
Commit

[docker/podman] Fix user permissions
Before this commit, the container started as root. With podman 4.3, the option --userns=keep-id when running the container forwards the UID & GID. Hence, no manual permission management is needed anymore.

Signed-off-by: Pascal Nasahl <[email protected]>
nasahlpa committed Oct 4, 2023
1 parent 2607011 commit 5e34345
Showing 4 changed files with 5 additions and 40 deletions.
2 changes: 1 addition & 1 deletion doc/getting_started.md
Expand Up @@ -152,7 +152,7 @@ The
[Dockerfile](https://github.com/lowRISC/ot-sca/blob/master/util/docker/Dockerfile)
in this repository can be used to build a ready-to-use image with all the
dependencies installed. To build the image:
1. If not already installed, install Podman following the instructions
1. If not already installed, install Podman and containers-storage following the instructions
[here](https://podman.io/getting-started/installation), and
2. Build the container image using
[build\_image.sh](https://github.com/lowRISC/ot-sca/blob/master/util/docker/build_image.sh):
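Review bot: the reworded first step adds containers-storage but nowhere in this hunk states the podman version the new workflow depends on; the commit message ties the `--userns=keep-id` UID/GID forwarding to podman 4.3, and a reader following this page with an older distro package will hit a permission failure on the bind mount without knowing why. Suggest extending the step, e.g. `1. If not already installed, install Podman (4.3 or newer) and containers-storage following the instructions`, so the requirement lives next to the install instructions rather than only in the commit history.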
2 changes: 1 addition & 1 deletion util/docker/Dockerfile
Expand Up @@ -83,6 +83,6 @@ RUN rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/* /usr/share/doc/*

# Entrypoint
COPY util/docker/docker_entrypoint.sh /docker_entrypoint.sh
RUN echo "exec /docker_entrypoint.sh '${USER_NAME}' '${MOUNT_DIR}'" > /docker_entrypoint_wrapper.sh
RUN echo "exec /docker_entrypoint.sh" > /docker_entrypoint_wrapper.sh
RUN chmod +x /docker_entrypoint.sh /docker_entrypoint_wrapper.sh
ENTRYPOINT /docker_entrypoint_wrapper.sh
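Review bot: with the two arguments gone, the wrapper is now a one-line `exec /docker_entrypoint.sh` and no longer serves a purpose; `ENTRYPOINT ["/docker_entrypoint.sh"]` (exec form) would remove the extra `RUN echo` layer, the second `chmod` target and the shell-form indirection in one go. Also check whether the `USER_NAME` and `MOUNT_DIR` declarations that the removed line referenced, which sit above this hunk, are still used anywhere else in the Dockerfile; if not, they should be deleted in the same change rather than left as dead build arguments.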
40 changes: 2 additions & 38 deletions util/docker/docker_entrypoint.sh
Expand Up @@ -4,45 +4,9 @@
# SPDX-License-Identifier: Apache-2.0

# Entrypoint for OpenTitan SCA/FI image. This script:
# - Creates a new non-privileged user with the same UID and GID as the owner of
# the host directory to avoid permission issues,
# - Adds this user to plugdev and dialout groups to able to access
# chipwhisperer devices,
# - Drops root privileges by switching to the newly created user, and
# - Replaces the current process with a new shell.

# We expect only two variables.
if [[ "$#" -ne 2 ]]; then
echo "Unexpected number of parameters: $#" >&2
exit 1
fi

readonly USER_NAME="$1"
readonly MOUNT_DIR="$2"
readonly SHELL='/bin/bash'

# Create a user with the same UID and GID as the owner of the mount.
# Note: The user is also added to plugdev and dialout to be able talk to
# chipwhisperer USB devices. IDs of these groups must match those of the
# host system, which typically is the case.
HOST_UID="$(stat -c '%u' "${MOUNT_DIR}")"
readonly HOST_UID
HOST_GID="$(stat -c '%g' "${MOUNT_DIR}")"
readonly HOST_GID
echo "Creating user '${USER_NAME}' with UID=${HOST_UID}, GID=${HOST_GID}."
groupadd -g "${HOST_GID}" "${USER_NAME}"
useradd -u "${HOST_UID}" -g "${HOST_GID}" -m -s "${SHELL}" "${USER_NAME}"

# Install git lfs
runuser "${USER_NAME}" -c 'git lfs install' > /dev/null

# Workaround for setpriv: libcap-ng is too old for "-all" caps argument.
# Instead, create a list of all capabilities supported by the kernel.
CAP_PREFIX="-cap_"
CAPS="${CAP_PREFIX}$(seq -s ",${CAP_PREFIX}" 0 $(cat /proc/sys/kernel/cap_last_cap))"

# Cleanup, drop privileges, and replace the current process with a new shell.
rm /docker_entrypoint.sh /docker_entrypoint_wrapper.sh
HOME_DIR="$(getent passwd "${USER_NAME}" | cut -d : -f 6)"
readonly HOME_DIR
HOME="${HOME_DIR}" exec setpriv --reuid="${HOST_UID}" --regid="${HOST_GID}" --inh-caps=${CAPS} --init-group "${SHELL}"
# Switch to shell
exec "${SHELL}"
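Review bot: `exec "${SHELL}"` on the new last line relies on a `SHELL` environment variable that the removed `readonly SHELL='/bin/bash'` used to define; inside a container `SHELL` is not guaranteed to be set, and if it is empty the entrypoint dies at startup with `exec: : not found`. Keep the constant (`readonly SHELL='/bin/bash'`) or write `exec /bin/bash` directly. The unchanged header comment (`# Entrypoint for OpenTitan SCA/FI image. This script:` and the bullets below it) still describes creating a user, adding it to plugdev and dialout and dropping root privileges, none of which the script does any more; rewrite it to say the container relies on `--userns=keep-id` and only execs a shell. Two behaviours also vanish without mention in the commit message: the per-user `git lfs install` (users cloning LFS-tracked repos inside the container will now need to run it themselves, or the image should do it at build time), and the plugdev/dialout group membership that the old comment says was needed for chipwhisperer USB access; the commit message covers file ownership on the mount but not device access, so this should be verified with a device attached before merging or noted as a follow-up.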
1 change: 1 addition & 0 deletions util/docker/run_container.sh
Expand Up @@ -58,6 +58,7 @@ if [[ -z "${HOST_WORK_DIR}" ]] || [[ -z "${SHM_SIZE}" ]] || [[ ${#DEVICES[@]} -e
fi

podman run --rm -it \
--userns=keep-id \
--shm-size "${SHM_SIZE}" \
-v "${HOST_WORK_DIR}":"${CONTAINER_WORK_DIR}" \
-w "${CONTAINER_WORK_DIR}" \
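Review bot: `--userns=keep-id` is added unconditionally, but the commit message ties the intended behaviour to podman 4.3, and an older podman will either reject the flag or leave the user with the previous root-owned layout; the script already validates its inputs (the `if [[ -z "${HOST_WORK_DIR}" ]] ...` check just above this hunk), so a version guard that parses `podman --version` and exits 1 with a message naming the minimum version before the `podman run` would fit the existing style. A one-line comment above the flag explaining that it maps the invoking host user's UID/GID into the container so the bind-mounted `${HOST_WORK_DIR}` is writable would also help, since that is the whole point of the change and the next reader will not have the commit message at hand.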
