Merge pull request #38 from david-caro/use_non_root

Use non-root for python-base
inspirehep · May 24, 2017 · bd66100 · bd66100
2 parents 17caebe + 6b33742
commit bd66100
Show file tree

Hide file tree

Showing 5 changed files with 131 additions and 22 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -5,11 +5,12 @@ services:
 
 env:
  global:
- - DOCKER_VERSION=1.12.3-0~trusty
- - DOCKER_COMPOSE_VERSION=1.9.0
- - secure: B2o+OVhyzRFr0SvLl18FtTT6DO6+d69BizgULki5MTgMdxGJrVAEoj+AAl5edwJwjN6MZ4OiSCLoauKHjjlHjZT2A0J8wMHGCAD3IpdpZ9wacw0qjkNKkUXDRTdFycDXVTngHn0YJ++tA7kHG98DAkRq7YfWrsb5kxxFo54Gl8UkvWpOxKx0nd6n1d4/OooKYhSXaPKPcZ/Mpa/LR1/O2xC61RBYrzk3DPlFmW5+4F2iSKh7ALPd92joyDsxRnOuVcQU/aCb6fUPwVH7znn2Rw9i8pwCYNXoJdNzM0DvyV4tFf1aigsHS7uGRFtzXGSe57MEoJl7prCbHKjHLZ+ZrOgay4CmYmpdEAYKTJwNPdM1mm80wftYfyo3kMynDoJU82wvGwlQ4ZDYckvJ11XVKASLO40QNxLiZaOCs++R4WExVbK2yNGMUyoC26Z7pJl2t5FGEdBjr73Ee19NslwFgGBsI5IE1JG7SToFFVaQiwIKuuTEQX81JZFsihpv8SgaAFj2Ur6D50yh4YnUbau7f2wei6xHlKg+GGYQsMweYxXQUrAzdr5igOrb3AJ3dW8h9vH6LIERlblImbvAFu0xFl0dK1Bbv6TkB908DVtN1JzrcN1iu9ca6cXyIfuSkR8cBQ/DK3Ih8s/V1slq1Qf71ydt1a+TVT95rtq1StnneD0=
- - secure: TPae1TtBCdNxaZprJ6H1gsyyznJ+JSKqAJOz/b4GatG4+yru2JWjc6HSXWMQ6MGQtyyxJpq5PRlnNH9HFRc7OSe4KgmDd8CkwJBXFV8qK1cRXKgiG7X75gIcRx4RCLw5z2VcmNc2cdq7Zh4y/1q1kmRrlqMqEF/c8/k/+naenffy6W6bqbL0rWfGmyQJ6YaxZCUuqfWVPzAbwR81tAhIuSj5I9/eKKjpmtc5Z/yZ990zl7zFz8j4Fn96Vv+qeDwumLHlK9DP9t1I13IW05jZY1TRnCSw0qRTpdXdEM0Cdzhmb9rBe10MikkHhhEkmxlv6gNSkDdupJniUi7ETdWUrfq6rzDRGBrCpce273aq2mykH8+Cqb76L6iD20nbPNm01/W65Td/E51XrYK4gSa9ZgBDddpoG4vk0kiZq96N3a/vLf4c8e7zwOxT2HIk2SECgan2pGbs5wCrUN5g+hdLaDVn8XqZdlFPfs5FKL8Yu9tNlarFWz9aqpRwvDZc3u8ikIFukCgouQZvcd5srH69ZCZB8kV5TUWWBO2UZVKv5K+7Ym+5HdLNYdUsA0fCVxIS+0u6UqT7w7JWkCANXICubAfEqpNB68CKrxMjSAlzxoBxpWlS+Wu0NLfoHQYw8m1xdrHax2hCIYsEXvmuAi7Z8qtNdWBn8XK9wcEQaLFdGVo=
- - secure: sI+rBt9WC8ag/iL3ul6Onz8mQhj9UDjqLGqOXowN3fg5ElCm7wI6gXEaFhAt+LABL9Fu62YTr8U5OZkkj2EoVvyzKQBMcV89g460CJh077dNVrmbM2Ot3vMm0iMnsGtRHA4rODLFicdUKVinKP8tJfrw3BWCGA20+ZI10oD8JOeqiMSu3hjYrS8uNMdkcvRV6xKWa5ABr/fDbLo9ErcHKSKavpUPD+3G+WKsW6BdGC8IhA5qwLYWDQeUZez/Yi2ry2clgGloW1GhYf/h+LAdxOw9lDTs+AmRlWmQgv7bszF5vbnKXHXnAVPxvk+VC9v06XLR8PpFjQCJwrU52wZFTjxvOXw/vgyrMcEWQiDQmPbSo1cBI5cE6E4TAvcvwbUlvCBuBMg44SSoBecj7WsnigzRdUQh5m4UeFOpR548yRjsckwONcT6DZah01lLKdcziyOLy28SPxbfnyoV3A0CMfobrPijfYF55hFMkdz8wD4As0IYS+OcFe9nLEcCWQYTClaUqFsdX62oFkUoDRvR0F+pYH/HTttt8LscXaxjUn+KQtLmcANEVf28vnR1foT2WNCyIK9zV3Hepd/2w0Xi88kCM/sTPEu7ON/3BfD4Gv6vu3a3nSthHwUIacQGn4LsPegVKG6Mymc4bj7YQCZjPO9L+qxqZ3zSWpg5ziXQvVc=
