
Merge branch 'wip-libvirt' into 'master'

enough: prevent contain/host group id conflicts

Closes #324

See merge request main/infrastructure!417
keep-around/31437bc03e1cdc7146379b0e04de12388f523f96
Loïc Dachary 5 months ago
parent
commit
31437bc03e
  1. 14
      enough/common/data/base.dockerfile

14
enough/common/data/base.dockerfile

@ -10,9 +10,14 @@ ENV KVM_GID ${KVM_GID:-108}
ARG USER_ID
ENV USER_ID ${USER_ID:-0}
#
# The intention is to reduce the chances of conflict between the host libvirt & kvm system groups
# ids and the container system group ids.
#
RUN sed -i.backup -e 's/FIRST_SYSTEM_GID=.*/FIRST_SYSTEM_GID=500/' -e 's/FIRST_SYSTEM_UID=.*/FIRST_SYSTEM_UID=500/' /etc/adduser.conf
RUN apt-get update && \
apt-get install --quiet -y curl virtualenv python3 gcc libffi-dev libssl-dev python3-dev make git rsync \
systemd systemd-sysv sudo openvpn \
systemd systemd-sysv sudo openvpn \
openssh-server libvirt-dev
RUN groupadd --gid $DOCKER_GID docker
RUN curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh
@ -20,6 +25,13 @@ RUN curl -L "https://github.com/docker/compose/releases/download/1.24.0/docker-c
RUN groupadd --gid $LIBVIRT_GID libvirt
RUN groupadd --gid $KVM_GID kvm
#
# Go back to where system group ids start because sanity checks may be made on
# the kvm & libvirt groups and fail if they are not in the system range. For
# instance if the host has kvm == 106 and FIRST_SYSTEM_GID == 500 in the container,
# kvm will not be considered to be a system group.
#
RUN mv /etc/adduser.conf.backup /etc/adduser.conf
RUN if test $USER_NAME != root ; then useradd --no-create-home --home-dir /tmp --uid $USER_ID --groups $DOCKER_GID,$LIBVIRT_GID,$KVM_GID $USER_NAME && echo "$USER_NAME ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers ; fi
ENV REQUESTS_CA_BUNDLE /etc/ssl/certs
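Review bot: The `RUN sed -i.backup … /etc/adduser.conf` step in the first hunk silently becomes a no-op if the base image's adduser.conf does not carry uncommented `FIRST_SYSTEM_GID=`/`FIRST_SYSTEM_UID=` lines — sed exits 0 whether or not a substitution happened, and the unanchored pattern would also rewrite a commented `# FIRST_SYSTEM_GID=…` line without changing the effective setting — so the id relocation this commit depends on could be lost unnoticed after a base-image bump. Anchoring the patterns and checking the outcome in the same layer makes that failure loud: `RUN sed -i.backup -e 's/^FIRST_SYSTEM_GID=.*/FIRST_SYSTEM_GID=500/' -e 's/^FIRST_SYSTEM_UID=.*/FIRST_SYSTEM_UID=500/' /etc/adduser.conf && grep -q '^FIRST_SYSTEM_GID=500$' /etc/adduser.conf && grep -q '^FIRST_SYSTEM_UID=500$' /etc/adduser.conf`. A comment there would also spare the next reader a trip to the man page: `# adduser.conf is honoured by adduser/addgroup (what package maintainer scripts call); the groupadd/useradd steps below pass explicit ids and are not affected, which is why the backup is restored only after the libvirt/kvm groups exist.` The second hunk's header announces 13 new-side lines but only 11 are visible here, so that hunk may be truncated in this view. Separately, `systemd systemd-sysv sudo openvpn \` appears twice in the apt-get package list; if that duplication is in the file rather than a rendering artifact, one copy can be dropped.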
