drop permissions of container to match host system (#8021)

* drop permissions of container to match host system

* try conditional if

* [ci lang-only Pascal]: revert test change

* [ci lang-only Pascal]: Update Dockerfile

* [ci lang-only Pascal]: use gosu to drop permissions

Author: gdams

.github/workflows/build.yml

@@ -142,7 +142,7 @@ jobs:
         if: ${{ env.RUN_TESTS }}
         uses: mattes/cached-docker-build-action@v1
         with:
-          args: " --file ./Dockerfile --tag techempower/tfb ."
+          args: " --file ./Dockerfile --build-arg USER_ID=$(id -u) --build-arg GROUP_ID=$(id -g) --tag techempower/tfb ."
           cache_key: "${{ hashFiles('./Dockerfile') }}"
       - name: Stop services
         # Stop services that would claim ports we may need
@@ -155,7 +155,7 @@ jobs:
           # run-ci.py runs the diffing to see if github actions needs to test this framework. Ideally/eventually,
           # we'd like to try and do the diffing before github_actions_clean & setup.
           # This will run the tests exactly as you would in your own vm:
-          docker network create tfb > /dev/null 2>&1 && docker run --network=tfb -v /var/run/docker.sock:/var/run/docker.sock --mount type=bind,source=`pwd`,target=/FrameworkBenchmarks techempower/tfb --mode verify --test-dir $RUN_TESTS --results-environment Github-Actions;
+          docker network create tfb > /dev/null 2>&1 && docker run --network=tfb -e USER_ID=$(id -u) -v /var/run/docker.sock:/var/run/docker.sock --mount type=bind,source=`pwd`,target=/FrameworkBenchmarks techempower/tfb --mode verify --test-dir $RUN_TESTS --results-environment Github-Actions;
   dependabot:
     needs: verify
     runs-on: ubuntu-latest

Dockerfile

@@ -1,5 +1,7 @@
 FROM ubuntu:22.04
 
+ARG USER_ID
+ARG GROUP_ID
 ARG DEBIAN_FRONTEND=noninteractive
 
 #RUN add-apt-repository universe
@@ -13,6 +15,7 @@ RUN apt-get -yqq update && apt-get -yqq install \
       dstat                       `# Collect resource usage statistics` \
       gcc \
       git-core \
+      gosu \
       libmysqlclient-dev          `# Needed for MySQL-python` \
       libpq-dev \
       python2 \
@@ -39,4 +42,17 @@ RUN pip install \
 
 ENV FWROOT=/FrameworkBenchmarks PYTHONPATH=/FrameworkBenchmarks
 
-ENTRYPOINT ["python2", "/FrameworkBenchmarks/toolset/run-tests.py"]
+# Check if Group is already created
+RUN if ! getent group $GROUP_ID; then \
+      addgroup --gid $GROUP_ID user; \
+    fi
+
+# Drop permissions of user to match those of the host system
+# Check if the User ID is already created
+RUN if ! getent passwd $USER_ID; then \
+      adduser --disabled-password --gecos '' --uid $USER_ID --gid $GROUP_ID user; \
+    fi
+
+ENV USER_ID=$USER_ID
+
+ENTRYPOINT ["/bin/bash", "FrameworkBenchmarks/entrypoint.sh" ]

entrypoint.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+set -euox pipefail
+
+chown -R $USER_ID /var/run/
+
+gosu $USER_ID python2 /FrameworkBenchmarks/toolset/run-tests.py "$@"

tfb

@@ -102,5 +102,5 @@ if ! docker network inspect tfb >/dev/null 2>&1; then
 fi
 
 test -t 1 && USE_TTY="-t"
-docker build -t techempower/tfb - < ${SCRIPT_ROOT}/Dockerfile
-exec docker run -i ${USE_TTY} ${EXTRA_DOCKER_ARGS} --rm --network tfb -v /var/run/docker.sock:/var/run/docker.sock -v ${SCRIPT_ROOT}:/FrameworkBenchmarks techempower/tfb "${@}"
+docker build -t techempower/tfb --build-arg USER_ID=$(id -u) --build-arg GROUP_ID=$(id -g) - < ${SCRIPT_ROOT}/Dockerfile
+exec docker run -i ${USE_TTY} ${EXTRA_DOCKER_ARGS} --rm --network tfb -e USER_ID=$(id -u) -v /var/run/docker.sock:/var/run/docker.sock -v ${SCRIPT_ROOT}:/FrameworkBenchmarks techempower/tfb "${@}"