From 55eaa380364bb94097b269186288a35b8589c3d7 Mon Sep 17 00:00:00 2001
From: Tim Hockin
Date: Sat, 14 May 2016 22:58:23 -0700
Subject: [PATCH] Allow non-root build to write go code.
---
 build/common.sh | 31 +++++++++++++++++++++----------
 hack/update-generated-protobuf.sh | 2 +-
 2 files changed, 22 insertions(+), 11 deletions(-)
diff --git a/build/common.sh b/build/common.sh
index 2fe25fc6ae5..9f9c3e58f74 100755
--- a/build/common.sh
+++ b/build/common.sh
@@ -61,6 +61,7 @@ readonly KUBE_BUILD_IMAGE_CROSS_TAG="v1.6.2-2"
 readonly LOCAL_OUTPUT_ROOT="${KUBE_ROOT}/${OUT_DIR:-_output}"
 readonly LOCAL_OUTPUT_SUBPATH="${LOCAL_OUTPUT_ROOT}/dockerized"
 readonly LOCAL_OUTPUT_BINPATH="${LOCAL_OUTPUT_SUBPATH}/bin"
+readonly LOCAL_OUTPUT_GOPATH="${LOCAL_OUTPUT_SUBPATH}/go"
 readonly LOCAL_OUTPUT_IMAGE_STAGING="${LOCAL_OUTPUT_ROOT}/images"
 readonly OUTPUT_BINPATH="${CUSTOM_OUTPUT_BINPATH:-$LOCAL_OUTPUT_BINPATH}"
@@ -68,18 +69,13 @@ readonly OUTPUT_BINPATH="${CUSTOM_OUTPUT_BINPATH:-$LOCAL_OUTPUT_BINPATH}"
 readonly REMOTE_OUTPUT_ROOT="/go/src/${KUBE_GO_PACKAGE}/_output"
 readonly REMOTE_OUTPUT_SUBPATH="${REMOTE_OUTPUT_ROOT}/dockerized"
 readonly REMOTE_OUTPUT_BINPATH="${REMOTE_OUTPUT_SUBPATH}/bin"
+readonly REMOTE_OUTPUT_GOPATH="${REMOTE_OUTPUT_SUBPATH}/go"
 readonly DOCKER_MOUNT_ARGS_BASE=(
 --volume "${OUTPUT_BINPATH}:${REMOTE_OUTPUT_BINPATH}"
 --volume /etc/localtime:/etc/localtime:ro
 )
-# We create a Docker data container to cache incremental build artifacts.
-readonly REMOTE_OUTPUT_GOPATH="${REMOTE_OUTPUT_SUBPATH}/go"
-readonly DOCKER_DATA_MOUNT_ARGS=(
- --volume "${REMOTE_OUTPUT_GOPATH}"
-)
-
 # This is where the final release artifacts are created locally
 readonly RELEASE_STAGE="${LOCAL_OUTPUT_ROOT}/release-stage"
 readonly RELEASE_DIR="${LOCAL_OUTPUT_ROOT}/release-tars"
@@ -559,16 +555,31 @@ function kube::build::clean_images() {
 }
 function kube::build::ensure_data_container() {
- if ! "${DOCKER[@]}" inspect "${KUBE_BUILD_DATA_CONTAINER_NAME}" >/dev/null 2>&1; then
+ # If the data container exists AND exited successfully, we can use it.
+ # Otherwise nuke it and start over.
+ local ret=0
+ local code=$(docker inspect \
+ -f '{{.State.ExitCode}}' \
+ "${KUBE_BUILD_DATA_CONTAINER_NAME}" 2>/dev/null || ret=$?)
+ if [[ "${ret}" == 0 && "${code}" != 0 ]]; then
+ kube::build::destroy_container "${KUBE_BUILD_DATA_CONTAINER_NAME}"
+ ret=1
+ fi
+ if [[ "${ret}" != 0 ]]; then
 kube::log::status "Creating data container ${KUBE_BUILD_DATA_CONTAINER_NAME}"
+ # We have to ensure the directory exists, or else the docker run will
+ # create it as root.
+ mkdir -p "${LOCAL_OUTPUT_GOPATH}"
+ # We want this to run as root to be able to chown, so non-root users can
+ # later use the result as a data container. This run both creates the data
+ # container and chowns the GOPATH.
 local -ra docker_cmd=(
 "${DOCKER[@]}" run
- "${DOCKER_DATA_MOUNT_ARGS[@]}"
+ --volume "${REMOTE_OUTPUT_GOPATH}"
 --name "${KUBE_BUILD_DATA_CONTAINER_NAME}"
- --user "$(id -u):$(id -g)"
 --hostname "${HOSTNAME}"
 "${KUBE_BUILD_IMAGE}"
- true
+ chown -R $(id -u).$(id -g) "${REMOTE_OUTPUT_GOPATH}"
 )
 "${docker_cmd[@]}"
 fi
diff --git a/hack/update-generated-protobuf.sh b/hack/update-generated-protobuf.sh
index 78ef8757f3b..01080bb376a 100755
--- a/hack/update-generated-protobuf.sh
+++ b/hack/update-generated-protobuf.sh
@@ -31,7 +31,7 @@ function prereqs() {
 fi
 kube::build::ensure_docker_daemon_connectivity || return 1
- KUBE_ROOT_HASH=$(kube::build::short_hash "${HOSTNAME:-}:${REPO_DIR:-${KUBE_ROOT}}/go-to-protobuf")
+ KUBE_ROOT_HASH=$(kube::build::short_hash "${HOSTNAME:-}:${REPO_DIR:-${KUBE_ROOT}}")
 KUBE_BUILD_IMAGE_TAG="build-${KUBE_ROOT_HASH}"
 KUBE_BUILD_IMAGE="${KUBE_BUILD_IMAGE_REPO}:${KUBE_BUILD_IMAGE_TAG}"
 KUBE_BUILD_CONTAINER_NAME="kube-build-${KUBE_ROOT_HASH}"
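Review bot: In `kube::build::ensure_data_container`, `ret=$?` sits inside the `$(...)` command substitution, so it runs in a subshell and the outer `ret` stays 0 even when `docker inspect` fails; the missing-container case only reaches the create path because an empty `code` compares unequal to 0, and on the way it calls `kube::build::destroy_container` on a container that does not exist. Declaring and assigning separately makes the status visible: `local code` followed by `code=$("${DOCKER[@]}" inspect -f '{{.State.ExitCode}}' "${KUBE_BUILD_DATA_CONTAINER_NAME}" 2>/dev/null) || ret=$?`. That form also returns to the `"${DOCKER[@]}"` wrapper the removed line used, whereas the new code calls bare `docker` and would ignore any options carried in that array. Since this container now runs as root, the unquoted `chown -R $(id -u).$(id -g)` element is worth tightening to `"$(id -u):$(id -g)"`, the form the removed `--user` line already had. The function's closing brace is outside the hunk.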
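Review bot: The `KUBE_ROOT_HASH` input in `prereqs` loses its `/go-to-protobuf` suffix, so the image tag and container name derived from it are no longer specific to this script, and nothing at the assignment says why. If the intent is to reuse the main build's image and data container, a comment would keep the two from drifting, e.g. `# Hash input must match the one build/common.sh uses so this script reuses the same build image and data container.` Whether build/common.sh hashes exactly this string is not visible here, so confirm that before relying on it. `prereqs` continues outside the hunk.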