DO NOT MERGE (yet) - Fix gnupg/rpm/deb containers

dockerfiles/deb/Dockerfile

@@ -20,4 +20,5 @@ LABEL summary="DEB packaging/signing toolchain" \
 USER root
 RUN apt-get install -yq --no-install-recommends reprepro
 
-USER nonroot:nonroot
+ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
+CMD ["reprepro --version", "/bin/bash"]

dockerfiles/gnupg/Dockerfile

@@ -6,8 +6,6 @@ FROM docker.io/library/ubuntu:latest
 ARG GPG_KEYID=9D4B2B6EB8F97156D19669A9FF0812D491B96798
 ARG VCS_REF=master
 ARG BUILD_DATE=""
-ARG UID=1000
-ARG GID=1000
 
 # metadata
 LABEL summary="Base image for GnuPG operations" \
@@ -23,14 +21,10 @@ LABEL summary="Base image for GnuPG operations" \
 
 RUN apt-get update && apt-get install -yq --no-install-recommends bash ca-certificates curl gnupg
 
-RUN set -x \
-    && groupadd -g $GID nonroot \
-    && useradd -u $UID -g $GID -s /bin/bash -m nonroot
-
-USER nonroot:nonroot
+COPY gnupg/entrypoint.sh /usr/local/bin/entrypoint.sh
 
 RUN curl -LfSs "https://keyserver.ubuntu.com/pks/lookup?op=get&search=0x${GPG_KEYID}&options=mr&exact=on" | gpg --import - \
   && gpg --list-keys
 
-WORKDIR /home/nonroot
-CMD ["/bin/bash"]
+ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
+CMD ["gpg --version | head -n1", "/bin/bash"]

dockerfiles/gnupg/README.md

@@ -1,8 +1,16 @@
 # gnupg
 
 Docker image based on [official Ubuntu image](https://hub.docker.com/_/ubuntu) ubuntu:latest.
+Used as base for tooling that requires gnupg. GPG usually requires working with the gpg-agent.
+Using the gpg-agent in a rootless context can be challenging as you will need to align the UID
+in the container with the UIDs of your local system.
 
-Used as base for tooling that requires gnupg.
+While we could make an image with UID that could be passed as ARG, this will likely always endup
+being the wrong UID. For this reason, this image is creating the users at runtime.
+By default, the UID is `1000` but you may customize it using the `LOCAL_USER_ID` environment variable.
+
+This will allow downstream images such as `paritytech/rpm` and `paritytech/deb` to be ran with the "right"
+UID and allows mapping the gpg-agent socket for the right UID.
 
 **Tools:**
 
@@ -16,3 +24,17 @@ Used as base for tooling that requires gnupg.
 ```Dockerfile
 FROM docker.io/paritytech/gnupg:latest
 ```
+
+In your downstream image, you will want to set the `ENTRYPOINT` as:
+```
+ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
+```
+
+You can check the `rpm` and `deb` images for sample use.
+
+## Tests
+
+You need to install [container-structure-test](https://github.com/GoogleContainerTools/container-structure-test) then run:
+```
+container-structure-test test --image $REGISTRY_PATH/gnupg --config tests/quick.yaml
+```

dockerfiles/gnupg/entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+USER_ID=${LOCAL_USER_ID:-1000}
+
+echo "Starting with UID : $USER_ID"
+
+if [ -d "/home/user" ]; then
+    useradd --shell /bin/bash -u $USER_ID -o -c "" -M user
+  else
+    useradd --shell /bin/bash -u $USER_ID -o -c "" -m user
+fi
+echo "User 'user' created"
+
+export HOME=/home/user
+chown -R user $HOME
+mkdir -p $HOME/.gnupg
+chmod 700 $HOME/.gnupg
+chown -R user $HOME/.gnupg
+
+exec chroot --userspec=user / sh -c "cd ${HOME}; $@"

dockerfiles/gnupg/tests/quick.yaml

@@ -0,0 +1,29 @@
+schemaVersion: '2.0.0'
+
+commandTests:
+  - name: "root"
+    setup: []
+    command: "whoami"
+    args: []
+    expectedOutput: ["root"]
+  - name: "uid"
+    setup: []
+    command: "id"
+    args: ["-u"]
+    expectedOutput: ["0"]
+  - name: "gid"
+    setup: []
+    command: "id"
+    args: ["-g"]
+    expectedOutput: ["0"]
+  - name:  "apt-get upgrade"
+    command: "apt-get"
+    args: ["-qqs", "upgrade"]
+    excludedOutput: [".*Inst.*Security.* | .*Security.*Inst.*"]
+    excludedError: [".*Inst.*Security.* | .*Security.*Inst.*"]
+metadataTest:
+  labels:
+    - key: maintainer
+      value: devops-team@parity.io
+  exposedPorts: []
+  volumes: []

dockerfiles/rpm/Dockerfile

@@ -19,7 +19,11 @@ LABEL summary="RPM packaging/signing toolchain" \
 
 USER root
 RUN apt-get install -yq --no-install-recommends rpm
+RUN ln -s /usr/bin/gpg /usr/bin/gpg2
 
-USER nonroot:nonroot
+COPY rpm/rpmmacros /home/user/.rpmmacros
+COPY rpm/rpmmacros /root/.rpmmacros
 
-COPY rpm/rpmmacros /home/nonroot/.rpmmacros
+ENTRYPOINT [ "/usr/local/bin/entrypoint.sh" ]
+
+CMD ["rpm --version", "/bin/bash"]

dockerfiles/rpm/rpmmacros

@@ -1,5 +1,5 @@
 %_signature gpg
-%_gpg_path /home/nonroot/.gnupg
+%_gpg_path /home/user/.gnupg
 %_gpg_name security@parity.io
 %_gpg /usr/bin/gpg
 %__gpg_sign_cmd %{__gpg} gpg --force-v3-sigs --batch --verbose --no-armor -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}

dockerfiles/rpm/tests/quick.yaml

@@ -0,0 +1,31 @@
+schemaVersion: '2.0.0'
+globalEnvVars:
+  - key: "LOCAL_USER_ID"
+    value: "1005"
+
+# Quick set of tests
+fileExistenceTests:
+  - name: 'Check presence of .rpmmacros'
+    path: '/home/user/.rpmmacros'
+    shouldExist: true
+    permissions: -rw-r--r--
+commandTests:
+  - name:  "apt-get upgrade"
+    command: "apt-get"
+    args: ["-qqs", "upgrade"]
+    excludedOutput: [".*Inst.*Security.* | .*Security.*Inst.*"]
+    excludedError: [".*Inst.*Security.* | .*Security.*Inst.*"]
+  - name:  "rpm version"
+    command: "rpm"
+    args: ["--version"]
+    expectedOutput: ["RPM"]
+  - name:  "gpg2 version"
+    command: "gpg2"
+    args: ["--version"]
+    expectedOutput: ["gpg.*2.*"]
+metadataTest:
+  labels:
+    - key: maintainer
+      value: devops-team@parity.io
+  exposedPorts: []
+  volumes: []