diff --git a/actions/buildpack-aliyun/1.0/dice.yml b/actions/buildpack-aliyun/1.0/dice.yml
index ca25c3c2..7014a71a 100644
--- a/actions/buildpack-aliyun/1.0/dice.yml
+++ b/actions/buildpack-aliyun/1.0/dice.yml
@@ -1,7 +1,7 @@
### job 配置项
jobs:
buildpack-aliyun:
- image: registry.erda.cloud/erda-actions/buildpack-aliyun-action:1.0-20230103141416-d085afc
+ image: registry.erda.cloud/erda-actions/buildpack-aliyun-action:1.0-20240314111031-384b1871
envs:
# Dockerfile / Dockerfile.build 中 {{BP_DOCKER_BASE_REGISTRY}} 需要该环境变量进行文件渲染。
# 作用:Dockerfile 里 FROM XXX,这个 XXX 镜像的 Registry 地址。
diff --git a/actions/buildpack-aliyun/1.0/internal/run/conf/params.go b/actions/buildpack-aliyun/1.0/internal/run/conf/params.go
index eff09ded..85012f8d 100644
--- a/actions/buildpack-aliyun/1.0/internal/run/conf/params.go
+++ b/actions/buildpack-aliyun/1.0/internal/run/conf/params.go
@@ -52,8 +52,9 @@ type params struct {
Modules []*Module
ModulesStr string `env:"ACTION_MODULES" required:"true"`
- HttpProxy string `env:"ACTION_HTTP_PROXY" required:"false"`
- HttpsProxy string `env:"ACTION_HTTPS_PROXY" required:"false"`
+ HttpProxy string `env:"ACTION_HTTP_PROXY" required:"false"`
+ HttpsProxy string `env:"ACTION_HTTPS_PROXY" required:"false"`
+ RunningAsRoot bool `env:"ACTION_RUNNING_AS_ROOT" required:"false"`
// OnlyBuild means no pack step.
// +optional
diff --git a/actions/buildpack-aliyun/1.0/internal/run/pack/pack_buildkit.go b/actions/buildpack-aliyun/1.0/internal/run/pack/pack_buildkit.go
index b0072f60..dab564f9 100644
--- a/actions/buildpack-aliyun/1.0/internal/run/pack/pack_buildkit.go
+++ b/actions/buildpack-aliyun/1.0/internal/run/pack/pack_buildkit.go
@@ -39,6 +39,7 @@ func PackForBuildkit() ([]byte, error) {
/* context/ + -- repo/ -- bp-backend/ -- bp/
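Review bot: The new `RunningAsRoot` field has neither a comment nor a `default` tag, so a reader of the struct cannot tell that the zero value, false, is the security-relevant setting: it is what makes the pack step inject a non-root user into the Dockerfile. The js action's conf in this same commit spells out `default:"false"` and the java conf carries a comment; do both here, e.g. add `default:"false"` to the tag and append `// RunningAsRoot keeps the base image's (root) user; false, the default, injects a non-root uid 1001 user before ENTRYPOINT/CMD.` The `params` struct starts before this hunk.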
@@ -89,6 +90,9 @@ func dockerPackBuildForBuildkit() ([]byte, error) {
return nil, err
}
newDockerfileContent := dockerfile.ReplaceOrInsertBuildArgToDockerfile(dockerfileContent, conf.Params().BpArgs)
+ if !conf.Params().RunningAsRoot {
+ newDockerfileContent = dockerfile.InsertErdaUserToDockerfile(newDockerfileContent)
+ }
//----------------------
newDockerfileContentLines := strings.Split(string(newDockerfileContent), "\n")
diff --git a/actions/buildpack/1.0/dice.yml b/actions/buildpack/1.0/dice.yml
index a3f55d20..7c3395b5 100644
--- a/actions/buildpack/1.0/dice.yml
+++ b/actions/buildpack/1.0/dice.yml
@@ -1,7 +1,7 @@
### job 配置项
jobs:
buildpack:
- image: registry.erda.cloud/erda-actions/buildpack-action:1.0-20230912165801-8ef9d0cb
+ image: registry.erda.cloud/erda-actions/buildpack-action:1.0-20240313161931-384b1871
envs:
# Dockerfile / Dockerfile.build 中 {{BP_DOCKER_BASE_REGISTRY}} 需要该环境变量进行文件渲染。
# 作用:Dockerfile 里 FROM XXX,这个 XXX 镜像的 Registry 地址。
diff --git a/actions/buildpack/1.0/internal/run/conf/params.go b/actions/buildpack/1.0/internal/run/conf/params.go
index da997733..27a17525 100644
--- a/actions/buildpack/1.0/internal/run/conf/params.go
+++ b/actions/buildpack/1.0/internal/run/conf/params.go
@@ -52,8 +52,9 @@ type params struct {
Modules []*Module
ModulesStr string `env:"ACTION_MODULES" required:"true"`
- HttpProxy string `env:"ACTION_HTTP_PROXY" required:"false"`
- HttpsProxy string `env:"ACTION_HTTPS_PROXY" required:"false"`
+ HttpProxy string `env:"ACTION_HTTP_PROXY" required:"false"`
+ HttpsProxy string `env:"ACTION_HTTPS_PROXY" required:"false"`
+ RunningAsRoot bool `env:"ACTION_RUNNING_AS_ROOT" required:"false"`
// OnlyBuild means no pack step.
// +optional
diff --git a/actions/buildpack/1.0/internal/run/pack/pack_buildkit.go b/actions/buildpack/1.0/internal/run/pack/pack_buildkit.go
index 4d7406b5..f94ea279 100644
--- a/actions/buildpack/1.0/internal/run/pack/pack_buildkit.go
+++ b/actions/buildpack/1.0/internal/run/pack/pack_buildkit.go
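Review bot: The injection at `if !conf.Params().RunningAsRoot` is unconditional, but buildpack Dockerfiles are user-supplied and may already contain a `USER` instruction before their ENTRYPOINT/CMD; the injected `RUN groupadd … && useradd …` then executes as that unprivileged user, `useradd` is denied, and every such pipeline breaks once it picks up this image, since the helper added to pkg/dockerfile in this commit does no USER check of its own. Skip the injection when the rendered Dockerfile already switches user, e.g. `var userInstruction = regexp.MustCompile(`(?mi)^\s*USER\s`)` at package level and `if !conf.Params().RunningAsRoot && !userInstruction.Match(newDockerfileContent) {` here, or better, put that check inside the helper so all four call sites in this commit share it. `dockerPackBuildForBuildkit` begins and ends outside the hunk.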
@@ -91,6 +91,9 @@ func dockerPackBuildForBuildkit() ([]byte, error) {
return nil, err
}
newDockerfileContent := dockerfile.ReplaceOrInsertBuildArgToDockerfile(dockerfileContent, conf.Params().BpArgs)
+ if !conf.Params().RunningAsRoot {
+ newDockerfileContent = dockerfile.InsertErdaUserToDockerfile(newDockerfileContent)
+ }
//----------------------
newDockerfileContentLines := strings.Split(string(newDockerfileContent), "\n")
diff --git a/actions/java/1.0/dice.yml b/actions/java/1.0/dice.yml
index 478407e3..9c65db3b 100644
--- a/actions/java/1.0/dice.yml
+++ b/actions/java/1.0/dice.yml
@@ -1,7 +1,7 @@
### job 配置项
jobs:
java:
- image: registry.erda.cloud/erda-actions/java-action:1.0-20230821111659-1ff4f6c1
+ image: registry.erda.cloud/erda-actions/java-action:1.0-20240314110058-384b1871
envs:
# 详见 actions/buildpack/1.0/dice.yml
BP_DOCKER_BASE_REGISTRY: registry.erda.cloud
diff --git a/actions/java/1.0/internal/pkg/build/pack.go b/actions/java/1.0/internal/pkg/build/pack.go
index 026ae9b6..61bd40f5 100644
--- a/actions/java/1.0/internal/pkg/build/pack.go
+++ b/actions/java/1.0/internal/pkg/build/pack.go
@@ -3,6 +3,7 @@ package build
import (
"encoding/json"
"fmt"
+ "github.com/erda-project/erda-actions/pkg/dockerfile"
"io/ioutil"
"os"
"os/exec"
@@ -151,6 +152,17 @@ func packAndPushAppImage(cfg conf.Conf) error {
buildArgs["SCRIPT_ARGS"] = cfg.PreStartArgs
}
+ if !cfg.RunningAsRoot {
+ dockerfileContent, err := os.ReadFile(dockerFilePath)
+ if err != nil {
+ return err
+ }
+ dockerfileContent = dockerfile.InsertErdaUserToDockerfile(dockerfileContent)
+ if err = filehelper.CreateFile(dockerFilePath, string(dockerfileContent), 0644); err != nil {
+ return err
+ }
+ }
+
// witch the build method
if cfg.BuildkitEnable == "true" {
if err := packWithBuildKit(cfg, repo, buildArgs); err != nil {
diff --git a/actions/java/1.0/internal/pkg/conf/conf.go b/actions/java/1.0/internal/pkg/conf/conf.go
index 47685b40..2e988db0 100644
--- a/actions/java/1.0/internal/pkg/conf/conf.go
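Review bot: The text injected by `dockerfile.InsertErdaUserToDockerfile` is a `RUN groupadd … && useradd …` line, which assumes the final stage's base image ships shadow-utils; Alpine bases only have `addgroup`/`adduser` and distroless bases have no shell at all, so with `RunningAsRoot` defaulting to false every buildpack pipeline on such a base now fails in the BuildKit step with an error that never mentions this action. Failing closed is acceptable, but the cause should be attributable: log the injection before the build with whatever logger this file already uses (logrus in most erda-actions), e.g. `logrus.Infof("ACTION_RUNNING_AS_ROOT=false: injecting non-root user (uid 1001) into Dockerfile")`, and state the shadow-utils requirement and the opt-out variable in the action's documentation. The enclosing function starts and ends outside the hunk.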
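Review bot: Both error returns in the new `if !cfg.RunningAsRoot` block are bare `return err`, so a failure reading or rewriting the template surfaces as a plain `open …: no such file` with no hint that the non-root injection step caused it; wrap them, e.g. `return fmt.Errorf("inject non-root user into %s: %w", dockerFilePath, err)` (`fmt` is already imported). The rewrite is also in place and not idempotent: if `packAndPushAppImage` can run twice against the same checkout (a retry), the second pass inserts another `RUN … useradd erda` and `useradd` fails on the duplicate name, since `-o` only relaxes the UID check, so either guard on the content already containing `USER erda` or write the modified Dockerfile to a separate path handed to the build. `dockerFilePath` is defined before this hunk and the function continues after it.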
+++ b/actions/java/1.0/internal/pkg/conf/conf.go
@@ -23,6 +23,7 @@ type Conf struct {
MonitorAgent string `env:"ACTION_MONITOR" default:"true"` // 是否使用监控 agent,若用户未配置,默认启用, true/false
PreStartScript string `env:"ACTION_PRE_START_SCRIPT"` // 执行用户运行前脚本路径+名称,默认为项目根目录
PreStartArgs string `env:"ACTION_PRE_START_ARGS"` // 执行用户运行前脚本参数
+ RunningAsRoot bool `env:"ACTION_RUNNING_AS_ROOT"` // whether to run as root user
// pipeline注入,镜像生成需要
OrgID int64 `env:"DICE_ORG_ID" required:"true"`
OrgName string `env:"DICE_ORG_NAME" required:"true"`
diff --git a/actions/js/1.0/internal/pkg/build/execute.go b/actions/js/1.0/internal/pkg/build/execute.go
index 5023a7a8..9d843f47 100644
--- a/actions/js/1.0/internal/pkg/build/execute.go
+++ b/actions/js/1.0/internal/pkg/build/execute.go
@@ -3,6 +3,7 @@ package build
import (
"encoding/json"
"fmt"
+ "github.com/erda-project/erda-actions/pkg/dockerfile"
"net/url"
"os"
"os/exec"
@@ -215,6 +216,18 @@ func packAndPushImage(cfg conf.Conf) error {
// docker build 业务镜像
repo := getRepo(cfg)
+ if !cfg.RunningAsRoot {
+ dockerfilePath := fmt.Sprintf("%s/%s/Dockerfile", filepath.Base(compPrefix), cfg.ContainerType)
+ dockerfileContent, err := os.ReadFile(dockerfilePath)
+ if err != nil {
+ return err
+ }
+ dockerfileContent = dockerfile.InsertErdaUserToDockerfile(dockerfileContent)
+ if err = filehelper.CreateFile(dockerfilePath, string(dockerfileContent), 0644); err != nil {
+ return err
+ }
+ }
+
if cfg.BuildkitEnable == "true" {
if err := packWithBuildkit(repo, cfg); err != nil {
return err
diff --git a/actions/js/1.0/internal/pkg/conf/conf.go b/actions/js/1.0/internal/pkg/conf/conf.go
index 47739997..02f09569 100644
--- a/actions/js/1.0/internal/pkg/conf/conf.go
+++ b/actions/js/1.0/internal/pkg/conf/conf.go
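Review bot: `dockerfilePath` is assembled with `fmt.Sprintf("%s/%s/Dockerfile", …)` from `cfg.ContainerType`, a value read from the action's environment; build it with `filepath.Join(filepath.Base(compPrefix), cfg.ContainerType, "Dockerfile")` (`filepath` is already used on that line) so the path is normalised and a stray leading or trailing slash in the input does not change which file is rewritten. More importantly, the path is derived here independently of the one `packWithBuildkit` and the docker build path use to select the Dockerfile; if the two ever diverge, the rewritten file is simply never built and the image silently ships running as root despite `RunningAsRoot` being false. Compute the Dockerfile path once and pass it to both the rewrite and the build. Those build functions are outside this hunk, so the expected match is inferred rather than verified.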
@@ -14,6 +14,7 @@ type Conf struct {
NpmUsername string `env:"ACTION_NPM_USER"`
NpmPassword string `env:"ACTION_NPM_PASSWORD"`
Service string `env:"ACTION_SERVICE"` // 与 dice.yml 里 service 对应,部署时,通过 service 关联镜像 TODO deprecated
+ RunningAsRoot bool `env:"ACTION_RUNNING_AS_ROOT" default:"false"`
// pipeline 注入,镜像生成时使用
TaskName string `env:"PIPELINE_TASK_NAME" default:"unknown"`
ClusterName string `env:"DICE_CLUSTER_NAME" required:"true"`
diff --git a/pkg/dockerfile/dockerfile.go b/pkg/dockerfile/dockerfile.go
index 75851f44..aa85921d 100644
--- a/pkg/dockerfile/dockerfile.go
+++ b/pkg/dockerfile/dockerfile.go
@@ -11,6 +11,30 @@ import (
"github.com/erda-project/erda/pkg/strutil"
)
+var (
+ erdaUser = `RUN groupadd -g 1001 erda -f && useradd -u 1001 -g 1001 erda -o
+ USER erda
+ `
+)
+
+func InsertErdaUserToDockerfile(content []byte) []byte {
+ lines := strutil.Split(string(content), "\n", true)
+ var result []string
+ var hasInserted bool
+ for _, line := range lines {
+ if strings.HasPrefix(line, "ENTRYPOINT") || strings.HasPrefix(line, "CMD") {
+ result = append(result, erdaUser, line)
+ hasInserted = true
+ continue
+ }
+ result = append(result, line)
+ }
+ if !hasInserted {
+ result = append(result, erdaUser)
+ }
+ return []byte(strings.Join(result, "\n"))
+}
+
func ReplaceOrInsertBuildArgToDockerfile(content []byte, buildArgs map[string]string) []byte {
// v 使用 json 序列化进行转义
diff --git a/pkg/dockerfile/dockerfile_test.go b/pkg/dockerfile/dockerfile_test.go
index e22768d3..594325a2 100644
--- a/pkg/dockerfile/dockerfile_test.go
+++ b/pkg/dockerfile/dockerfile_test.go
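Review bot: `InsertErdaUserToDockerfile` tracks `hasInserted` across the whole file, so in a multi-stage Dockerfile whose builder stage has a CMD or ENTRYPOINT while the final stage inherits its entrypoint from the base image, the only `USER erda` lands in the discarded builder stage and the shipped image still runs as root, which is exactly the case this flag exists to prevent. The converse is also broken: a stage with both `ENTRYPOINT` and `CMD` receives the block twice, and the second `useradd erda` fails on the duplicate name, since `-o` only relaxes the UID check. The prefix match is additionally case-sensitive and ignores indentation, although Dockerfile instructions are case-insensitive, and the function has no doc comment. Restrict the search to the last `FROM`, insert at most once, return the input unchanged when that stage already sets `USER` (otherwise the injected `RUN` executes unprivileged and fails), and document the contract; the exported signature stays the same.

```go
// InsertErdaUserToDockerfile switches the final build stage of content to a
// non-root user. It inserts the user-creation RUN and USER erda before the
// first ENTRYPOINT/CMD of the last FROM stage (or appends them when that stage
// has neither), never inserts twice, and returns content unchanged when the
// final stage already carries a USER instruction.
func InsertErdaUserToDockerfile(content []byte) []byte {
	lines := strutil.Split(string(content), "\n", true)
	// keyword returns the instruction of a line, upper-cased; "" for blanks.
	keyword := func(line string) string {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			return ""
		}
		return strings.ToUpper(fields[0])
	}
	// Only the last stage ends up in the image; earlier stages are discarded.
	stageStart := 0
	for i, line := range lines {
		if keyword(line) == "FROM" {
			stageStart = i
		}
	}
	for _, line := range lines[stageStart:] {
		if keyword(line) == "USER" {
			return content // explicit USER already present; our RUN would fail under it
		}
	}
	result := make([]string, 0, len(lines)+1)
	inserted := false
	for i, line := range lines {
		kw := keyword(line)
		if !inserted && i >= stageStart && (kw == "ENTRYPOINT" || kw == "CMD") {
			result = append(result, erdaUser)
			inserted = true
		}
		result = append(result, line)
	}
	if !inserted {
		result = append(result, erdaUser)
	}
	return []byte(strings.Join(result, "\n"))
}
```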
@@ -101,3 +101,35 @@ ARG URL
}
fmt.Println(string(ReplaceOrInsertBuildArgToDockerfile(dockerfile, bpArgs)))
}
+
+func TestInsertErdaUserToDockerfile(t *testing.T) {
+ dockerfile := []byte(`
+FROM registry.erda.cloud/retag/pyroscope-java:v0.11.5 as pyroscope-java
+FROM registry.erda.cloud/erda-x/openjdk:8_11
+
+ARG CONTAINER_VERSION=v8
+ENV CONTAINER_VERSION ${CONTAINER_VERSION}
+
+ENV SCRIPT_ARGS ${SCRIPT_ARGS}
+
+COPY comp/openjdk/entrypoint.sh /entrypoint.sh
+RUN chmod +x /entrypoint.sh
+
+COPY pre_start.sh /pre_start.sh
+RUN chmod +x /pre_start.sh
+
+COPY comp/fonts /usr/share/fonts/custom
+#COPY comp/arthas-boot.jar /
+COPY comp/jacocoagent.jar /opt/jacoco/jacocoagent.jar
+
+ARG ERDA_VERSION
+COPY comp/spot-agent/${ERDA_VERSION}/spot-agent.tar.gz /tmp/spot-agent.tar.gz
+RUN \
+ if [ "${MONITOR_AGENT}" = true ]; then \
+ mkdir -p /opt/spot; tar -xzf /tmp/spot-agent.tar.gz -C /opt/spot; \
+ fi && rm -rf /tmp/spot-agent.tar.gz
+
+ENTRYPOINT ["/entrypoint.sh"]
+`)
+ fmt.Println(string(InsertErdaUserToDockerfile(dockerfile)))
+}
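Review bot: `TestInsertErdaUserToDockerfile` only prints the result, so it passes whatever the function emits and would not catch the helper inserting nothing, inserting twice, or inserting into a discarded build stage. Assert on the output instead: `out := string(InsertErdaUserToDockerfile(dockerfile))` followed by `if strings.Count(out, "USER erda") != 1 || strings.Index(out, "USER erda") > strings.Index(out, "ENTRYPOINT") { t.Fatalf("unexpected dockerfile:\n%s", out) }`, and add a second fixture whose builder stage has a CMD and whose final stage has no ENTRYPOINT/CMD, since that is the case most likely to leave the image running as root. `strings` may need to be added to this test file's imports, which are outside the hunk.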