sergiotarxz/termux-packages
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Use non-root user when using docker

Browse Source 
We now use a non-root user when building packages using a docker
container. This allows detecting misconfigured packages which try
to install files outside of $TERMUX_PREFIX or otherwise mess with
the system during a build.
This commit is contained in:
Fredrik Fornwall 2017-01-22 23:13:48 +01:00
parent 71430aa64e
commit e59984067b
2 changed files with 17 additions and 19 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
scripts/Dockerfile
View File

@ -9,26 +9,28 @@ FROM ubuntu:16.10
# Fix locale to avoid warnings: # Fix locale to avoid warnings:
ENV LANG C.UTF-8 ENV LANG C.UTF-8
# We expect this to be mounted with '-v $PWD:/root/termux-packages':
WORKDIR /root/termux-packages
# Needed for setup: # Needed for setup:
ADD ./setup-ubuntu.sh /tmp/setup-ubuntu.sh ADD ./setup-ubuntu.sh /tmp/setup-ubuntu.sh
ADD ./setup-android-sdk.sh /tmp/setup-android-sdk.sh ADD ./setup-android-sdk.sh /tmp/setup-android-sdk.sh
# Allow configure to be run as root:
ENV FORCE_UNSAFE_CONFIGURE 1
# Setup needed packages and the Android SDK and NDK: # Setup needed packages and the Android SDK and NDK:
RUN apt-get update && \ RUN apt-get update && \
DEBIAN_FRONTEND=noninteractive apt-get install -yq sudo && \ apt-get -yq upgrade && \
/tmp/setup-ubuntu.sh && \ apt-get install -yq sudo && \
apt-get clean && \ adduser --disabled-password --shell /bin/bash --gecos "" builder && \
/tmp/setup-android-sdk.sh && \ echo "builder ALL=(root) NOPASSWD:ALL" > /etc/sudoers.d/builder && \
chmod 0440 /etc/sudoers.d/builder && \
su - builder -c /tmp/setup-ubuntu.sh && \
su - builder -c /tmp/setup-android-sdk.sh && \
# Removed unused parts to make a smaller Docker image: # Removed unused parts to make a smaller Docker image:
cd /root/lib/android-ndk/ && \ apt-get clean && \
rm -rf /var/lib/apt/lists/* && \
cd /home/builder/lib/android-ndk/ && \
rm -Rf toolchains/mips* && \ rm -Rf toolchains/mips* && \
rm -Rf sources/cxx-stl/gabi++ sources/cxx-stl/llvm-libc++* sources/cxx-stl/system/ sources/cxx-stl/stlport && \ rm -Rf sources/cxx-stl/gabi++ sources/cxx-stl/llvm-libc++* sources/cxx-stl/system/ sources/cxx-stl/stlport && \
cd platforms && ls | grep -v android-21 | xargs rm -Rf && \ cd platforms && ls | grep -v android-21 | xargs rm -Rf && \
cd /root/lib/android-sdk/tools && rm -Rf emulator* lib* proguard templates cd /home/builder/lib/android-sdk/tools && rm -Rf emulator* lib* proguard templates
# We expect this to be mounted with '-v $PWD:/home/builder/termux-packages':
WORKDIR /home/builder/termux-packages

10
scripts/run-docker.sh
View File

@ -1,10 +1,6 @@
#!/bin/sh #!/bin/sh
set -e -u set -e -u
# Read settings from .termuxrc if existing
test -f $HOME/.termuxrc && . $HOME/.termuxrc
: ${TERMUX_TOPDIR:="$HOME/.termux-build"}
IMAGE_NAME=termux/package-builder IMAGE_NAME=termux/package-builder
CONTAINER_NAME=termux-package-builder CONTAINER_NAME=termux-package-builder
@ -15,14 +11,14 @@ docker start $CONTAINER_NAME > /dev/null 2> /dev/null || {
docker run \ docker run \
-d \ -d \
--name $CONTAINER_NAME \ --name $CONTAINER_NAME \
-v $PWD:/root/termux-packages \ -v $PWD:/home/builder/termux-packages \
-t $IMAGE_NAME -t $IMAGE_NAME
} }
if [ "$#" -eq "0" ]; then if [ "$#" -eq "0" ]; then
docker exec -it $CONTAINER_NAME bash docker exec -i -t -u builder $CONTAINER_NAME bash
else else
docker exec -it $CONTAINER_NAME $@ docker exec -i -t -u builder $CONTAINER_NAME $@
fi fi