Improve resiliency for arbitrary docker run -u 1006:1006 environments #175

Author: elgalu

.travis.yml

@@ -40,10 +40,10 @@ jobs:
         - travis_retry ./test/script_scenario_basic
         - travis_retry ./test/script_scenario_restart
 
-    # - env: test=scenario_arbitrary_uid
-    #   script:
-    #     - travis_retry ./test/before_install_pull
-    #     - travis_retry ./test/script_scenario_arbitrary_uid
+    - env: test=scenario_arbitrary_uid
+      script:
+        - travis_retry ./test/before_install_pull
+        - travis_retry ./test/script_scenario_arbitrary_uid
 
     - env: test=scenario_node_dies
       script:

Dockerfile

@@ -156,8 +156,14 @@ RUN useradd seluser \
          --create-home \
   && usermod -a -G sudo seluser \
   && gpasswd -a seluser video \
-  && echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers \
-  && echo 'seluser:secret' | chpasswd
+  && echo 'seluser:secret' | chpasswd \
+  && useradd extrauser \
+         --shell /bin/bash  \
+  && usermod -a -G sudo extrauser \
+  && gpasswd -a extrauser video \
+  && gpasswd -a extrauser seluser \
+  && echo 'extrauser:secret' | chpasswd \
+  && echo 'ALL ALL = (ALL) NOPASSWD: ALL' >> /etc/sudoers
 
 #==============================
 # Java8 - OpenJDK JRE headless

bin/entry.sh

@@ -18,28 +18,22 @@ if [ -f /var/run/secrets/kubernetes.io/serviceaccount/token ]; then
   export USE_KUBERNETES=true
 fi
 
-# Let's stop using sudo in K8s environments
+CURRENT_UID="$(id -u)"
+CURRENT_GID="$(id -g)"
+
+# Ensure that assigned uid has entry in /etc/passwd.
+if ! whoami &> /dev/null; then
+  echo "extrauser:x:${CURRENT_UID}:0::/home/extrauser:/bin/bash" >> /etc/passwd
+fi
+
+# Tests if the container works without sudo access
 if [ "${REMOVE_SELUSER_FROM_SUDOERS_FOR_TESTING}" == "true" ]; then
-  # This doesn't seem to work unless you logout:
-  #  sudo gpasswd -d seluser sudo
   sudo rm $(which sudo)
   if sudo pwd >/dev/null 2>&1; then
     die "Somehow we still have sudo access despite having removed it. Quitting. $(sudo pwd)"
   fi
 fi
 
-CURRENT_UID="$(id -u)"
-CURRENT_GID="$(id -g)"
-
-# Ensure that assigned uid has entry in /etc/passwd.
-if [ ${CURRENT_UID} -ne 1000 ]; then
-  echo "${USER}:x:${CURRENT_UID}:${CURRENT_GID}:,,,:/home/seluser:/bin/bash" >> /tmp/passwd
-  # cat /etc/passwd | sed -e "s/^${USER}:/builder:/" > /tmp/passwd
-  cat /etc/passwd | sed -e "s/^${USER}:/seluser:/" > /tmp/passwd
-  cat /tmp/passwd > /etc/passwd
-  rm /tmp/passwd
-fi
-
 # Flag to know if we have sudo acess
 if sudo pwd >/dev/null 2>&1; then
   export WE_HAVE_SUDO_ACCESS="true"
@@ -48,16 +42,13 @@ else
   warn "We don't have sudo"
 fi
 
-# if [ ${CURRENT_UID} -ne 1000 ]; then
-#   if [ "${WE_HAVE_SUDO_ACCESS}" == "true" ]; then
-#     warn 1
-#     sudo groupadd --gid ${CURRENT_GID} selgroup
-#     warn 2
-#     sudo gpasswd -a ${USER} seluser
-#     warn 3
-#     sudo gpasswd -a ${USER} selgroup
-#   fi
-# fi
+if [ ${CURRENT_GID} -ne 1000 ]; then
+  if [ "${WE_HAVE_SUDO_ACCESS}" == "true" ]; then
+    sudo groupadd --gid ${CURRENT_GID} selgroup
+    # sudo gpasswd -a ${USER} seluser
+    sudo gpasswd -a ${USER} selgroup
+  fi
+fi
 
 #==============================================
 # Java blocks until kernel have enough entropy
@@ -70,7 +61,7 @@ if [ "${WE_HAVE_SUDO_ACCESS}" == "true" ]; then
   # with --privileged and sudo here works more reliable
   sudo -E haveged
 else
-  haveged || true
+  haveged
 fi
 
 # Workaround that might help to get dbus working in docker

test/script_run_all_tests

@@ -10,7 +10,7 @@ rm -rf ./videos
 # In Travis these ones require travis_retry
 if [ "${CI}" != "true" ]; then
   ./test/script_scenario_basic
-  # ./test/script_scenario_arbitrary_uid
+  ./test/script_scenario_arbitrary_uid
   ./test/script_scenario_restart
   ./test/script_scenario_node_dies
   ./test/script_scenario_make

video-rec/bin/start-video-rec.sh

@@ -11,7 +11,11 @@ set -e
 
 # Remove the video file if exists
 # Added a non-sudo conditional so this works on non-sudo environments like K8s
-(sudo rm -f "${VIDEO_BASE_PATH}"*) || (rm -f "${VIDEO_BASE_PATH}"*)
+if [ "${WE_HAVE_SUDO_ACCESS}" == "true" ]; then
+  sudo rm -f "${VIDEO_BASE_PATH}"*
+else
+  rm -f "${VIDEO_BASE_PATH}"*
+fi
 
 # record testing video using password file
 # using sudo due to http://stackoverflow.com/questions/23544282/
@@ -32,8 +36,15 @@ export final_video_path="${VIDEOS_DIR}/${VIDEO_FILE_NAME}.${VIDEO_FILE_EXTENSION
 
 # Fix perms to be able to start ffmpeg without sudo
 # Added a non-sudo conditional so this works on non-sudo environments like K8s
-(sudo touch "${tmp_video_path}") || (touch "${tmp_video_path}")
-(sudo chown seluser:seluser "${tmp_video_path}") || (chown seluser:seluser "${tmp_video_path}") || true
+if [ "${WE_HAVE_SUDO_ACCESS}" == "true" ]; then
+  TMP_CUR_USER=$(whoami)
+  TMP_CUR_GROUP=$(id -g)
+  sudo touch "${tmp_video_path}"
+  sudo chown ${TMP_CUR_USER}:${TMP_CUR_GROUP} "${tmp_video_path}"
+  sudo chmod 666 "${tmp_video_path}"
+else
+  touch "${tmp_video_path}"
+fi
 
 # avconv or ffmpeg
 ffmpeg -f x11grab \