hazza/docker-stacks
1
0
Fork 0
mirror of https://github.com/jupyter/docker-stacks.git synced 2025-10-16 06:22:56 +00:00
Code Issues Packages Projects Releases Wiki Activity

[FAST_BUILD] No sudo when run with rootless triplet (#2132)

Browse Source 
* No sudo when run with rootless triplet

-  rootless triplet: -e NB_USER=root -e NB_UID=0 -e NB_GID=0

* Add tests for rootless triplet

* Update tests for rootless triplet

* Fix tests for rootless triplet
This commit is contained in:
Olivier Benz
2024-08-11 17:50:27 +02:00
committed by GitHub
parent e6b5e74ba4
commit 6f74c72a92
2 changed files with 48 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
images/docker-stacks-foundation/start.sh
View File

@@ -155,11 +155,14 @@ if [ "$(id -u)" == 0 ]; then
unset_explicit_env_vars unset_explicit_env_vars
_log "Running as ${NB_USER}:" "${cmd[@]}" _log "Running as ${NB_USER}:" "${cmd[@]}"
exec sudo --preserve-env --set-home --user "${NB_USER}" \ if [ "${NB_USER}" = "root" ] && [ "${NB_UID}" = "$(id -u "${NB_USER}")" ] && [ "${NB_GID}" = "$(id -g "${NB_USER}")" ]; then
LD_LIBRARY_PATH="${LD_LIBRARY_PATH}" \ HOME="/home/root" exec "${cmd[@]}"
PATH="${PATH}" \ else
PYTHONPATH="${PYTHONPATH:-}" \ exec sudo --preserve-env --set-home --user "${NB_USER}" \
"${cmd[@]}" LD_LIBRARY_PATH="${LD_LIBRARY_PATH}" \
PATH="${PATH}" \
PYTHONPATH="${PYTHONPATH:-}" \
"${cmd[@]}"
# Notes on how we ensure that the environment that this container is started # Notes on how we ensure that the environment that this container is started
# with is preserved (except vars listed in JUPYTER_ENV_VARS_TO_UNSET) when # with is preserved (except vars listed in JUPYTER_ENV_VARS_TO_UNSET) when
# we transition from running as root to running as NB_USER. # we transition from running as root to running as NB_USER.
@@ -187,6 +190,7 @@ if [ "$(id -u)" == 0 ]; then
# above in /etc/sudoers.d/path. Thus PATH is irrelevant to how the above # above in /etc/sudoers.d/path. Thus PATH is irrelevant to how the above
# sudo command resolves the path of `${cmd[@]}`. The PATH will be relevant # sudo command resolves the path of `${cmd[@]}`. The PATH will be relevant
# for resolving paths of any subprocesses spawned by `${cmd[@]}`. # for resolving paths of any subprocesses spawned by `${cmd[@]}`.
fi
# The container didn't start as the root user, so we will have to act as the # The container didn't start as the root user, so we will have to act as the
# user we started as. # user we started as.

39
tests/docker-stacks-foundation/test_user_options.py
View File

@@ -305,3 +305,42 @@ def test_startsh_multiple_exec(container: TrackedContainer) -> None:
"WARNING: start.sh is the default ENTRYPOINT, do not include it in CMD" "WARNING: start.sh is the default ENTRYPOINT, do not include it in CMD"
in warnings[0] in warnings[0]
) )
def test_rootless_triplet_change(container: TrackedContainer) -> None:
"""Container should change the username (`NB_USER`), the UID and the GID of the default user."""
logs = container.run_and_wait(
timeout=10,
tty=True,
user="root",
environment=["NB_USER=root", "NB_UID=0", "NB_GID=0"],
command=["id"],
)
assert "uid=0(root)" in logs
assert "gid=0(root)" in logs
assert "groups=0(root)" in logs
def test_rootless_triplet_home(container: TrackedContainer) -> None:
"""Container should change the home directory for triplet NB_USER=root, NB_UID=0, NB_GID=0."""
logs = container.run_and_wait(
timeout=10,
tty=True,
user="root",
environment=["NB_USER=root", "NB_UID=0", "NB_GID=0"],
command=["bash", "-c", "echo HOME=${HOME} && getent passwd root"],
)
assert "HOME=/home/root" in logs
assert "root:x:0:0:root:/home/root:/bin/bash" in logs
def test_rootless_triplet_sudo(container: TrackedContainer) -> None:
"""Container should not be started with sudo for triplet NB_USER=root, NB_UID=0, NB_GID=0."""
logs = container.run_and_wait(
timeout=10,
tty=True,
user="root",
environment=["NB_USER=root", "NB_UID=0", "NB_GID=0"],
command=["env"],
)
assert "SUDO" not in logs