Merge branch 'develop' into main

clemlesne · Jun 19, 2023 · 126f5f6 · 126f5f6
2 parents 1bc1447 + 28b8f1d
commit 126f5f6
Show file tree

Hide file tree

Showing 8 changed files with 74 additions and 105 deletions.
diff --git a/.github/workflows/pipeline.yaml b/.github/workflows/pipeline.yaml
@@ -273,12 +273,12 @@ jobs:
 
       - name: Setup QEMU
         id: setup-qemu
-        uses: docker/setup-qemu-action@v2.1.0
+        uses: docker/setup-qemu-action@v2.2.0
         with:
           platforms: ${{ matrix.arch }}
 
       - name: Setup Docker Buildx
-        uses: docker/setup-buildx-action@v2.5.0
+        uses: docker/setup-buildx-action@v2.7.0
         with:
           version: v${{ env.BUILDX_VERSION }}
           driver-opts: |
@@ -291,14 +291,14 @@ jobs:
           node-version: ${{ env.NODE_VERSION }}
 
       - name: Login to registry - GitHub
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v2.2.0
         with:
           registry: ${{ env.CONTAINER_REGISTRY_GHCR }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to registry - Docker Hub
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v2.2.0
         with:
           registry: ${{ env.CONTAINER_REGISTRY_DOCKER_HUB }}
           username: clemlesne
@@ -447,14 +447,14 @@ jobs:
           echo "version_full=$(powershell cicd/version/version.ps1 -g . -c -m)" >> $Env:GITHUB_OUTPUT
 
       - name: Login to registry - GitHub
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v2.2.0
         with:
           registry: ${{ env.CONTAINER_REGISTRY_GHCR }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to registry - Docker Hub
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v2.2.0
         with:
           registry: ${{ env.CONTAINER_REGISTRY_DOCKER_HUB }}
           username: clemlesne
@@ -620,14 +620,14 @@ jobs:
           version: ${{ env.ORAS_VERSION }}
 
       - name: Login to registry - GitHub
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v2.2.0
         with:
           registry: ${{ env.CONTAINER_REGISTRY_GHCR }}
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
       - name: Login to registry - Docker Hub
-        uses: docker/login-action@v2.1.0
+        uses: docker/login-action@v2.2.0
         with:
           registry: ${{ env.CONTAINER_REGISTRY_DOCKER_HUB }}
           username: clemlesne

diff --git a/src/docker/Dockerfile-bookworm b/src/docker/Dockerfile-bookworm
@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:8.0-preview-bookworm-slim as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-USER root
+ENV USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -177,7 +177,9 @@ RUN mkdir -p ${AZP_HOME} \
     && cd ${AZP_HOME} \
     && chmod +x run-docker.sh config.sh \
     && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \
-    && rm -rf _diag
+    && rm -rf _diag \
+    # Allow local user to R/W to agent home
+    && chmod -R a+w .
 ENV AZP_WORK ${HOME}/azp-work
 ENV AZP_CUSTOM_CERT_PEM ${HOME}/azp-custom-certs
 
@@ -188,23 +190,17 @@ RUN rm arch.sh
 ENV PYTHONDONTWRITEBYTECODE=
 ENV PIP_BREAK_SYSTEM_PACKAGES=
 
-# Configure startup
-COPY uid_entrypoint.sh /
-RUN chmod a=rx /uid_entrypoint.sh \
-    && chmod a+w /etc/passwd /etc/shadow
-ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
-
 # Configure local user
-ENV USER app-user
-RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
-    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
+RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && chown -R ${USER} /run/user/0 ${HOME} \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
+USER 0:0
+ENV XDG_RUNTIME_DIR=/run/user/0
 ENV TMPDIR=${HOME}/.local/tmp
+ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
-
 # Run as exec form, so that it can receive signals from Tini
-USER ${USER}
 CMD ["bash", "start.sh"]
diff --git a/src/docker/Dockerfile-bullseye b/src/docker/Dockerfile-bullseye
@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-bullseye-slim as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-USER root
+ENV USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -148,6 +148,7 @@ ENV TINI_VERSION ${TINI_VERSION}
 RUN curl -LsSf --retry 3 https://github.com/krallin/tini/releases/download/v${TINI_VERSION}/tini-$(ARCH_X64=amd64 bash arch.sh) -o /tini \
     && chmod +x /tini \
     && /tini --version
+ENTRYPOINT ["/tini", "--"]
 
