2525
2626set -e
2727
28- COMMAND=(" $@ "
28+ # NOTE: sudo uses the env_reset option to reset environment variables to a secure bare minimum.
29+ # The --preserve-env option below passes those variables through to the invoked process; however,
30+ # this appears not to affect the environment used with execve, so we resolve the binary to run
31+ # in this file using the $PATH specified in the Dockerfile.
32+ COMMAND=( " $( which " $1 " ) "
33+ shift
34+ COMMAND=( " ${COMMAND[@]} " " $@ "
2935
3036if ! touch /this_is_writable_file_system; then
3137 echo " You can't write to your filesystem!"
@@ -50,14 +56,14 @@ getent passwd "${CI_BUILD_UID}" || adduser --force-badname --gid "${CI_BUILD_GID
5056usermod -a -G sudo -G tvm-venv " ${CI_BUILD_USER} "
5157
5258# Add user to video group for ROCm
53- if [[ ! -z $ ROCM_ENABLED; then
59+ if [[ ! -z " ${ ROCM_ENABLED-} " ; then
5460 usermod -a -G video " ${CI_BUILD_USER} "
5561fi
5662
5763# This is a grotesque hack to get PYTEST_ADD_OPTS available to all task scripts.
5864echo " ${CI_BUILD_USER} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/90-nopasswd-sudo
5965
60- if [[ ! -z $ CUDA_VISIBLE_DEVICES; then
66+ if [[ ! -z " ${ CUDA_VISIBLE_DEVICES-} " ; then
6167 CUDA_ENV=" CUDA_VISIBLE_DEVICES=${CUDA_VISIBLE_DEVICES} "
6268else
6369 CUDA_ENV=" "
@@ -67,8 +73,8 @@ sudo -u "#${CI_BUILD_UID}" --preserve-env \
6773${CUDA_ENV} \
6874PATH=${PATH} \
6975JAVA_HOME=${JAVA_HOME} \
70- LD_LIBRARY_PATH=${LD_LIBRARY_PATH} \
71- PYTHONPATH=${PYTHONPATH} \
72- CI_IMAGE_NAME=${CI_IMAGE_NAME} \
73- HOME=${CI_BUILD_HOME} \
76+ LD_LIBRARY_PATH=" ${LD_LIBRARY_PATH-} "
77+ PYTHONPATH=" ${PYTHONPATH-} "
78+ CI_IMAGE_NAME=" ${CI_IMAGE_NAME-} "
79+ HOME=" ${CI_BUILD_HOME-} "
7480" ${COMMAND[@]} "
0 commit comments