Ground work for non-root

Signed-off-by: Simon Ferquel <[email protected]>

Author: simonferquel

Dockerfile.invocation-image

@@ -15,7 +15,8 @@ RUN make EXPERIMENTAL=${EXPERIMENTAL} bin/cnab-run
 
  # local cnab invocation image
 FROM alpine:${ALPINE_VERSION} as invocation
-RUN apk add --no-cache ca-certificates
+RUN apk add --no-cache ca-certificates && adduser -S cnab
+USER cnab
 COPY --from=build /go/src/github.com/docker/app/bin/cnab-run /cnab/app/run
 WORKDIR /cnab/app
 CMD /cnab/app/run

Gopkg.lock

@@ -44,7 +44,8 @@ required = ["github.com/wadey/gocovmerge"]
 
 [[override]]
   name = "github.com/deislabs/duffle"
-  branch = "master"
+  source = "github.com/simonferquel/duffle"
+  branch = "custom-container-config"
 
 [[constraint]]
   name = "github.com/sirupsen/logrus"

Gopkg.toml

@@ -0,0 +1 @@
+8162aa64cf9962b818007cfe7bb9ce9c4b14e7e5308c12847134c6574797e2c6

e2e/.docker/.buildNodeID

@@ -1,6 +1,7 @@
 package commands
 
 import (
+	"github.com/docker/cli/cli/context/docker"
 	"fmt"
 	"io/ioutil"
 	"os"
@@ -18,6 +19,8 @@ import (
 	"github.com/docker/cli/cli/command"
 	"github.com/docker/cli/cli/context/store"
 	"github.com/docker/distribution/reference"
+	"github.com/docker/docker/api/types/container"
+	"github.com/docker/docker/api/types/mount"
 	"github.com/pkg/errors"
 )
 
@@ -76,13 +79,27 @@ func duffleHome() home.Home {
 }
 
 // prepareDriver prepares a driver per the user's request.
-func prepareDriver(dockerCli command.Cli) (driver.Driver, error) {
+func prepareDriver(dockerCli command.Cli, bindLocalSocket bool) (driver.Driver, error) {
 	driverImpl, err := driver.Lookup("docker")
 	if err != nil {
 		return driverImpl, err
 	}
 	if d, ok := driverImpl.(*driver.DockerDriver); ok {
 		d.SetDockerCli(dockerCli)
+		if bindLocalSocket {
+			d.AddConfigurationOptions(func(config *container.Config, hostConfig *container.HostConfig) error {
+				config.User = "0:0"
+				mounts := []mount.Mount{
+					{
+						Type:   mount.TypeBind,
+						Source: "/var/run/docker.sock",
+						Target: "/var/run/docker.sock",
+					},
+				}
+				hostConfig.Mounts = mounts
+				return nil
+			})
+		}
 	}
 
 	// Load any driver-specific config out of the environment.
@@ -161,3 +178,30 @@ func resolveBundle(dockerCli command.Cli, name string, pullRef bool, insecureReg
 	}
 	return nil, fmt.Errorf("could not resolve bundle %q", name)
 }
+
+func requiresBindMount(targetContextName string, targetOrchestrator string, dockerCli command.Cli) (bool, error){
+	if targetOrchestrator == "kubernetes"{
+		return false, nil
+	}
+	ctxMeta, err := dockerCli.ContextStore().GetContextMetadata(targetContextName)
+	if err != nil{
+		return false, err
+	}
+	dockerCtx, err := command.GetDockerContext(ctxMeta)
+	if err != nil{
+		return false, err
+	}
+	if dockerCtx.StackOrchestrator == command.OrchestratorKubernetes{
+		return false, nil
+	}
+	dockerEndpoint, err := docker.EndpointFromContext(ctxMeta)
+	if err != nil{
+		return false, err
+	}
+	host := dockerEndpoint.Host
+	switch host{
+	case "", "unix:///var/run/docker.sock", "npipe:////./pipe/docker_engine":
+		return true, nil
+	}
+	return false, nil
+}

internal/commands/cnab.go

@@ -39,7 +39,7 @@ func runInspect(dockerCli command.Cli, appname string, opts inspectOptions) erro
 	if err != nil {
 		return err
 	}
-	driverImpl, err := prepareDriver(dockerCli)
+	driverImpl, err := prepareDriver(dockerCli, false)
 	if err != nil {
 		return err
 	}

