
Commit 1c183aa

run-in-node-container: support rootless mode
run-in-node-container is used for javascript "rollup", so the tools running in the container produce files which must be owned by the user on the host. To achieve this, the docker run --user option is used to ensure that the tools in the container are run as the host user.

However, with rootless mode - apparently in both docker and podman, but I'm using podman - a user namespace is used and users in the container are mapped to a range of users on the host. This means that if we run a command as root in the container, this corresponds to the host user. When we specify --user, this results in a different host user being used.

There are apparently two ways of achieving what we want - not using --user so that the commands run as root in the container, which is mapped to the desired host user. Or we can use --userns keep-id which means a 1:1 user mapping is used, and the user specified by --user corresponds to the same user on the host. The former seems more like how you'd typically use this mode.

And so we detect rootless mode using "docker system info", and avoid the --user flag in this case. Podman reports "rootless: (true|false)", whereas docker just includes a "rootless" keyword.

For more on this, see:
https://www.redhat.com/sysadmin/user-flag-rootless-containers
https://docs.docker.com/engine/security/rootless
pre-commit/pre-commit#1243
pre-commit/pre-commit#1484

(Note: all of the above applies even without SELinux and was tested with "setenforce 0")
1 parent f214182 commit 1c183aa
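The detection described in the commit message, written out as an added example that is not the project's hack/run-in-node-container.sh: it parses constructed sample output modelled on the two formats the message names (a bare "rootless" keyword for docker, "rootless: true|false" for podman) and builds the `run` argument list with or without `--user`. The sample texts, the `is_rootless` and `build_run_cmd` names, and the uid/gid values are all assumptions made for the example; no container engine is invoked.

```shell
# Added example, not the project's hack/run-in-node-container.sh: detect rootless
# mode from the text of "docker system info" / "podman system info" and decide
# whether "--user" is needed. All sample outputs below are constructed.

# Constructed sample: a rootful docker daemon mentions no "rootless" at all.
DOCKER_ROOTFUL_INFO='Server:
 Security Options:
  seccomp
   Profile: builtin'

# Constructed sample: a rootless docker daemon lists the bare word "rootless"
# under Security Options.
DOCKER_ROOTLESS_INFO='Server:
 Security Options:
  seccomp
   Profile: builtin
  rootless
  cgroupns'

# Constructed samples: podman prints an explicit "rootless: true|false".
PODMAN_ROOTLESS_INFO='host:
  os: linux
  rootless: true'
PODMAN_ROOTFUL_INFO='host:
  os: linux
  rootless: false'

# is_rootless INFO_TEXT
# Returns 0 when the engine runs rootless. Matches a whole line that is either
# the word "rootless" (docker) or "rootless: true" (podman). The line is
# anchored at both ends so a value such as "Name: build-rootless" cannot match.
# POSIX ERE, so GNU and BSD grep both accept it.
is_rootless() {
  printf '%s\n' "$1" | grep -qE '^[[:space:]]*rootless(: true)?[[:space:]]*$'
}

# build_run_cmd INFO_TEXT UID GID
# Prints, on one line, the "run" arguments that keep files written in the
# container owned by the host user: "--user UID:GID" on a rootful engine,
# nothing on a rootless one, where root inside the container already maps to
# the host user. POSIX sh has no arrays, so the arguments are accumulated in
# the positional parameters with "set --" rather than through unquoted word
# splitting of a string.
build_run_cmd() {
  info=$1 uid=$2 gid=$3
  set -- run --rm -i
  if ! is_rootless "$info"; then
    set -- "$@" --user "$uid:$gid"
  fi
  set -- "$@" -e HOME=/tmp
  printf '%s\n' "$*"
}

# Demonstration on the constructed samples (uid/gid 1000 are assumed values).
build_run_cmd "$DOCKER_ROOTFUL_INFO" 1000 1000
build_run_cmd "$DOCKER_ROOTLESS_INFO" 1000 1000
build_run_cmd "$PODMAN_ROOTFUL_INFO" 1000 1000
build_run_cmd "$PODMAN_ROOTLESS_INFO" 1000 1000
```

In a real script the last `set --` line would be followed by the image and command, and the engine invoked as `"${DOCKER[@]}" "$@"`; the point of the `set --` idiom is that an absent `--user` contributes no argument at all, without any unquoted expansion.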

1 file changed

Lines changed: 13 additions & 3 deletions


hack/run-in-node-container.sh

@@ -33,16 +33,26 @@ elif ! (command -v docker >/dev/null); then
3333
echo "WARNING: docker not installed; please install docker or try setting NO_DOCKER=true" >&2
3434
exit 1
3535
fi
36+
37+
# We are running as the current host user/group so the files produced are
38+
# owned appropriately on the host.
39+
# With rootless mode, this happens without the need for a --user option.
40+
# https://www.redhat.com/sysadmin/user-flag-rootless-containers
41+
# Docker includes the "rootless" keyword in its "system info" output,
42+
# whereas podman includes "rootless: (true|false)".
43+
DOCKER_USER=""
44+
if ! "${DOCKER[@]}" system info | grep -q "rootless\(: true\)\?$"; then
45+
DOCKER_USER="--user $(id -u):$(id -g)"
46+
fi
47+
3648
# NOTE: yarn tries to read configs under $HOME and fails if it can't,
3749
# we don't need these configs but we need it to not fail.
3850
# We set HOME to somewhere read/write-able by any user, since our uid will not
3951
# exist in /etc/passwd in the node image and yarn will try to read from / and
4052
# fail instead if we don't.
41-
# We are running as the current host user/group so the files produced are
42-
# owned appropriately on the host.
4353
"${DOCKER[@]}" run \
4454
--rm -i \
45-
--user $(id -u):$(id -g) \
55+
${DOCKER_USER} \
4656
-e HOME=/tmp \
4757
-v "${REPO_ROOT:?}:${REPO_ROOT:?}" -w "${REPO_ROOT}" \
4858
"${NODE_IMAGE}" \
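Review bot: `${DOCKER_USER}` on the `run` command (line `55+`) is an unquoted string that relies on word splitting to turn `--user 1000:1000` into two arguments, which is inconsistent with the `"${DOCKER[@]}"` array style used on the same line and will be flagged by shellcheck; consider `DOCKER_USER=()` and `DOCKER_USER=(--user "$(id -u):$(id -g)")`, then `"${DOCKER_USER[@]}"` in the `run` line. Two smaller points on the detection at line `44+`: `\?` is a GNU extension to BRE, so `grep -qE 'rootless(: true)?$'` is the portable spelling, and because the pattern is anchored only at the end, any `system info` line that happens to end in `rootless` (a host name, for instance) would also select rootless mode; `^[[:space:]]*rootless(: true)?$` restricts the match to the documented docker keyword line and podman `rootless: true` line. Finally, if `set -o pipefail` is in effect earlier in the script, `grep -q` exiting on the first match can leave `system info` with a SIGPIPE failure and flip the `if !` to the rootful branch; replacing `-q` with a redirect of grep's output to /dev/null avoids that.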
