2"; shift ;;
+ --home) home="$2"; shift ;;
 --name) name="$2"; shift ;;
- --pubkey) pubkey="$2"; shift ;;
 --user) user="$2"; shift ;;
 --verbose) verbose="$2"; shift ;;
 --) shift; break ;;
@@ -51,6 +41,7 @@ while [ $# -gt 0 ]; do
 done
 
 image="$1"
+shift
 
 if $verbose; then
 set -x
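Review bot: The usage text now advertises `[NEW_USER_PARAMS]` but does not say what they are; since everything after IMAGE is handed verbatim to the container entry point (`--user $user "$@"` in the last hunk of this file), a line under the synopsis such as `NEW_USER_PARAMS are passed through to new-user.sh inside the container (e.g. --group, --passwd, --home-data)` would tell callers which options exist. The `--home volume/bind` entry could likewise say which host directory `bind` mounts, since it is not simply `/home/$user` when running inside the proxied host container.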
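Review bot: The added `shift` after `image="$1"` fails when no IMAGE was given (`$#` is 0), and with the `set -e` visible in the first hunk's header the script should then exit silently instead of printing usage; guard it with `[ $# -gt 0 ] || usage` before the `shift`, unless such a check already exists outside the hunk. Before this change an empty `image` would have simply failed later at `docker run`.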
@@ -78,18 +69,30 @@ if [ x"$name" = x"default" ]; then
 fi
 
 mounts=""
-if [ -d "/home/$user" ]; then
- # Bind-mount $HOME
- mounts="$mounts -v /home/$user:/home/$user"
-else
- # Create/re-use docker volume and mount it as user's home
- mounts="$mounts -v home-$user:/home"
+
+home_top="/home"
+if [ -f "/.dockerenv" ] && mount | grep -q "/run/docker.sock "; then
+ # If inside "host" container (with proxied docker and /home from host-home
+ # volume), convert paths to refer to volume's path on bare-metal.
+ home_top=/var/lib/docker/volumes/host-home/_data/
 fi
 
-if [ -d "/home/tcwg-buildslave" ]; then
+case "$home" in
+ bind)
+ # Bind-mount $HOME
+ mounts="$mounts -v $home_top/$user:/home/$user"
+ ;;
+ volume)
+ # Create/re-use docker volume and mount it as user's home
+ mounts="$mounts -v home-$user:/home"
+ ;;
+esac
+
+
+if [ -d "$home_top/tcwg-buildslave" ]; then
 # Bind-mount /home/tcwg-buildslave read-only to get access to
 # /home/tcwg-buildslave/snapshots-ref/
- mounts="$mounts -v /home/tcwg-buildslave:/home/tcwg-buildslave:ro"
+ mounts="$mounts -v $home_top/tcwg-buildslave:/home/tcwg-buildslave:ro"
 fi
 
 # Use at most half of all available RAM.
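Review bot: `case "$home" in` has no `*)` arm, so a mistyped `--home` value (anything other than `bind` or `volume`) silently adds no /home mount and the container starts with an empty /home; add `*) echo "ERROR: Wrong --home value: $home"; usage ;;` after the `volume)` arm, in the same style as the `ERROR: Wrong option` arm in new-user.sh. The `home_top=/var/lib/docker/volumes/host-home/_data/` value also carries a trailing slash, which produces `//` in the `-v $home_top/$user:…` paths — harmless to mount but noisy under `set -x`.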
@@ -98,27 +101,14 @@ memlimit=$(($(free -g | awk '/^Mem/ { print $2 }') / 2))G
 # SYS_PTRACE is required for debugger work.
 caps="--cap-add=IPC_LOCK --cap-add=SYS_PTRACE"
 
-if [ x"$getent" = x"default" ]; then
- getent=$(getent passwd $user)
-fi
-
-if [ x"$group" = x"default" ]; then
- group=$(id -gn $user)
-fi
-
-if [ x"$pubkey" = x"ldap" ]; then
- # Fetch ssh public key from LDAP.
- pubkey=$(/etc/ssh/ssh_keys.py $user 2>/dev/null || sss_ssh_authorizedkeys $user 2>/dev/null)
-fi
-
-$DOCKER run --name=$name -dt -p 22 $mounts --memory=$memlimit --pids-limit=5000 $caps $image "$getent" "$group" "$pubkey"
+$DOCKER run --name=$name -dt -p 22 $mounts --memory=$memlimit --pids-limit=5000 $caps $image --user $user "$@"
 
 port=$($DOCKER port $name 22 | cut -d: -f 2)
 
 set +x
 cat <<EOF
 NOTE: the warning about kernel not supporting swap memory limit is expected
-To connect to container run "ssh -p $port localhost"
+To connect to container run "ssh -p $port $user@localhost"
 To stop container run "docker stop $name"
 To restart container run "docker start $name"
 To remove container run "docker rm -fv $name"
|
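Review bot: `--user $user "$@"` leaves `$user` unquoted while the rest of the pass-through is `"$@"`; `--user "$user"` keeps a value containing spaces or glob characters from being split before it reaches new-user.sh. The removed LDAP key lookup is not replaced by anything in this change, so the NOTE's `ssh -p $port $user@localhost` only works once a key is present in the mounted home — true by construction for `--home bind`, but on a fresh `home-$user` volume it depends on whatever `NEW_USER_PARAMS` make new-user.sh do, which is not visible here; a sentence in the NOTE saying where sshd now reads keys from would avoid a confusing first login.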