@@ -27,6 +27,11 @@ export P_CI_DIR="$PWD"
2727
2828if  [ -z  " $DANGER_RUN_CI_ON_HOST "   ];  then 
2929  echo  " Creating $DOCKER_NAME_TAG  container to run in" 
30+   LOCAL_UID=$( id -u) 
31+   LOCAL_GID=$( id -g) 
32+ 
33+   #  the name isn't important, so long as we use the same UID
34+   LOCAL_USER=nonroot
3035  ${CI_RETRY_EXE}  docker pull " $DOCKER_NAME_TAG " 
3136
3237  if  [ -n  " ${RESTART_CI_DOCKER_BEFORE_RUN} "   ] ;  then 
@@ -44,34 +49,47 @@ if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
4449                  --env-file /tmp/env \ 
4550                  --name $CONTAINER_NAME  \ 
4651                  $DOCKER_NAME_TAG )  
47-   export  DOCKER_CI_CMD_PREFIX=" docker exec $DOCKER_ID " 
52+ 
53+   #  Create a non-root user inside the container which matches the local user.
54+   # 
55+   #  This prevents the root user in the container modifying the local file system permissions
56+   #  on the mounted directories
57+   docker exec  " $DOCKER_ID "   useradd -u " $LOCAL_UID "   -o -m " $LOCAL_USER " 
58+   docker exec  " $DOCKER_ID "   groupmod -o -g " $LOCAL_GID "   " $LOCAL_USER " 
59+   docker exec  " $DOCKER_ID "   chown -R " $LOCAL_USER "  :" $LOCAL_USER "   " ${BASE_ROOT_DIR} " 
60+   export  DOCKER_CI_CMD_PREFIX_ROOT=" docker exec -u 0 $DOCKER_ID " 
61+   export  DOCKER_CI_CMD_PREFIX=" docker exec -u $LOCAL_UID  $DOCKER_ID " 
4862else 
4963  echo  " Running on host system without docker wrapper" 
5064fi 
5165
5266CI_EXEC  () {
5367  $DOCKER_CI_CMD_PREFIX  bash -c " export PATH=$BASE_SCRATCH_DIR /bins/:\$ PATH && cd \" $P_CI_DIR \"  && $* " 
5468}
69+ CI_EXEC_ROOT  () {
70+   $DOCKER_CI_CMD_PREFIX_ROOT  bash -c " export PATH=$BASE_SCRATCH_DIR /bins/:\$ PATH && cd \" $P_CI_DIR \"  && $* " 
71+ }
5572export  -f CI_EXEC
73+ export  -f CI_EXEC_ROOT
5674
5775if  [ -n  " $DPKG_ADD_ARCH "   ];  then 
58-   CI_EXEC  dpkg --add-architecture " $DPKG_ADD_ARCH " 
76+   CI_EXEC_ROOT  dpkg --add-architecture " $DPKG_ADD_ARCH " 
5977fi 
6078
6179if  [[ $DOCKER_NAME_TAG  ==  * centos*  ]];  then 
62-   ${CI_RETRY_EXE}  CI_EXEC  dnf -y install epel-release
63-   ${CI_RETRY_EXE}  CI_EXEC  dnf -y --allowerasing install " $DOCKER_PACKAGES "   " $PACKAGES " 
80+   ${CI_RETRY_EXE}  CI_EXEC_ROOT  dnf -y install epel-release
81+   ${CI_RETRY_EXE}  CI_EXEC_ROOT  dnf -y --allowerasing install " $DOCKER_PACKAGES "   " $PACKAGES " 
6482elif  [ " $CI_USE_APT_INSTALL "   !=  " no"   ];  then 
6583  if  [[ " ${ADD_UNTRUSTED_BPFCC_PPA} "   ==  " true"   ]];  then 
6684    #  Ubuntu 22.04 LTS and Debian 11 both have an outdated bpfcc-tools packages.
6785    #  The iovisor PPA is outdated as well. The next Ubuntu and Debian releases will contain updated
6886    #  packages. Meanwhile, use an untrusted PPA to install an up-to-date version of the bpfcc-tools
6987    #  package.
7088    #  TODO: drop this once we can use newer images in GCE
71-     CI_EXEC  add-apt-repository ppa:hadret/bpfcc
89+     CI_EXEC_ROOT  add-apt-repository ppa:hadret/bpfcc
7290  fi 
73-   ${CI_RETRY_EXE}  CI_EXEC  apt-get update
74-   ${CI_RETRY_EXE}  CI_EXEC  apt-get install --no-install-recommends --no-upgrade -y " $PACKAGES "   " $DOCKER_PACKAGES " 
91+   ${CI_RETRY_EXE}  CI_EXEC_ROOT  apt-get update
92+   ${CI_RETRY_EXE}  CI_EXEC_ROOT  apt-get install --no-install-recommends --no-upgrade -y " $PACKAGES "   " $DOCKER_PACKAGES " 
7593fi 
7694
7795if  [ -n  " $PIP_PACKAGES "   ];  then 
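Review bot: The non-root scheme on lines 57–61 silently degrades when the host runner is itself root: `useradd -u "$LOCAL_UID" -o` then creates a second UID-0 account and `docker exec -u 0` runs everything as root, contrary to the comment on line 53. A one-line guard before the useradd would make that visible, e.g. `[ "$LOCAL_UID" -ne 0 ] || echo "WARNING: host user is root; container commands will also run as root" >&2`. The exec prefix on line 61 also pins only the UID; passing `-u "$LOCAL_UID:$LOCAL_GID"` would not depend on groupmod having rewritten the primary group in the passwd entry created by useradd. The enclosing `if [ -z "$DANGER_RUN_CI_ON_HOST" ]` block starts before this hunk.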
@@ -126,7 +144,7 @@ if [[ "${RUN_TIDY}" == "true" ]]; then
126144    CI_EXEC " mkdir -p ${DIR_IWYU} /build/" 
127145    CI_EXEC " git clone --depth=1 https://github.com/include-what-you-use/include-what-you-use -b clang_14 ${DIR_IWYU} /include-what-you-use" 
128146    CI_EXEC " cd ${DIR_IWYU} /build && cmake -G 'Unix Makefiles' -DCMAKE_PREFIX_PATH=/usr/lib/llvm-14 ../include-what-you-use" 
129-     CI_EXEC  " cd ${DIR_IWYU} /build && make install $MAKEJOBS " 
147+     CI_EXEC_ROOT  " cd ${DIR_IWYU} /build && make install $MAKEJOBS " 
130148  fi 
131149fi 
132150