 # Install BuildKit, then verify installation
 ARG BUILDKIT_VERSION
@@ -173,7 +174,9 @@ RUN mkdir -p ${AZP_HOME} \
     && cd ${AZP_HOME} \
     && chmod +x run-docker.sh config.sh \
     && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \
-    && rm -rf _diag
+    && rm -rf _diag \
+    # Allow local user to R/W to agent home
+    && chmod -R a+w .
 ENV AZP_WORK ${HOME}/azp-work
 ENV AZP_CUSTOM_CERT_PEM ${HOME}/azp-custom-certs
 
@@ -183,23 +186,17 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
-# Configure startup
-COPY uid_entrypoint.sh /
-RUN chmod a=rx /uid_entrypoint.sh \
-    && chmod a+w /etc/passwd /etc/shadow
-ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
-
 # Configure local user
-ENV USER app-user
-RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
-    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
+RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && chown -R ${USER} /run/user/0 ${HOME} \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
+USER 0:0
+ENV XDG_RUNTIME_DIR=/run/user/0
 ENV TMPDIR=${HOME}/.local/tmp
+ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
-
 # Run as exec form, so that it can receive signals from Tini
-USER ${USER}
 CMD ["bash", "start.sh"]
diff --git a/src/docker/Dockerfile-focal b/src/docker/Dockerfile-focal
@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-focal as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-USER root
+ENV USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -173,10 +173,10 @@ RUN mkdir -p ${AZP_HOME} \
     && cd ${AZP_HOME} \
     && chmod +x run-docker.sh config.sh \
     && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \
-    && rm -rf _diag
+    && rm -rf _diag \
+    # Allow local user to R/W to agent home
+    && chmod -R a+w .
 ENV AZP_WORK ${HOME}/azp-work
-
-# Define path for the custom SSL certificate
 ENV AZP_CUSTOM_CERT_PEM ${HOME}/azp-custom-certs
 
 # Cleanup helper script
@@ -185,23 +185,17 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
-# Configure startup
-COPY uid_entrypoint.sh /
-RUN chmod a=rx /uid_entrypoint.sh \
-    && chmod a+w /etc/passwd /etc/shadow
-ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
-
 # Configure local user
-ENV USER app-user
-RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
-    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
+RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && chown -R ${USER} /run/user/0 ${HOME} \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
+USER 0:0
+ENV XDG_RUNTIME_DIR=/run/user/0
 ENV TMPDIR=${HOME}/.local/tmp
+ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
-
 # Run as exec form, so that it can receive signals from Tini
-USER ${USER}
 CMD ["bash", "start.sh"]
diff --git a/src/docker/Dockerfile-jammy b/src/docker/Dockerfile-jammy
@@ -4,7 +4,7 @@ FROM mcr.microsoft.com/dotnet/aspnet:6.0-jammy as base
 ENV DEBIAN_FRONTEND noninteractive
 
 # Configure local user
-USER root
+ENV USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -181,10 +181,10 @@ RUN mkdir -p ${AZP_HOME} \
     && cd ${AZP_HOME} \
     && chmod +x run-docker.sh config.sh \
     && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \
-    && rm -rf _diag
+    && rm -rf _diag \
+    # Allow local user to R/W to agent home
+    && chmod -R a+w .
 ENV AZP_WORK ${HOME}/azp-work
-
-# Define path for the custom SSL certificate
 ENV AZP_CUSTOM_CERT_PEM ${HOME}/azp-custom-certs
 
 # Cleanup helper script
@@ -193,23 +193,17 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
-# Configure startup
-COPY uid_entrypoint.sh /
-RUN chmod a=rx /uid_entrypoint.sh \
-    && chmod a+w /etc/passwd /etc/shadow
-ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
-
 # Configure local user
-ENV USER app-user
-RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
-    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
+RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && chown -R ${USER} /run/user/0 ${HOME} \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
+USER 0:0
+ENV XDG_RUNTIME_DIR=/run/user/0
 ENV TMPDIR=${HOME}/.local/tmp
+ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
-
 # Run as exec form, so that it can receive signals from Tini
-USER ${USER}
 CMD ["bash", "start.sh"]
diff --git a/src/docker/Dockerfile-ubi8 b/src/docker/Dockerfile-ubi8
@@ -1,7 +1,7 @@
 FROM registry.access.redhat.com/ubi8/ubi-minimal:8.8 as base
 