+ - DOCKER_DATA=/tmp/data
+ - DOCKER_VERSION=1.12.3-0~trusty
+ - DOCKER_COMPOSE_VERSION=1.9.0
+ - secure: B2o+OVhyzRFr0SvLl18FtTT6DO6+d69BizgULki5MTgMdxGJrVAEoj+AAl5edwJwjN6MZ4OiSCLoauKHjjlHjZT2A0J8wMHGCAD3IpdpZ9wacw0qjkNKkUXDRTdFycDXVTngHn0YJ++tA7kHG98DAkRq7YfWrsb5kxxFo54Gl8UkvWpOxKx0nd6n1d4/OooKYhSXaPKPcZ/Mpa/LR1/O2xC61RBYrzk3DPlFmW5+4F2iSKh7ALPd92joyDsxRnOuVcQU/aCb6fUPwVH7znn2Rw9i8pwCYNXoJdNzM0DvyV4tFf1aigsHS7uGRFtzXGSe57MEoJl7prCbHKjHLZ+ZrOgay4CmYmpdEAYKTJwNPdM1mm80wftYfyo3kMynDoJU82wvGwlQ4ZDYckvJ11XVKASLO40QNxLiZaOCs++R4WExVbK2yNGMUyoC26Z7pJl2t5FGEdBjr73Ee19NslwFgGBsI5IE1JG7SToFFVaQiwIKuuTEQX81JZFsihpv8SgaAFj2Ur6D50yh4YnUbau7f2wei6xHlKg+GGYQsMweYxXQUrAzdr5igOrb3AJ3dW8h9vH6LIERlblImbvAFu0xFl0dK1Bbv6TkB908DVtN1JzrcN1iu9ca6cXyIfuSkR8cBQ/DK3Ih8s/V1slq1Qf71ydt1a+TVT95rtq1StnneD0=
+ - secure: TPae1TtBCdNxaZprJ6H1gsyyznJ+JSKqAJOz/b4GatG4+yru2JWjc6HSXWMQ6MGQtyyxJpq5PRlnNH9HFRc7OSe4KgmDd8CkwJBXFV8qK1cRXKgiG7X75gIcRx4RCLw5z2VcmNc2cdq7Zh4y/1q1kmRrlqMqEF/c8/k/+naenffy6W6bqbL0rWfGmyQJ6YaxZCUuqfWVPzAbwR81tAhIuSj5I9/eKKjpmtc5Z/yZ990zl7zFz8j4Fn96Vv+qeDwumLHlK9DP9t1I13IW05jZY1TRnCSw0qRTpdXdEM0Cdzhmb9rBe10MikkHhhEkmxlv6gNSkDdupJniUi7ETdWUrfq6rzDRGBrCpce273aq2mykH8+Cqb76L6iD20nbPNm01/W65Td/E51XrYK4gSa9ZgBDddpoG4vk0kiZq96N3a/vLf4c8e7zwOxT2HIk2SECgan2pGbs5wCrUN5g+hdLaDVn8XqZdlFPfs5FKL8Yu9tNlarFWz9aqpRwvDZc3u8ikIFukCgouQZvcd5srH69ZCZB8kV5TUWWBO2UZVKv5K+7Ym+5HdLNYdUsA0fCVxIS+0u6UqT7w7JWkCANXICubAfEqpNB68CKrxMjSAlzxoBxpWlS+Wu0NLfoHQYw8m1xdrHax2hCIYsEXvmuAi7Z8qtNdWBn8XK9wcEQaLFdGVo=
+ - secure: sI+rBt9WC8ag/iL3ul6Onz8mQhj9UDjqLGqOXowN3fg5ElCm7wI6gXEaFhAt+LABL9Fu62YTr8U5OZkkj2EoVvyzKQBMcV89g460CJh077dNVrmbM2Ot3vMm0iMnsGtRHA4rODLFicdUKVinKP8tJfrw3BWCGA20+ZI10oD8JOeqiMSu3hjYrS8uNMdkcvRV6xKWa5ABr/fDbLo9ErcHKSKavpUPD+3G+WKsW6BdGC8IhA5qwLYWDQeUZez/Yi2ry2clgGloW1GhYf/h+LAdxOw9lDTs+AmRlWmQgv7bszF5vbnKXHXnAVPxvk+VC9v06XLR8PpFjQCJwrU52wZFTjxvOXw/vgyrMcEWQiDQmPbSo1cBI5cE6E4TAvcvwbUlvCBuBMg44SSoBecj7WsnigzRdUQh5m4UeFOpR548yRjsckwONcT6DZah01lLKdcziyOLy28SPxbfnyoV3A0CMfobrPijfYF55hFMkdz8wD4As0IYS+OcFe9nLEcCWQYTClaUqFsdX62oFkUoDRvR0F+pYH/HTttt8LscXaxjUn+KQtLmcANEVf28vnR1foT2WNCyIK9zV3Hepd/2w0Xi88kCM/sTPEu7ON/3BfD4Gv6vu3a3nSthHwUIacQGn4LsPegVKG6Mymc4bj7YQCZjPO9L+qxqZ3zSWpg5ziXQvVc=
 
