From 0df8392c86400f34858820430b85817782ba2710 Mon Sep 17 00:00:00 2001 From: SomberNight Date: Thu, 3 Mar 2022 18:53:21 +0100 Subject: [PATCH] build: rm need for sudo in most places; and do not run as root This includes two logically separate changes: - on the host, try not to require sudo when running the build scripts - namely when interacting with the docker daemon, this requires the unix user on the host to be part of the `docker` group - this solves part of https://github.com/spesmilo/electrum/issues/7602 - while running inside the docker containers, do not run as root - this means that e.g. files created in mounted folders should no longer be owned by root on the host - there is some code duplication involved here - not sure how it could be deduped. --- contrib/android/Dockerfile | 17 +++++------------ contrib/android/build.sh | 8 ++++---- contrib/build-linux/appimage/Dockerfile | 12 ++++++++++++ contrib/build-linux/appimage/build.sh | 8 ++++---- contrib/build-linux/sdist/Dockerfile | 12 ++++++++++++ contrib/build-linux/sdist/build.sh | 8 ++++---- contrib/build-wine/Dockerfile | 15 +++++++++++++++ contrib/build-wine/build-electrum-git.sh | 4 ++-- contrib/build-wine/build.sh | 8 ++++---- contrib/build-wine/make_win.sh | 2 +- contrib/make_libusb.sh | 2 +- 11 files changed, 64 insertions(+), 32 deletions(-) diff --git a/contrib/android/Dockerfile b/contrib/android/Dockerfile index 71ac55172..f24094f3b 100644 --- a/contrib/android/Dockerfile +++ b/contrib/android/Dockerfile @@ -94,11 +94,6 @@ RUN curl --location --progress-bar \ && rm -rf "${APACHE_ANT_ARCHIVE}" -ENV USER="user" -ENV HOME_DIR="/home/${USER}" -ENV WORK_DIR="${HOME_DIR}/wspace" \ - PATH="${HOME_DIR}/.local/bin:${PATH}" - # install system/build dependencies # https://github.com/kivy/buildozer/blob/master/docs/source/installation.rst#android-on-ubuntu-2004-64bit # TODO probably need to pin versions of at least some of these for over-time reproducibility? 
@@ -136,17 +131,15 @@ RUN apt -y update -qq \ && apt -y clean -# prepare non root env +# create new user to avoid using root; but with sudo access and no password for convenience. +ENV USER="user" +ENV HOME_DIR="/home/${USER}" +ENV WORK_DIR="${HOME_DIR}/wspace" \ + PATH="${HOME_DIR}/.local/bin:${PATH}" RUN useradd --create-home --shell /bin/bash ${USER} - -# with sudo access and no password RUN usermod -append --groups sudo ${USER} RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers - - WORKDIR ${WORK_DIR} - -# user needs ownership/write access to these directories RUN chown --recursive ${USER} ${WORK_DIR} ${ANDROID_SDK_HOME} RUN chown ${USER} /opt USER ${USER} diff --git a/contrib/android/build.sh b/contrib/android/build.sh index 853b9b862..b102260f3 100755 --- a/contrib/android/build.sh +++ b/contrib/android/build.sh @@ -22,7 +22,7 @@ if [ ! -z "$ELECBUILD_NOCACHE" ] ; then fi info "building docker image." -sudo docker build \ +docker build \ $DOCKER_BUILD_FLAGS \ -t electrum-android-builder-img \ --file "$CONTRIB_ANDROID/Dockerfile" \ @@ -33,7 +33,7 @@ sudo docker build \ if [ ! -z "$ELECBUILD_COMMIT" ] ; then info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout." FRESH_CLONE="$CONTRIB_ANDROID/fresh_clone/electrum" && \ - sudo rm -rf "$FRESH_CLONE" && \ + rm -rf "$FRESH_CLONE" && \ umask 0022 && \ git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \ cd "$FRESH_CLONE" @@ -51,7 +51,7 @@ fi info "building binary..." mkdir --parents "$PROJECT_ROOT_OR_FRESHCLONE_ROOT"/.buildozer/.gradle -sudo docker run -it --rm \ +docker run -it --rm \ --name electrum-android-builder-cont \ -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/home/user/wspace/electrum \ -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT"/.buildozer/.gradle:/home/user/.gradle \ 
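Review bot: With `sudo` removed from `docker build` here (and from `docker run` in the `@@ -51` hunk below, plus the matching hunks in the appimage, sdist and wine `build.sh`), the script now depends on the invoking user being able to talk to the docker daemon, which the commit message says means membership in the `docker` group, and an unprivileged user will typically see only a socket permission error from docker itself. A guard before the first docker call makes the requirement and its consequence explicit: `docker info >/dev/null 2>&1 || fail "cannot reach the docker daemon: the build must run as a user with docker access (the docker group is root-equivalent on the host)"`. This assumes the `fail` helper from the shared build tools is sourced in this script as it is in `make_libusb.sh`; otherwise an error message plus `exit 1` does the same job. I would write the note once in a shared helper so the four build scripts do not drift.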
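Review bot: `rm -rf "$FRESH_CLONE"` now runs unprivileged, so a `fresh_clone` tree left behind by a build done with the previous script version (created via `sudo rm`/`sudo cp`, hence root-owned) will make this step fail with a permission error and the `&&` chain will stop before `git clone`; the message on failure should say that the stale directory has to be removed once by hand. While touching the line, guard the destructive path against an empty prefix, since `FRESH_CLONE` is built from `$CONTRIB_ANDROID`: `rm -rf -- "${FRESH_CLONE:?}"`. The same chain appears in the `@@ -31`/`@@ -30` hunks of the appimage, sdist and wine `build.sh` in this patch, and the `if` block continues past the hunk.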
@@ -63,5 +63,5 @@ sudo docker run -it --rm \ # make sure resulting binary location is independent of fresh_clone if [ ! -z "$ELECBUILD_COMMIT" ] ; then mkdir --parents "$DISTDIR/" - sudo cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" + cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" fi diff --git a/contrib/build-linux/appimage/Dockerfile b/contrib/build-linux/appimage/Dockerfile index 9ea6eb2ea..9884744a8 100644 --- a/contrib/build-linux/appimage/Dockerfile +++ b/contrib/build-linux/appimage/Dockerfile @@ -56,3 +56,15 @@ RUN apt-get update -q && \ rm -rf /var/lib/apt/lists/* && \ apt-get autoremove -y && \ apt-get clean + +# create new user to avoid using root; but with sudo access and no password for convenience. +ENV USER="user" +ENV HOME_DIR="/home/${USER}" +ENV WORK_DIR="${HOME_DIR}/wspace" \ + PATH="${HOME_DIR}/.local/bin:${PATH}" +RUN useradd --create-home --shell /bin/bash ${USER} +RUN usermod -append --groups sudo ${USER} +RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers +WORKDIR ${WORK_DIR} +RUN chown --recursive ${USER} ${WORK_DIR} +USER ${USER} diff --git a/contrib/build-linux/appimage/build.sh b/contrib/build-linux/appimage/build.sh index 65b361081..6f48142a2 100755 --- a/contrib/build-linux/appimage/build.sh +++ b/contrib/build-linux/appimage/build.sh @@ -22,7 +22,7 @@ if [ ! -z "$ELECBUILD_NOCACHE" ] ; then fi info "building docker image." -sudo docker build \ +docker build \ $DOCKER_BUILD_FLAGS \ -t electrum-appimage-builder-img \ "$CONTRIB_APPIMAGE" @@ -31,7 +31,7 @@ sudo docker build \ if [ ! -z "$ELECBUILD_COMMIT" ] ; then info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout." FRESH_CLONE="$CONTRIB_APPIMAGE/fresh_clone/electrum" && \ - sudo rm -rf "$FRESH_CLONE" && \ + rm -rf "$FRESH_CLONE" && \ umask 0022 && \ git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \ cd "$FRESH_CLONE" 
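Review bot: The added `RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers` (also new in the sdist and wine Dockerfiles in this patch, and already present in the android one) hands the unprivileged `user` an unconditional way back to root, so inside the container `USER ${USER}` changes who owns files on the bind mounts but not what a compromised build dependency can do. If nothing in the build scripts calls `sudo` inside the container — this patch turns `make install || fail` into a warning in `make_libusb.sh` rather than adding `sudo`, which suggests that is the case — the `usermod ... --groups sudo` and sudoers lines can be dropped; if they are kept, writing the rule to `/etc/sudoers.d/${USER}` with mode 0440 leaves `/etc/sudoers` intact and lets `visudo -cf` validate it in the same RUN step. Separately, `useradd` without `--uid` leaves the container uid at the distro default (presumably 1000), so files written to the mounted checkout are owned by that uid and match the host user only by coincidence; `ARG USER_UID=1000` plus `useradd --uid "${USER_UID}" ...`, with `build.sh` passing `--build-arg USER_UID="$(id -u)"`, would make the ownership the commit message promises deterministic.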
@@ -42,7 +42,7 @@ else fi info "building binary..." -sudo docker run -it \ +docker run -it \ --name electrum-appimage-builder-cont \ -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/opt/electrum \ --rm \ @@ -53,5 +53,5 @@ sudo docker run -it \ # make sure resulting binary location is independent of fresh_clone if [ ! -z "$ELECBUILD_COMMIT" ] ; then mkdir --parents "$DISTDIR/" - sudo cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" + cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" fi diff --git a/contrib/build-linux/sdist/Dockerfile b/contrib/build-linux/sdist/Dockerfile index bf7d03850..028940dc8 100644 --- a/contrib/build-linux/sdist/Dockerfile +++ b/contrib/build-linux/sdist/Dockerfile @@ -16,3 +16,15 @@ RUN apt-get update -q && \ rm -rf /var/lib/apt/lists/* && \ apt-get autoremove -y && \ apt-get clean + +# create new user to avoid using root; but with sudo access and no password for convenience. +ENV USER="user" +ENV HOME_DIR="/home/${USER}" +ENV WORK_DIR="${HOME_DIR}/wspace" \ + PATH="${HOME_DIR}/.local/bin:${PATH}" +RUN useradd --create-home --shell /bin/bash ${USER} +RUN usermod -append --groups sudo ${USER} +RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers +WORKDIR ${WORK_DIR} +RUN chown --recursive ${USER} ${WORK_DIR} +USER ${USER} diff --git a/contrib/build-linux/sdist/build.sh b/contrib/build-linux/sdist/build.sh index 5f64c160e..ed969cbdf 100755 --- a/contrib/build-linux/sdist/build.sh +++ b/contrib/build-linux/sdist/build.sh @@ -22,7 +22,7 @@ if [ ! -z "$ELECBUILD_NOCACHE" ] ; then fi info "building docker image." -sudo docker build \ +docker build \ $DOCKER_BUILD_FLAGS \ -t electrum-sdist-builder-img \ "$CONTRIB_SDIST" @@ -31,7 +31,7 @@ sudo docker build \ if [ ! -z "$ELECBUILD_COMMIT" ] ; then info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout." FRESH_CLONE="$CONTRIB_SDIST/fresh_clone/electrum" && \ - sudo rm -rf "$FRESH_CLONE" && \ + rm -rf "$FRESH_CLONE" && \ umask 0022 && \ git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \ cd "$FRESH_CLONE" 
@@ -42,7 +42,7 @@ else fi info "building binary..." -sudo docker run -it \ +docker run -it \ --name electrum-sdist-builder-cont \ -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/opt/electrum \ --rm \ @@ -53,5 +53,5 @@ sudo docker run -it \ # make sure resulting binary location is independent of fresh_clone if [ ! -z "$ELECBUILD_COMMIT" ] ; then mkdir --parents "$DISTDIR/" - sudo cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" + cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" fi diff --git a/contrib/build-wine/Dockerfile b/contrib/build-wine/Dockerfile index 9e66ee1fb..be3a9c1e9 100644 --- a/contrib/build-wine/Dockerfile +++ b/contrib/build-wine/Dockerfile @@ -53,3 +53,18 @@ RUN wget -nc https://dl.winehq.org/wine-builds/Release.key && \ rm -rf /var/lib/apt/lists/* && \ apt-get autoremove -y && \ apt-get clean + +# create new user to avoid using root; but with sudo access and no password for convenience. +ENV USER="user" +ENV HOME_DIR="/home/${USER}" +ENV WORK_DIR="${HOME_DIR}/wspace" \ + PATH="${HOME_DIR}/.local/bin:${PATH}" +RUN useradd --create-home --shell /bin/bash ${USER} +RUN usermod -append --groups sudo ${USER} +RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers +WORKDIR ${WORK_DIR} +RUN chown --recursive ${USER} ${WORK_DIR} +RUN chown ${USER} /opt +USER ${USER} + +RUN mkdir --parents "/opt/wine64/drive_c/electrum" diff --git a/contrib/build-wine/build-electrum-git.sh b/contrib/build-wine/build-electrum-git.sh index 1dbe1511d..3bfcbbd76 100755 --- a/contrib/build-wine/build-electrum-git.sh +++ b/contrib/build-wine/build-electrum-git.sh @@ -31,7 +31,7 @@ for i in ./locale/*; do done popd -find -exec touch -d '2000-11-11T11:11:11+00:00' {} + +find -exec touch -h -d '2000-11-11T11:11:11+00:00' {} + popd 
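Review bot: `RUN mkdir --parents "/opt/wine64/drive_c/electrum"` runs after `USER ${USER}`, and the preceding `RUN chown ${USER} /opt` is not recursive, so this step only succeeds if `/opt/wine64/drive_c` does not exist yet or is already writable by `user`; if an earlier step of this Dockerfile (outside the hunk) populated `/opt/wine64` as root, the image build breaks here. Either move the mkdir above `USER` and chown the directory, or document the assumption on the line: `# mount point for the electrum checkout (build.sh -v ...); created as ${USER} so the bind-mounted tree has a user-owned parent`. The `useradd`/sudoers block duplicated here is reviewed on the appimage Dockerfile hunk.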
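Review bot: `find -exec touch -h -d '2000-11-11T11:11:11+00:00' {} +` relies on GNU find's implicit `.` starting point; POSIX find requires a path, so `find . -exec touch -h -d '2000-11-11T11:11:11+00:00' {} +` is portable and makes the scope obvious. The same form appears in the `@@ -60` hunk of this file and in `make_win.sh`. Adding `-h` is the right change for symlinks in the tree; a one-line comment such as `# -h: stamp symlinks themselves rather than their targets, for a reproducible tree` would explain the flag to the next reader.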
@@ -60,7 +60,7 @@ wine "$WINE_PYHOME/scripts/pyinstaller.exe" --noconfirm --ascii --clean --name $ # set timestamps in dist, in order to make the installer reproducible pushd dist -find -exec touch -d '2000-11-11T11:11:11+00:00' {} + +find -exec touch -h -d '2000-11-11T11:11:11+00:00' {} + popd info "building NSIS installer" diff --git a/contrib/build-wine/build.sh b/contrib/build-wine/build.sh index 48d21f3e4..3f7d3cb6f 100755 --- a/contrib/build-wine/build.sh +++ b/contrib/build-wine/build.sh @@ -21,7 +21,7 @@ if [ ! -z "$ELECBUILD_NOCACHE" ] ; then fi info "building docker image." -sudo docker build \ +docker build \ $DOCKER_BUILD_FLAGS \ -t electrum-wine-builder-img \ "$CONTRIB_WINE" @@ -30,7 +30,7 @@ sudo docker build \ if [ ! -z "$ELECBUILD_COMMIT" ] ; then info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout." FRESH_CLONE="$CONTRIB_WINE/fresh_clone/electrum" && \ - sudo rm -rf "$FRESH_CLONE" && \ + rm -rf "$FRESH_CLONE" && \ umask 0022 && \ git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \ cd "$FRESH_CLONE" @@ -41,7 +41,7 @@ else fi info "building binary..." -sudo docker run -it \ +docker run -it \ --name electrum-wine-builder-cont \ -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/opt/wine64/drive_c/electrum \ --rm \ @@ -52,5 +52,5 @@ sudo docker run -it \ # make sure resulting binary location is independent of fresh_clone if [ ! -z "$ELECBUILD_COMMIT" ] ; then mkdir --parents "$PROJECT_ROOT/contrib/build-wine/dist/" - sudo cp -f "$FRESH_CLONE/contrib/build-wine/dist"/*.exe "$PROJECT_ROOT/contrib/build-wine/dist/" + cp -f "$FRESH_CLONE/contrib/build-wine/dist"/*.exe "$PROJECT_ROOT/contrib/build-wine/dist/" fi diff --git a/contrib/build-wine/make_win.sh b/contrib/build-wine/make_win.sh index c3448da84..18be42a7d 100755 --- a/contrib/build-wine/make_win.sh +++ b/contrib/build-wine/make_win.sh 
@@ -64,7 +64,7 @@ fi info "Resetting modification time in C:\Python..." # (Because of some bugs in pyinstaller) pushd /opt/wine64/drive_c/python* -find -exec touch -d '2000-11-11T11:11:11+00:00' {} + +find -exec touch -h -d '2000-11-11T11:11:11+00:00' {} + popd ls -l /opt/wine64/drive_c/python* diff --git a/contrib/make_libusb.sh b/contrib/make_libusb.sh index 20e3f27c3..6f4bcf4e7 100755 --- a/contrib/make_libusb.sh +++ b/contrib/make_libusb.sh @@ -48,7 +48,7 @@ info "Building $pkgname..." || fail "Could not configure $pkgname. Please make sure you have a C compiler installed and try again." fi make -j4 || fail "Could not build $pkgname" - make install || fail "Could not install $pkgname" + make install || warn "Could not install $pkgname" . "$here/$pkgname/libusb/.libs/libusb-1.0.la" host_strip "$here/$pkgname/libusb/.libs/$dlname" TARGET_NAME="$dlname"
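Review bot: Downgrading `make install || fail` to `warn` masks every install failure, not just the permission error that is presumably the motivation now that the container no longer runs as root, and the script then continues with the in-tree `.libs` artifacts without saying why. If the system-wide install is no longer needed the call should go; if it is merely expected to fail without root, say so in the message so a real build problem is not mistaken for the expected case: `make install || warn "Could not install $pkgname system-wide (expected when not running as root); using in-tree build output"`. The body this line sits in continues outside the hunk.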