internal/commands/inspect.go

@@ -73,7 +73,10 @@ func runInstall(dockerCli command.Cli, appname string, opts installOptions) erro
 		return errors.New("with-registry-auth is not supported at the moment")
 	}
 	targetContext := getTargetContext(opts.targetContext, dockerCli.CurrentContext())
-
+	doBindMount, err := requiresBindMount(targetContext, opts.orchestrator, dockerCli)
+	if err != nil {
+		return err
+	}
 	bndl, err := resolveBundle(dockerCli, appname, opts.pull, opts.insecureRegistries)
 	if err != nil {
 		return err
@@ -95,7 +98,7 @@ func runInstall(dockerCli command.Cli, appname string, opts installOptions) erro
 		return err
 	}
 
-	driverImpl, err := prepareDriver(dockerCli)
+	driverImpl, err := prepareDriver(dockerCli, doBindMount)
 	if err != nil {
 		return err
 	}

internal/commands/install.go

@@ -38,8 +38,15 @@ func runStatus(dockerCli command.Cli, claimName string, opts credentialOptions)
 		return err
 	}
 	targetContext := getTargetContext(opts.targetContext, dockerCli.CurrentContext())
-
-	driverImpl, err := prepareDriver(dockerCli)
+	var specifiedOrchestrator string
+	if rawOrchestrator, ok := c.Parameters["docker.orchestrator"]; ok {
+		specifiedOrchestrator = rawOrchestrator.(string)
+	}
+	doBindMounts, err := requiresBindMount(targetContext, specifiedOrchestrator, dockerCli)
+	if err != nil {
+		return err
+	}
+	driverImpl, err := prepareDriver(dockerCli, doBindMounts)
 	if err != nil {
 		return err
 	}

internal/commands/status.go

@@ -39,7 +39,15 @@ func runUninstall(dockerCli command.Cli, claimName string, opts credentialOption
 	}
 	targetContext := getTargetContext(opts.targetContext, dockerCli.CurrentContext())
 
-	driverImpl, err := prepareDriver(dockerCli)
+	var specifiedOrchestrator string
+	if rawOrchestrator, ok := c.Parameters["docker.orchestrator"]; ok {
+		specifiedOrchestrator = rawOrchestrator.(string)
+	}
+	doBindMounts, err := requiresBindMount(targetContext, specifiedOrchestrator, dockerCli)
+	if err != nil {
+		return err
+	}
+	driverImpl, err := prepareDriver(dockerCli, doBindMounts)
 	if err != nil {
 		return err
 	}

internal/commands/uninstall.go

@@ -55,26 +55,32 @@ func runUpgrade(dockerCli command.Cli, installationName string, opts upgradeOpti
 		}
 		c.Bundle = b
 	}
-	driverImpl, err := prepareDriver(dockerCli)
+	c.Parameters, err = mergeBundleParameters(c.Bundle,
+		withFileParameters(opts.parametersFiles),
+		withCommandLineParameters(opts.overrides),
+	)
 	if err != nil {
 		return err
 	}
-	creds, err := prepareCredentialSet(targetContext, dockerCli.ContextStore(), c.Bundle, opts.credentialsets)
+	var specifiedOrchestrator string
+	if rawOrchestrator, ok := c.Parameters["docker.orchestrator"]; ok {
+		specifiedOrchestrator = rawOrchestrator.(string)
+	}
+	doBindMounts, err := requiresBindMount(targetContext, specifiedOrchestrator, dockerCli)
 	if err != nil {
 		return err
 	}
-	if err := credentials.Validate(creds, c.Bundle.Credentials); err != nil {
+	driverImpl, err := prepareDriver(dockerCli, doBindMounts)
+	if err != nil {
 		return err
 	}
-
-	c.Parameters, err = mergeBundleParameters(c.Bundle,
-		withFileParameters(opts.parametersFiles),
-		withCommandLineParameters(opts.overrides),
-	)
+	creds, err := prepareCredentialSet(targetContext, dockerCli.ContextStore(), c.Bundle, opts.credentialsets)
 	if err != nil {
 		return err
 	}
-
+	if err := credentials.Validate(creds, c.Bundle.Credentials); err != nil {
+		return err
+	}
 	u := &action.Upgrade{
 		Driver: driverImpl,
 	}