Outline sycl user creation into a separate script; Make it require password for sudo

AlexeySachkov · AlexeySachkov · commit 49ab31925e73 · 2024-12-13T08:13:32.000-08:00
diff --git a/devops/containers/ubuntu2204_base.Dockerfile b/devops/containers/ubuntu2204_base.Dockerfile
@@ -8,21 +8,8 @@ USER root
 COPY scripts/install_build_tools.sh /install.sh
 RUN /install.sh
 
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
-
-# group 109 is required for sycl user to access PVC card.
-RUN groupadd -g 109 render
-RUN usermod -aG render sycl
-
-# Allow sycl user to run as sudo
-RUN echo "sycl  ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+COPY scripts/setup-sycl-user.sh /user-setup.sh
+RUN /user-setup.sh
 
 COPY actions/cached_checkout /actions/cached_checkout
 COPY actions/cleanup /actions/cleanup
diff --git a/devops/containers/ubuntu2204_build.Dockerfile b/devops/containers/ubuntu2204_build.Dockerfile
@@ -30,14 +30,8 @@ RUN apt update && apt install -yqq rocm-dev && \
   apt-get clean && \
   rm -rf /var/lib/apt/lists/*
 
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
+COPY scripts/setup-sycl-user.sh /user-setup.sh
+RUN /user-setup.sh
 
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
 
diff --git a/devops/containers/ubuntu2204_preinstalled.Dockerfile b/devops/containers/ubuntu2204_preinstalled.Dockerfile
@@ -3,22 +3,15 @@ ARG base_image=ghcr.io/intel/llvm/ubuntu2204_intel_drivers
 
 FROM $base_image:$base_tag
 
+USER ROOT
+
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
 RUN mkdir -p /opt/sycl
 ADD sycl_linux.tar.gz /opt/sycl/
 
 ENV PATH /opt/sycl/bin:$PATH
 ENV LD_LIBRARY_PATH /opt/sycl/lib:$LD_LIBRARY_PATH
 
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
-
 USER sycl
 
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_base.Dockerfile b/devops/containers/ubuntu2404_base.Dockerfile
@@ -8,21 +8,8 @@ USER root
 COPY scripts/install_build_tools.sh /install.sh
 RUN /install.sh
 
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-RUN groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-RUN usermod -aG video sycl
-RUN usermod -aG irc sycl
-
-# group 109 is required for sycl user to access PVC card.
-RUN groupadd -g 109 render
-RUN usermod -aG render sycl
-
-# Allow sycl user to run as sudo
-RUN echo "sycl  ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
+COPY scripts/create-sycl-user.sh /user-setup.sh
+RUN /user-setup.sh
 
 COPY actions/cached_checkout /actions/cached_checkout
 COPY actions/cleanup /actions/cleanup
diff --git a/devops/scripts/create-sycl-user.sh b/devops/scripts/create-sycl-user.sh
@@ -0,0 +1,30 @@
+#!/bin/bash
+
+# By default Ubuntu sets an arbitrary UID value, that is different from host
+# system. When CI passes default UID value of 1001, some of LLVM tools fail to
+# discover user home directory and fail a few LIT tests. Fixes UID and GID to
+# 1001, that is used as default by GitHub Actions.
+groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
+# Add sycl user to video/irc groups so that it can access GPU
+usermod -aG video sycl
+usermod -aG irc sycl
+
+# group 109 is required for sycl user to access PVC card.
+groupadd -g 109 render
+usermod -aG render sycl
+
+if [[ -f /run/secrets/sycl_passwd ]]; then
+  # When running in our CI environment, we restrict access to root.
+
+  # Set password for sycl user
+  cat /run/secrets/sycl_passwd | passwd -s sycl
+
+  # Allow sycl user to run as sudo, but only with password
+  echo "sycl  ALL=(root) PASSWD:ALL" >> /etc/sudoers
+else
+  # Otherwise, we allow password-less root to simplify building other
+  # containers on top.
+
+  # Allow sycl user to run as sudo passwrod-less
+  echo "sycl  ALL=(root) NOPASSWD:ALL" >> /etc/sudoers
+fi
