Merge pull request #83 from thin-edge/fix-preserve-sudoers-file

fix: preserve tedge's default sudoers rules

Author: reubenmiller

Dockerfile

@@ -63,8 +63,13 @@ RUN usermod -u "$USERID" tedge \
     && mkdir -p /etc/tedge/credentials \
     && chown -R tedge:tedge /etc/tedge \
     && chown -R tedge:tedge /var/tedge \
-    && echo "tedge  ALL = (ALL) NOPASSWD:SETENV: /usr/bin/tedge, /etc/tedge/sm-plugins/[a-zA-Z0-9]*, /bin/sync, /sbin/init, /usr/bin/tedgectl, /bin/kill, /usr/bin/tedge-container, /usr/bin/docker, /usr/bin/podman, /usr/bin/podman-remote, /usr/bin/podman-compose" >/etc/sudoers.d/tedge \
-    && echo "tedge  ALL = (ALL) NOPASSWD:SETENV: /usr/bin/tedge-write /etc/*" >> /etc/sudoers.d/tedge \
+    # original tedge settings
+    && echo "tedge    ALL = (ALL) NOPASSWD:SETENV: /usr/bin/tedge, /etc/tedge/sm-plugins/[a-zA-Z0-9]*, /bin/sync, /sbin/init" > /etc/sudoers.d/tedge  \
+    && echo "tedge    ALL = (ALL) NOPASSWD:SETENV: /usr/bin/tedge-write /etc/*" >> /etc/sudoers.d/tedge \
+    && echo "tedge    ALL = (ALL) NOPASSWD:SETENV: /usr/share/tedge/log-plugins/[a-zA-Z0-9]*" >> /etc/sudoers.d/tedge \
+    # additional sudoers rules
+    && echo "tedge  ALL = (ALL) NOPASSWD:SETENV: /bin/sync, /sbin/init, /usr/bin/tedgectl, /bin/kill" >/etc/sudoers.d/tedge-system \
+    && echo "tedge  ALL = (ALL) NOPASSWD:SETENV: /usr/bin/tedge-container, /usr/bin/docker, /usr/bin/podman, /usr/bin/podman-remote, /usr/bin/podman-compose" >/etc/sudoers.d/tedge-containers \
     && echo "tedge  ALL = (ALL) NOPASSWD:SETENV: /usr/bin/fix-permissions.sh" >> /etc/sudoers.d/tedge-fix-permissions
 # Custom init. scripts - e.g. write env variables data to files
 COPY cont-init.d/*  /etc/cont-init.d/

test-images/common/container-bundle.sh

@@ -172,6 +172,17 @@ bootstrap_certificate() {
         tedge cert upload c8y
 }
 
+ wait_for_path() {
+    path="$1"
+    wait_seconds="${2:-30}"
+    waited=0
+    while [ ! -e "$path" ] && [ "$waited" -lt "$wait_seconds" ]; do
+        echo "Waiting for $path ($waited/$wait_seconds)..."
+        sleep 1
+        waited=$((waited + 1))
+    done
+}
+
 start() {
     CONTAINER_OPTIONS=""
 
@@ -184,10 +195,13 @@ start() {
         podman)
             # Mount socket to a path expected by the container under test
             # In podman, host.containers.internal is accessible by default
-            if [ -e /run/podman/podman.sock ]; then
-                CONTAINER_OPTIONS="$CONTAINER_OPTIONS -v /run/podman/podman.sock:/var/run/docker.sock:rw"
+            SOCKET_PATH="/run/podman/podman.sock"
+            # Wait for the podman socket to exist, up to 30 seconds
+            wait_for_path "$SOCKET_PATH" 30
+            if [ -e "$SOCKET_PATH" ]; then
+                CONTAINER_OPTIONS="$CONTAINER_OPTIONS -v $SOCKET_PATH:/var/run/docker.sock:rw"
             else
-                echo "Could not the podman socket"
+                echo "The podman socket does not exist. path=$SOCKET_PATH"
                 exit 1
             fi
             ;;

test-images/podman-v4/Dockerfile

@@ -1,5 +1,6 @@
 FROM quay.io/containers/podman:v4.4
 RUN systemctl enable podman.socket \
+    && echo "enable podman.socket" > /usr/lib/systemd/system-preset/95-podman.preset \
     # create systemd-tmpfiles config to create a symlink for docker to the podman socket
     # which allows using docker and docker compose without having to set the DOCKER_HOST variable
     # Source: podman-docker debian package

test-images/podman-v5/Dockerfile

@@ -1,8 +1,9 @@
 FROM quay.io/containers/podman:v5
 RUN systemctl enable podman.socket \
+    && echo "enable podman.socket" > /usr/lib/systemd/system-preset/95-podman.preset \
     # create systemd-tmpfiles config to create a symlink for docker to the podman socket
     # which allows using docker and docker compose without having to set the DOCKER_HOST variable
     # Source: podman-docker debian package
     && echo 'L+  %t/docker.sock   -    -    -     -   %t/podman/podman.sock' | tee /usr/lib/tmpfiles.d/podman-docker-socket.conf \
-    && systemd-tmpfiles --create podman-docker.conf >/dev/null || true
+    && systemd-tmpfiles --create podman-docker-socket.conf >/dev/null || true
 ENTRYPOINT [ "/lib/systemd/systemd" ]