 before_install:
  # List available docker versions.

diff --git a/build.sh b/build.sh
@@ -70,6 +70,15 @@ parse_options(){
 }
 
 
+build_venv_rights_fixer() {
+ cd python_base
+ gcc -o fix_venv_rights fix_venv_rights.c
+ local res=$?
+ cd -
+ return "$res"
+}
+
+
 main(){
  parse_options "$@"
  # fail on unset variables expansion
@@ -81,6 +90,9 @@ main(){
  TAG="$DOCKER_PROJECT:dev.$TRAVIS_BRANCH-$DOCKER_IMAGE_TAG"
  fi
 
+ echo "Building venv rights fixer binary"
+ build_venv_rights_fixer
+
  echo "Building image $TAG"
  retry docker build -f "$DOCKERFILE" $ARGS -t "$TAG" .
 }

diff --git a/python_base/Dockerfile b/python_base/Dockerfile
@@ -51,10 +51,13 @@ RUN npm install -g \
  requirejs \
  uglify-js
 
+RUN mkdir /code /deps /tmpvenv /src-cache /pip-cache
+
+
 ARG INSPIRE_PYTHON_VERSION
 ENV INSPIRE_PYTHON_VERSION ${INSPIRE_PYTHON_VERSION:-2.7}
 
-RUN virtualenv /tmpvenv -p python${INSPIRE_PYTHON_VERSION} && \
+RUN virtualenv -v /tmpvenv -p python${INSPIRE_PYTHON_VERSION} && \
  . /tmpvenv/bin/activate && \
  pip install --upgrade pip && \
  pip install --upgrade setuptools wheel && \
@@ -72,16 +75,21 @@ RUN virtualenv /tmpvenv -p python${INSPIRE_PYTHON_VERSION} && \
  pip wheel --wheel-dir /pip-cache -r requirements-all.txt --pre && \
  pip install --find-links /pip-cache -r requirements.txt --pre -e .[tests,crawler,docs] gunicorn --exists-action i && \
  pip uninstall -y Inspirehep && \
- mkdir /deps && \
  pip freeze > /deps/deps.txt && \
  deactivate && \
  mv /tmpvenv/src /src-cache && \
  rm -rf /tmpvenv && \
- mkdir /code && \
  dbus-uuidgen > /etc/machine-id
 
