Bug 1426445: Add sanity check that worker uid/gid is 1000 in run-task; r?dustin,gps
MozReview-Commit-ID: 7T7rQpLhJIN
--- a/taskcluster/docker/debian-base/Dockerfile
+++ b/taskcluster/docker/debian-base/Dockerfile
@@ -1,17 +1,17 @@
# %ARG DIST
# %ARG BASE_TAG
FROM debian:$DIST-$BASE_TAG
MAINTAINER Mike Hommey <mhommey@mozilla.com>
### Add worker user and setup its workspace.
RUN mkdir /builds && \
- groupadd -g 500 worker && \
- useradd -u 500 -g 500 -d /builds/worker -s /bin/bash -m worker && \
+ groupadd -g 1000 worker && \
+ useradd -u 1000 -g 1000 -d /builds/worker -s /bin/bash -m worker && \
mkdir -p /builds/worker/workspace && \
chown -R worker:worker /builds
# Declare default working folder
WORKDIR /builds/worker
# Set variable normally configured at login, by the shells parent process, these
# are taken from GNU su manual
--- a/taskcluster/docker/google-play-strings/Dockerfile
+++ b/taskcluster/docker/google-play-strings/Dockerfile
@@ -1,14 +1,14 @@
FROM ubuntu:16.04
MAINTAINER Johan Lorenzo <jlorenzo+tc@mozilla.com>
RUN mkdir /builds
-RUN groupadd -g 500 worker
-RUN useradd -u 500 -g 500 -d /builds/worker -s /bin/bash -m worker
+RUN groupadd -g 1000 worker
+RUN useradd -u 1000 -g 1000 -d /builds/worker -s /bin/bash -m worker
RUN apt-get update
RUN apt-get install --yes git python3-setuptools build-essential libssl-dev libffi-dev python3-dev
WORKDIR /builds/worker/
RUN git clone https://github.com/mozilla-releng/mozapkpublisher
WORKDIR /builds/worker/mozapkpublisher
RUN python3 setup.py develop
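Review bot: The two new `RUN groupadd` / `RUN useradd` lines create the worker account across two layers, whereas the debian-base Dockerfile in this same commit does it in one chained RUN; the split buys nothing (neither line is independently cacheable in a useful way) and leaves the two images inconsistent. I would fold them as `RUN groupadd -g 1000 worker && useradd -u 1000 -g 1000 -d /builds/worker -s /bin/bash -m worker`. Note also that `useradd -u 1000` fails hard if the base image already ships a uid-1000 account, which is fine here (the build stops loudly rather than silently picking another id) but worth a one-line comment such as `# uid/gid 1000 is required by run-task; a clash with a pre-existing uid 1000 user fails the build on purpose`.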
--- a/taskcluster/docker/recipes/run-task
+++ b/taskcluster/docker/recipes/run-task
@@ -277,16 +277,23 @@ def main(args):
return 1
try:
group = grp.getgrnam(args.group)
except KeyError:
print('could not find group %s; specify --group to a known group' %
args.group)
return 1
+ if user.pw_name == 'worker' and user.pw_uid != 1000:
+ print('user `worker` must have uid=1000.')
+ return 1
+ if group.gr_name == 'worker' and group.gr_gid != 1000:
+ print('group `worker` must have gid=1000.')
+ return 1
+
# Find all groups to which this user is a member.
gids = [g.gr_gid for g in grp.getgrall() if args.group in g.gr_mem]
uid = user.pw_uid
gid = group.gr_gid
else:
uid = gid = gids = None
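Review bot: The new uid/gid guard gives no hint why 1000 is the only acceptable value, so the next image author who picks a different id will see "user `worker` must have uid=1000." without knowing what would break; a short comment above the first `if` should carry the reason, e.g. `# Caches are shared across images and their contents are owned by uid/gid 1000 (matching the worker user in docker/*/Dockerfiles); a 'worker' with any other id would hit permission errors or leave files other images cannot clean up.` — the cache_version bump in task.py in this same commit suggests that is the motivation, but I am inferring it, so confirm before committing the wording. The check is keyed on the literal name `worker`, so an image whose task user has another name is not checked at all; if that is intentional, say so in the same comment. The `user` entry compared here is looked up above the hunk, and the enclosing `if`/`else` in main() starts outside it.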
--- a/taskcluster/docker/update-verify/Dockerfile
+++ b/taskcluster/docker/update-verify/Dockerfile
@@ -5,18 +5,18 @@ MAINTAINER release@mozilla.com
RUN dpkg --add-architecture i386 && apt-get -q update \
# p7zip-full is for extracting Windows and OS X packages
# wget is for downloading update.xml, installers, and MARs
# libgtk-3-0 and libgtk2.0-0 are required to run the Firefox updater
&& apt-get -q --yes install p7zip-full wget libgtk-3-0 libgtk-3.0:i386 libgtk2.0-0 libgtk2.0-0:i386 \
&& apt-get clean
RUN mkdir /builds
-RUN groupadd -g 500 worker
-RUN useradd -u 500 -g 500 -d /builds/worker -s /bin/bash -m worker
+RUN groupadd -g 1000 worker
+RUN useradd -u 1000 -g 1000 -d /builds/worker -s /bin/bash -m worker
WORKDIR /builds/worker
VOLUME /builds/worker/.cache
VOLUME /builds/worker/checkouts
RUN mkdir /build
# %include python/mozbuild/mozbuild/action/tooltool.py
ADD topsrcdir/python/mozbuild/mozbuild/action/tooltool.py /build/tooltool.py
--- a/taskcluster/taskgraph/transforms/task.py
+++ b/taskcluster/taskgraph/transforms/task.py
@@ -869,17 +869,17 @@ def build_docker_worker_payload(config,
# the run-task content into the cache name. However, doing so preserves
# the mechanism whereby changing run-task results in new caches
# everywhere.
# As an additional mechanism to force the use of different caches, the
# string literal in the variable below can be changed. This is
# preferred to changing run-task because it doesn't require images
# to be rebuilt.
- cache_version = 'v2'
+ cache_version = 'v3'
if run_task:
suffix = '-%s-%s' % (cache_version, _run_task_suffix())
if out_of_tree_image:
name_hash = hashlib.sha256(out_of_tree_image).hexdigest()
suffix += name_hash[0:12]