 # Configure local user
-USER root
+ENV USER root
 ENV HOME /app-root
 
 # Avoid Python cache during build
@@ -172,10 +172,10 @@ RUN mkdir -p ${AZP_HOME} \
     && cd ${AZP_HOME} \
     && chmod +x run-docker.sh config.sh \
     && AGENT_ALLOW_RUNASROOT="1" bash run-docker.sh --version \
-    && rm -rf _diag
+    && rm -rf _diag \
+    # Allow local user to R/W to agent home
+    && chmod -R a+w .
 ENV AZP_WORK ${HOME}/azp-work
-
-# Define path for the custom SSL certificate
 ENV AZP_CUSTOM_CERT_PEM ${HOME}/azp-custom-certs
 
 # Cleanup helper script
@@ -184,23 +184,17 @@ RUN rm arch.sh
 # Reset Python configs to default
 ENV PYTHONDONTWRITEBYTECODE=
 
-# Configure startup
-COPY uid_entrypoint.sh /
-RUN chmod a=rx /uid_entrypoint.sh \
-    && chmod a+w /etc/passwd /etc/shadow
-ENTRYPOINT ["/tini", "--", "/uid_entrypoint.sh"]
-
 # Configure local user
-ENV USER app-user
-RUN mkdir -p ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
-    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid \
-    && echo "${USER} ALL=(ALL) NOPASSWD:ALL" >>/etc/sudoers
+RUN mkdir -p /run/user/0 ${HOME}/.local/tmp ${HOME}/.local/share/buildkit \
+    && chown -R ${USER} /run/user/0 ${HOME} \
+    && echo ${USER}:100000:65536 | tee /etc/subuid | tee /etc/subgid
+USER 0:0
+ENV XDG_RUNTIME_DIR=/run/user/0
 ENV TMPDIR=${HOME}/.local/tmp
+ENV BUILDKIT_HOST=unix:///run/user/0/buildkit/buildkitd.sock
 
 # Install Azure Pipelines Agent startup script
 WORKDIR ${AZP_HOME}
 COPY start.sh .
-
 # Run as exec form, so that it can receive signals from Tini
-USER ${USER}
 CMD ["bash", "start.sh"]
diff --git a/src/docker/uid_entrypoint.sh b/src/docker/uid_entrypoint.sh
diff --git a/src/helm/azure-pipelines-agent/templates/_helpers.tpl b/src/helm/azure-pipelines-agent/templates/_helpers.tpl
@@ -74,6 +74,18 @@ Create the name of the Secret to use.
 {{- end }}
 {{- end }}
 
+{{/*
+Default PodSecurytyContext object to apply to containers.
+
+Can be overriden by setting ".Values.podSecurityContext".
+
+See: https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#podsecuritycontext-v1-core
+*/}}
+{{- define "azure-pipelines-agent.defaultPodSecurityContext" -}}
+# All volumes are owned bu group 0 (root), same as the default user
+fsGroup: 0
+{{- end }}
+
 {{/*
 Default SecurytyContext object to apply to containers.
 
@@ -82,13 +94,14 @@ Can be overriden by setting ".Values.securityContext".
 See: https://kubernetes.io/docs/concepts/windows/intro/#compatibility-v1-pod-spec-containers
 */}}
 {{- define "azure-pipelines-agent.defaultSecurityContext" -}}
-runAsNonRoot: true
+runAsNonRoot: false
 readOnlyRootFilesystem: false
 {{- if .Values.image.isWindows }}
 windowsOptions:
   runAsUserName: ContainerAdministrator
 {{- else }}
 allowPrivilegeEscalation: false
+runAsUser: 0
 capabilities:
   drop: ["ALL"]
 {{- end }}
@@ -111,10 +124,8 @@ imagePullSecrets:
   {{- toYaml . | nindent 2 }}
 {{- end }}
 serviceAccountName: {{ include "azure-pipelines-agent.serviceAccountName" . }}
-{{- with .Values.podSecurityContext }}
 securityContext:
-  {{- toYaml . | nindent 2 }}
-{{- end }}
+  {{- toYaml (mustMergeOverwrite (include "azure-pipelines-agent.defaultPodSecurityContext" . | fromYaml) .Values.podSecurityContext) | nindent 2 }}
 {{- with .Values.initContainers }}
 initContainers:
   {{- toYaml . | nindent 2 }}