Revert "Merge branch 'feat/non-0-user' into develop"

This reverts commit 5619968.
clemlesne · Jun 19, 2023 · d1897c2 · d1897c2
1 parent 80f7ad1
commit d1897c2
Show file tree

Hide file tree

Showing 7 changed files with 38 additions and 83 deletions.
diff --git a/src/docker/Dockerfile-bookworm b/src/docker/Dockerfile-bookworm
@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0-preview-bookworm-slim as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-USER root
+ENV USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -188,23 +188,17 @@ RUN rm arch.sh
 ENV PYTHONDONTWRITEBYTECODE=
 ENV PIP_BREAK_SYSTEM_PACKAGES=
 
-# Configure startup
-COPY uid_entrypoint.sh /
-RUN chmod a=rx /uid_entrypoint.sh \
-    && chmod a+w /etc/passwd /etc/shadow
-ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
-
 # Configure local user
-ENV USER app-user
-RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
-    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
+RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && chown -R ${USER} /run/user/0 ${HOME} \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
+USER 0:0
+ENV XDG_RUNTIME_DIR=/run/user/0
 ENV TMPDIR=${HOME}/.local/tmp
+ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
-
 # Run as exec form, so that it can receive signals from Tini
-USER ${USER}
 CMD ["bash", "start.sh"]
diff --git a/src/docker/Dockerfile-bullseye b/src/docker/Dockerfile-bullseye
@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-USER root
+ENV USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -148,6 +148,7 @@ ENV TINI_VERSION ${TINI_VERSION}
 RUN curl -LsSf --retry 3 https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$(ARCH_X64=amd64 bash arch.sh) -o /tini \
     && chmod +x /tini \
     && /tini --version
+ENTRYPOINT ["/tini", "--"]
 
 # Install BuildKit, then verify installation
 ARG BUILDKIT_VERSION
@@ -183,23 +184,17 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
-# Configure startup
-COPY uid_entrypoint.sh /
-RUN chmod a=rx /uid_entrypoint.sh \
-    && chmod a+w /etc/passwd /etc/shadow
-ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
-
 # Configure local user
-ENV USER app-user
-RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
-    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
+RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && chown -R ${USER} /run/user/0 ${HOME} \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
+USER 0:0
+ENV XDG_RUNTIME_DIR=/run/user/0
 ENV TMPDIR=${HOME}/.local/tmp
+ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
-
 # Run as exec form, so that it can receive signals from Tini
-USER ${USER}
 CMD ["bash", "start.sh"]
diff --git a/src/docker/Dockerfile-focal b/src/docker/Dockerfile-focal
@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-focal as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-USER root
+ENV USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -185,23 +185,17 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
-# Configure startup
-COPY uid_entrypoint.sh /
-RUN chmod a=rx /uid_entrypoint.sh \
-    && chmod a+w /etc/passwd /etc/shadow
-ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
-
 # Configure local user
-ENV USER app-user
-RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
-    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
+RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && chown -R ${USER} /run/user/0 ${HOME} \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
+USER 0:0
+ENV XDG_RUNTIME_DIR=/run/user/0
 ENV TMPDIR=${HOME}/.local/tmp
+ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
-
 # Run as exec form, so that it can receive signals from Tini
-USER ${USER}
 CMD ["bash", "start.sh"]
diff --git a/src/docker/Dockerfile-jammy b/src/docker/Dockerfile-jammy
@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-jammy as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-USER root
+ENV USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -193,23 +193,17 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
-# Configure startup
-COPY uid_entrypoint.sh /
-RUN chmod a=rx /uid_entrypoint.sh \
-    && chmod a+w /etc/passwd /etc/shadow
-ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
-
 # Configure local user
-ENV USER app-user
-RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
-    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
+RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && chown -R ${USER} /run/user/0 ${HOME} \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
+USER 0:0
+ENV XDG_RUNTIME_DIR=/run/user/0
 ENV TMPDIR=${HOME}/.local/tmp
+ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
-
 # Run as exec form, so that it can receive signals from Tini
-USER ${USER}
 CMD ["bash", "start.sh"]
diff --git a/src/docker/Dockerfile-ubi8 b/src/docker/Dockerfile-ubi8
@@ -1,7 +1,7 @@
 FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 as base
 
 # Configure local user
-USER root
+ENV USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -184,23 +184,17 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
-# Configure startup
-COPY uid_entrypoint.sh /
-RUN chmod a=rx /uid_entrypoint.sh \
-    && chmod a+w /etc/passwd /etc/shadow
-ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
-
 # Configure local user
-ENV USER app-user
-RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
-    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
+RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && chown -R ${USER} /run/user/0 ${HOME} \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
+USER 0:0
+ENV XDG_RUNTIME_DIR=/run/user/0
 ENV TMPDIR=${HOME}/.local/tmp
+ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
-
 # Run as exec form, so that it can receive signals from Tini
-USER ${USER}
 CMD ["bash", "start.sh"]
diff --git a/src/docker/uid_entrypoint.sh b/src/docker/uid_entrypoint.sh
diff --git a/src/helm/azure-pipelines-agent/templates/_helpers.tpl b/src/helm/azure-pipelines-agent/templates/_helpers.tpl
@@ -82,13 +82,14 @@ Can be overriden by setting ".Values.securityContext".
 See: https://kubernetes.io/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers
 */}}
 {{- define "azure-pipelines-agent.defaultSecurityContext" -}}
-runAsNonRoot: true
+runAsNonRoot: false
 readOnlyRootFilesystem: false
 {{- if .Values.image.isWindows }}
 windowsOptions:
   runAsUserName: ContainerAdministrator
 {{- else }}
 allowPrivilegeEscalation: false
+runAsUser: 0
 capabilities:
   drop: ["ALL"]
 {{- end }}