From 25288b3017c7911b1962734674f3933b3476fa4d Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Thu, 7 Mar 2024 11:16:11 +0100 Subject: [PATCH 1/3] Don't run as root when building protobuf files Signed-off-by: Fredrik Skogman --- Dockerfile | 22 ++++++++----- Dockerfile.jsonschema | 12 +++++++ Makefile | 61 +++++++++++++++++------------------- gen/jsonschema/jsonschema.sh | 2 +- 4 files changed, 57 insertions(+), 40 deletions(-) diff --git a/Dockerfile b/Dockerfile index bfcb5358..8996513f 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,15 +6,23 @@ RUN set -ex && \ apt-get install -y --no-install-recommends \ python3-pip +# Install Python dev dependencies. +COPY ./dev-requirements.txt /tmp/ +RUN python3 -m pip install --upgrade pip && \ + python3 -m pip install --requirement /tmp/dev-requirements.txt + # Install Rust cargo. RUN set -ex && \ apt-get install -y --no-install-recommends \ curl \ - build-essential -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y -ENV PATH="/root/.cargo/bin:${PATH}" + build-essential -# Install Python dev dependencies. -COPY ./dev-requirements.txt /tmp/ -RUN python3 -m pip install --upgrade pip && \ - python3 -m pip install --requirement /tmp/dev-requirements.txt +# Switch user +ARG uid=1000 +RUN useradd -u ${uid} -s /bin/sh -m builder + +USER builder +WORKDIR /home/builder + +RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y +ENV PATH="/home/builder/.cargo/bin:${PATH}" diff --git a/Dockerfile.jsonschema b/Dockerfile.jsonschema index 4de834a1..b980ff77 100644 --- a/Dockerfile.jsonschema +++ b/Dockerfile.jsonschema 
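Review bot: The added `RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | bash -s -- -y` runs under the default `/bin/sh -c`, so a failed download leaves bash reading empty input and exiting 0, and the layer is cached without a toolchain; place `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before it (hadolint DL4006). The installer is also fetched unpinned and unverified at build time; downloading a specific `rustup-init` release and checking its sha256, or at minimum passing `--default-toolchain <version>`, would make the image reproducible. Separately, `RUN useradd -u ${uid} -s /bin/sh -m builder` aborts with a bare useradd error if `uid` is already taken in the base image, and in particular when the Makefile passes `--build-arg uid=0` because make was run as root; a guard such as `RUN test "${uid}" -gt 0 && useradd -u ${uid} -s /bin/sh -m builder` would fail with a clearer message.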
@@ -1,7 +1,19 @@ # 3.18.2 FROM alpine@sha256:c5b1261d6d3e43071626931fc004f70149baeba2c8ec672bd4f27761f8e1ad6b RUN apk add --update protoc protobuf-dev go git + +# Switch user +ARG uid=1000 +RUN adduser -u ${uid} -S builder + +RUN mkdir -p /home/builder +RUN chown builder /home/builder + +USER builder +WORKDIR /home/builder + RUN go install github.com/chrusty/protoc-gen-jsonschema/cmd/protoc-gen-jsonschema@1.4.1 + # This is required to get the field_behavior.proto file # NOTE: --filter=tree:0 performs a treeless clone; we do this to optimize cloning # this otherwise relatively heavy repository. diff --git a/Makefile b/Makefile index 0c29363c..3eca1db4 100644 --- a/Makefile +++ b/Makefile 
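Review bot: `RUN adduser -u ${uid} -S builder`, `RUN mkdir -p /home/builder` and `RUN chown builder /home/builder` are three layers for one logical step; BusyBox `adduser` accepts `-h /home/builder` and appears to create the home directory owned by the new user itself, so a single `RUN adduser -u ${uid} -S -h /home/builder builder` should replace all three (worth confirming on this Alpine image, since `-S` may skip home creation). As in the other Dockerfile, the build fails with an opaque error if `uid` already exists in the base image or is passed as 0 from a root `make`; a guard like `test "${uid}" -gt 0 &&` in front of the adduser call gives a clearer failure.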
@@ -21,59 +21,56 @@ RUST_ACTION ?= run -p sigstore-protobuf-specs-codegen # generate all language protobuf code all: go python typescript ruby jsonschema rust +CUSER=$(shell id -u ${USER}) +CGROUP=$(shell id -g ${USER}) +DOCKER_RUN=docker run --platform linux/amd64 -u ${CUSER}:${CGROUP} -v ${PWD}:/defs +DOCKER_BUILD=docker build --platform linux/amd64 --build-arg uid=${CUSER} + # generate Go protobuf code go: docker-image @echo "Generating go protobuf files" - docker run --platform linux/amd64 -v ${PWD}:/defs ${PROTOC_IMAGE} -d protos -l go --go-module-prefix github.com/sigstore/protobuf-specs/gen/pb-go + ${DOCKER_RUN} ${PROTOC_IMAGE} \ + -d /defs/protos \ + -o /defs/gen/pb-go \ + -l go --go-module-prefix github.com/sigstore/protobuf-specs/gen/pb-go python: docker-image @echo "Generating python protobuf files" # we need to manually fix the PYTHONPATH due to: https://github.com/namely/docker-protoc/pull/356 - docker run \ - --platform linux/amd64 \ - -v ${PWD}:/defs \ - -e PYTHONPATH="/opt/mypy-protobuf/" \ + ${DOCKER_RUN} -e PYTHONPATH="/opt/mypy-protobuf/" \ --entrypoint bash ${PROTOC_IMAGE} \ - -c "cd ./gen/pb-python/sigstore_protobuf_specs && protoc -I/opt/include -I../../../protos/ --python_betterproto_out=. ../../../protos/*.proto" + -c "cd /defs/gen/pb-python/sigstore_protobuf_specs && protoc -I/opt/include -I../../../protos/ --python_betterproto_out=. 
../../../protos/*.proto" typescript: docker-image @echo "Generating javascript protobuf files" - docker run \ - --platform linux/amd64 \ - -v ${PWD}:/defs \ - ${PROTOC_IMAGE} \ - -d protos -l typescript -o ./gen/pb-typescript/src/__generated__ --ts_opt oneof=unions,forceLong=string,env=node,exportCommonSymbols=false,outputPartialMethods=false,outputEncodeMethods=false,unrecognizedEnum=false + ${DOCKER_RUN} ${PROTOC_IMAGE} \ + -d /defs/protos -l typescript \ + -o /defs/gen/pb-typescript/src/__generated__ \ + --ts_opt oneof=unions,forceLong=string,env=node,exportCommonSymbols=false,outputPartialMethods=false,outputEncodeMethods=false,unrecognizedEnum=false ruby: docker-image @echo "Generating ruby protobuf files" - docker run \ - --platform linux/amd64 \ - -v ${PWD}:/defs \ - --entrypoint bash ${PROTOC_IMAGE} \ - -c "cd ./gen/pb-ruby && protoc -I/opt/include -I../../protos/ --ruby_out=lib ../../protos/*.proto" + ${DOCKER_RUN} --entrypoint bash ${PROTOC_IMAGE} \ + -c "cd /defs/gen/pb-ruby && protoc -I/opt/include -I../../protos/ --ruby_out=lib ../../protos/*.proto" jsonschema: docker-image-jsonschema @echo "Generating JSON schema files" - docker run \ - -v ${PWD}:/defs \ - --entrypoint sh \ - ${JSONSCHEMA_IMAGE} \ - -c "cd defs/gen/jsonschema && ./jsonschema.sh -I ../../protos -I /googleapis/ --jsonschema_out=schemas ../../protos/*.proto" + ${DOCKER_RUN} --entrypoint sh \ + ${JSONSCHEMA_IMAGE} \ + -c "cd /defs/gen/jsonschema && ./jsonschema.sh -I ../../protos -I /home/builder/googleapis/ --jsonschema_out=schemas ../../protos/*.proto" -rust: docker-image - docker run \ - --platform linux/amd64 \ - -v ${PWD}:/defs \ - -e "RUST_BACKTRACE=1" \ - -e "CARGO_REGISTRY_TOKEN" \ +rust: docker-image gen/pb-rust/schemas + @echo "Generating rust protobuf files" + ${DOCKER_RUN} -e "RUST_BACKTRACE=1" \ + -e "CARGO_REGISTRY_TOKEN" --entrypoint bash ${PROTOC_IMAGE} \ - -c "cd gen/pb-rust && cargo ${RUST_ACTION}" + -c "cd /defs/gen/pb-rust && cargo build" # docker already does its own 
caching so we can attempt a build every time .PHONY: docker-image docker-image: @echo "Building development docker image" - docker build -t ${PROTOC_IMAGE} . + ${DOCKER_BUILD} -t ${PROTOC_IMAGE} . # to recover from a situation where a stale layer exist, just purging the # docker image via `make clean` is not enough. Re-building without layer @@ -81,12 +78,12 @@ docker-image: .PHONY: docker-image-no-cache docker-image-no-cache: @echo "Building development docker image with disabled cache" - docker build --no-cache -t ${PROTOC_IMAGE} . + ${DOCKER_BUILD} --no-cache -t ${PROTOC_IMAGE} . .PHONY: docker-image-jsonschema docker-image-jsonschema: @echo "Building docker image for generating JSON schema files" - docker build -t ${JSONSCHEMA_IMAGE} -f Dockerfile.jsonschema . + ${DOCKER_BUILD} -t ${JSONSCHEMA_IMAGE} -f Dockerfile.jsonschema . # clean up generated files (not working? try sudo make clean) clean: @@ -95,7 +92,7 @@ clean: gen/pb-python/sigstore_protobuf_specs/dev \ gen/pb-python/sigstore_protobuf_specs/io \ gen/pb-rust/target - docker rmi -f ${PROTOC_IMAGE} + docker rmi -f ${PROTOC_IMAGE} ${JSONSCHEMA_IMAGE} help: docker run --pull always --platform linux/amd64 -v ${PWD}:/defs ${PROTOC_IMAGE} diff --git a/gen/jsonschema/jsonschema.sh b/gen/jsonschema/jsonschema.sh index a24391be..0b0a4b0e 100755 --- a/gen/jsonschema/jsonschema.sh +++ b/gen/jsonschema/jsonschema.sh @@ -3,7 +3,7 @@ set -u set -e -protoc --plugin=/root/go/bin/protoc-gen-jsonschema \ +protoc --plugin=/home/builder/go/bin/protoc-gen-jsonschema \ --jsonschema_opt=disallow_additional_properties \ --jsonschema_opt=enforce_oneof \ --jsonschema_opt=enums_as_strings_only \ From 81c37b959f385ece32dc90d8885a03cfeeac3684 Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Thu, 7 Mar 2024 11:31:16 +0100 Subject: [PATCH 2/3] Updated rust target as first merge was wrong Signed-off-by: Fredrik Skogman --- Makefile | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
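Review bot: `CUSER=$(shell id -u ${USER})` and the `-u ${CUSER}:${CGROUP}` in `DOCKER_RUN` silently fall back to running the containers as root when make is invoked via sudo (the comment on `clean` even suggests `sudo make clean`), and `--build-arg uid=0` then breaks `useradd`/`adduser` in the Dockerfiles; a guard like `ifeq ($(CUSER),0)` / `$(error run make as a non-root user)` / `endif` would surface this. `${USER}` is also redundant and may be unset in CI shells — plain `$(shell id -u)` and `$(shell id -g)` are enough. Prefer `$(CURDIR)` over `${PWD}` for the bind mount: `PWD` is inherited from the environment and is not updated by `make -C`.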
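Review bot: `protoc --plugin=/home/builder/go/bin/protoc-gen-jsonschema` hard-codes the new user's home directory, so this script breaks again the next time the user or home in Dockerfile.jsonschema changes; `--plugin="${HOME}/go/bin/protoc-gen-jsonschema"` (or `"$(go env GOPATH)/bin/protoc-gen-jsonschema"`, since `go` is installed in that image) keeps the two files in step. With the script's `set -u`, an unset `HOME` would abort rather than silently pick a wrong path, which is the failure mode you want here.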
diff --git a/Makefile b/Makefile index 3eca1db4..4d1d0314 100644 --- a/Makefile +++ b/Makefile @@ -59,12 +59,12 @@ jsonschema: docker-image-jsonschema ${JSONSCHEMA_IMAGE} \ -c "cd /defs/gen/jsonschema && ./jsonschema.sh -I ../../protos -I /home/builder/googleapis/ --jsonschema_out=schemas ../../protos/*.proto" -rust: docker-image gen/pb-rust/schemas +rust: docker-image @echo "Generating rust protobuf files" ${DOCKER_RUN} -e "RUST_BACKTRACE=1" \ - -e "CARGO_REGISTRY_TOKEN" + -e "CARGO_REGISTRY_TOKEN" \ --entrypoint bash ${PROTOC_IMAGE} \ - -c "cd /defs/gen/pb-rust && cargo build" + -c "cd /defs/gen/pb-rust && cargo ${RUST_ACTION}" # docker already does its own caching so we can attempt a build every time .PHONY: docker-image From 9027b78258062354103f91e0588f37267d6dc90c Mon Sep 17 00:00:00 2001 From: Fredrik Skogman Date: Thu, 7 Mar 2024 12:35:35 +0100 Subject: [PATCH 3/3] white space fixes Signed-off-by: Fredrik Skogman --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 8996513f..c261e1bf 100644 --- a/Dockerfile +++ b/Dockerfile @@ -15,7 +15,7 @@ RUN python3 -m pip install --upgrade pip && \ RUN set -ex && \ apt-get install -y --no-install-recommends \ curl \ - build-essential + build-essential # Switch user ARG uid=1000
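Review bot: `-e "CARGO_REGISTRY_TOKEN" \` forwards a publishing credential into the container on every `rust` invocation, although the default `RUST_ACTION` (`run -p sigstore-protobuf-specs-codegen`) does not need it and the value is then readable via `docker inspect` on the running container; this predates the patch, but consider forwarding it only for publish actions, e.g. `$(if $(findstring publish,$(RUST_ACTION)),-e CARGO_REGISTRY_TOKEN)`. The restored trailing backslash and `cargo ${RUST_ACTION}` look correct.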