-WORKDIR /code
 
+RUN useradd test
+RUN chown -R test:test /code /deps /src-cache /pip-cache
+# This allows us to change the venv rights after it has been created
 ADD ./python_base/docker_entrypoint.sh /docker_entrypoint.sh
+ADD ./python_base/fix_venv_rights /fix_venv_rights
+RUN chmod 4755 /fix_venv_rights
+
+USER test
+WORKDIR /code
 ENTRYPOINT ["/docker_entrypoint.sh"]
 CMD true
diff --git a/python_base/docker_entrypoint.sh b/python_base/docker_entrypoint.sh
@@ -1,9 +1,9 @@
-#!/bin/bash
-
+#!/bin/bash -ei
+#
 # -*- coding: utf-8 -*-
 #
 # This file is part of INSPIRE.
-# Copyright (C) 2016 CERN.
+# Copyright (C) 2017 CERN.
 #
 # INSPIRE is free software: you can redistribute it and/or modify
 # it under the terms of the GNU General Public License as published by
@@ -21,19 +21,73 @@
 # In applying this licence, CERN does not waive the privileges and immunities
 # granted to it by virtue of its status as an Intergovernmental Organization
 # or submit itself to any jurisdiction.
+#
+# Note on the usage of signal handlers.
+#
+# In order to be able to restore the ownership of the venv at the end, we have
+# to declare it as a trap for the EXIT signal, that forces us to not use
+# 'exec' for the wrapped command, and that leads us to manually having to
+# forward also the SIGTERM and SIGINT signals.
+set -me
+
+VENV_PATH=/virtualenv
+
+
+restore_venv_rights() {
+ if [[ "$BASE_USER_UID" != "" ]]; then
+ BASE_USER_GID="${BASE_USER_GID:-$BASE_USER_UID}"
+ echo "Restoring permissions of venv to $BASE_USER_UID:$BASE_USER_GID"
+ /fix_venv_rights "$BASE_USER_UID:$BASE_USER_GID"
+ else
+ echo "No BASE_USER_UID env var defined, skipping venv permission" \
+ "restore."
+ fi
+}
+
+forward_sigterm() {
+ echo "Forwarding SIGTERM to $child"
+ kill -SIGTERM "$child" &>/dev/null
+ trap forward_sigterm SIGTERM
+ wait "$child"
+}
 
-set -e
 
-if [ ! -f /virtualenv/bin/activate ]; then
- virtualenv /virtualenv -p python${INSPIRE_PYTHON_VERSION}
- source /virtualenv/bin/activate
+forward_sigint() {
+ echo "Forwarding SIGINT to $child"
+ kill -SIGINT "$child" &>/dev/null
+ trap forward_sigint SIGINT
+ wait "$child"
+}
+
+
+prepare_venv() {
+ virtualenv "$VENV_PATH" -p "python${INSPIRE_PYTHON_VERSION}"
+ source "$VENV_PATH"/bin/activate
  pip install --upgrade pip
  pip install --upgrade setuptools wheel
- cp -r /src-cache /virtualenv/src
-else
- source /virtualenv/bin/activate
-fi
+ cp -r /src-cache "$VENV_PATH"/src
+}
+
+
+main() {
+ /fix_venv_rights 'test:test'
+ trap restore_venv_rights EXIT
+
+ if ! [[ -f "$VENV_PATH/bin/activate" ]]; then
+ prepare_venv
+ else
+ source "$VENV_PATH"/bin/activate
+ fi
+
+ find \( -name __pycache__ -o -name '*.pyc' \) -delete
+
+ trap forward_sigterm SIGTERM
+ trap forward_sigint SIGINT
+
+ "$@" &
+ child="$!"
+ fg >/dev/null
+}
 
-find \( -name __pycache__ -o -name '*.pyc' \) | xargs rm -rf
 
-exec "$@"
+main "$@"
diff --git a/python_base/fix_venv_rights.c b/python_base/fix_venv_rights.c
@@ -0,0 +1,34 @@
+// This is needed to be able to run with suid enabled, as most modern linuxes
+// don't honoor it on scripts (shell, python, ...) due to security reasons.
+#include <stdlib.h>
+#include <stdio.h>
+#include <unistd.h>
+#include <sys/wait.h>
+
+// This path is hardcoded because we don't need it to be flexible, and that
+// simplifies this program security-wise.
+char *VENV_PATH = "/virtualenv/";
+
+
+int main (int argc, char *argv[]) {
+ char *chown_argv[] = {
+ "/usr/bin/chown",
+ "--recursive",
+ NULL,
+ // This will be replaced by the <uid:gid> passed as argument.
+ VENV_PATH,
+ NULL
+ // This last NULL is required to 'flag' the end of the options.
+ };
+ char *chown_env[] = { NULL };
+ int status;
+ int cureuid;
+
+ if (argc != 2) {
+ fprintf(stderr, "Usage: %s <user>:<gorup>\n", argv[0]);
+ exit(EXIT_FAILURE);
+ }
+
+ chown_argv[2] = argv[1];
+ execve(chown_argv[0], chown_argv, chown_env);
+}