From f1537da778db2d5e38d10bf886738e5dda3f8bdd Mon Sep 17 00:00:00 2001
From: bjorn3 <17426603+bjorn3@users.noreply.github.com>
Date: Wed, 9 Oct 2024 11:54:44 +0200
Subject: [PATCH] Build sudo-rs outside of the docker container

This significantly reduces the size of the container.
---
 .github/workflows/ci.yaml | 10 ++++++++
 test-framework/sudo-test/src/docker.rs | 25 ++++++++++++++++++-
 test-framework/sudo-test/src/ours.Dockerfile | 11 +++-----
 .../src/ours.Dockerfile.dockerignore | 6 +----
 4 files changed, 38 insertions(+), 14 deletions(-)

diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
index 1cc38c383..3e7a75c6c 100644
--- a/.github/workflows/ci.yaml
+++ b/.github/workflows/ci.yaml
@@ -27,6 +27,11 @@ jobs:
 key: docker-buildx-rs-${{ github.sha }}
 restore-keys: docker-buildx-rs-
+ - name: Install dependencies
+ run: |
+ sudo apt update
+ sudo apt install libpam0g-dev
+
 - name: Rust Cache
 uses: Swatinem/rust-cache@v2
 with:
@@ -95,6 +100,11 @@ jobs:
 key: docker-buildx-rs-${{ github.sha }}
 restore-keys: docker-buildx-rs-
+ - name: Install dependencies
+ run: |
+ sudo apt update
+ sudo apt install libpam0g-dev
+
 - name: Rust Cache
 uses: Swatinem/rust-cache@v2
 with:
diff --git a/test-framework/sudo-test/src/docker.rs b/test-framework/sudo-test/src/docker.rs
index b86d66a10..8dea795f2 100644
--- a/test-framework/sudo-test/src/docker.rs
+++ b/test-framework/sudo-test/src/docker.rs
@@ -2,7 +2,7 @@ use core::str;
 use std::{
 env,
 fs::{self, File},
- io::{Seek, SeekFrom, Write},
+ io::{Seek, SeekFrom, Write, ErrorKind},
 path::{Path, PathBuf},
 process::{self, Command as StdCommand, Stdio},
 };
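Review bot: The new `sudo apt install libpam0g-dev` step (present in both the +27 and +100 hunks) runs without `-y`, so whenever apt decides it needs to pull in any package beyond the one named it will prompt, and with no terminal attached on the runner that prompt aborts the job; `apt` itself also prints a warning that its CLI is not meant for scripts. Use the non-interactive form the Dockerfile in this same patch already uses, `sudo apt-get update` followed by `sudo apt-get install -y --no-install-recommends libpam0g-dev`, in both places. The workflow job these steps belong to starts before and continues past each hunk.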
@@ -146,6 +146,29 @@ pub fn build_base_image() -> Result<()> {
 match SudoUnderTest::from_env()? {
 SudoUnderTest::Ours => {
+ // Build sudo-rs
+ let mut cargo_cmd = StdCommand::new("cargo");
+ cargo_cmd.args(["build", "--locked", "--features=dev", "--bins"]);
+ cargo_cmd.current_dir(&repo_root);
+ if env::var_os("SUDO_TEST_VERBOSE_DOCKER_BUILD").is_none() {
+ cargo_cmd.stderr(Stdio::null()).stdout(Stdio::null());
+ }
+ if !cargo_cmd.status()?.success() {
+ return Err("`cargo build --locked --features=dev --bins` failed".into());
+ }
+
+ // Copy all binaries to a single place where the Dockerfile will find them
+ let target_debug_dir = repo_root.join("target").join("debug");
+ let build_dir = repo_root.join("target").join("build");
+ match fs::create_dir(&build_dir) {
+ Ok(()) => {}
+ Err(e) if e.kind() == ErrorKind::AlreadyExists => {}
+ Err(e) => return Err(e.into()),
+ }
+ for f in ["sudo", "su", "visudo"] {
+ fs::copy(target_debug_dir.join(f), build_dir.join(f))?;
+ }
+
 // needed for dockerfile-specific dockerignore (e.g. `Dockerfile.dockerignore`) support
 cmd.current_dir(repo_root);
 cmd.args(["-f", "test-framework/sudo-test/src/ours.Dockerfile", "."]);
diff --git a/test-framework/sudo-test/src/ours.Dockerfile b/test-framework/sudo-test/src/ours.Dockerfile
index f8b33ce54..8baa1da53 100644
--- a/test-framework/sudo-test/src/ours.Dockerfile
+++ b/test-framework/sudo-test/src/ours.Dockerfile
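Review bot: The copy step hard-codes `repo_root.join("target").join("debug")` while the `cargo build` just above it lets cargo pick its own target directory, so on any machine or CI job where `CARGO_TARGET_DIR` (or `build.target-dir`) is set the build succeeds somewhere else and `fs::copy` fails with a bare NotFound error that names none of this. Make the two agree by adding `cargo_cmd.arg("--target-dir").arg(repo_root.join("target"));` right after the `args([...])` call, or derive `target_debug_dir` from `CARGO_TARGET_DIR` when it is present. Because stdout and stderr are discarded unless `SUDO_TEST_VERBOSE_DOCKER_BUILD` is set, a failed compile also surfaces only the generic string; extending it to `"… failed (set SUDO_TEST_VERBOSE_DOCKER_BUILD=1 to see the compiler output)"` would save the next person a trip to this file. `build_base_image` starts before this hunk and its body continues after it.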
@@ -1,18 +1,13 @@
-FROM rust:1-slim-bookworm
+FROM debian:bookworm-slim
 RUN apt-get update && \
- apt-get install -y --no-install-recommends clang libclang-dev libpam0g-dev procps sshpass rsyslog
-# cache the crates.io index in the image for faster local testing
-RUN cargo search sudo
+ apt-get install -y --no-install-recommends procps sshpass rsyslog
 WORKDIR /usr/src/sudo
-COPY . .
-RUN --mount=type=cache,target=/usr/src/sudo/target cargo build --locked --features="dev" --bins && mkdir -p build && cp target/debug/sudo build/sudo && cp target/debug/su build/su && cp target/debug/visudo build/visudo
+COPY target/build build
 # set setuid on install
 RUN install --mode 4755 build/sudo /usr/bin/sudo
 RUN install --mode 4755 build/su /usr/bin/su
 RUN install --mode 755 build/visudo /usr/sbin/visudo
 # `apt-get install sudo` creates this directory; creating it in the image saves us the work of creating it in each compliance test
 RUN mkdir -p /etc/sudoers.d
-# remove build dependencies
-RUN apt-get autoremove -y clang libclang-dev
 # set the default working directory to somewhere world writable so sudo / su can create .profraw files there
 WORKDIR /tmp
diff --git a/test-framework/sudo-test/src/ours.Dockerfile.dockerignore b/test-framework/sudo-test/src/ours.Dockerfile.dockerignore
index 85367177a..28762c081 100644
--- a/test-framework/sudo-test/src/ours.Dockerfile.dockerignore
+++ b/test-framework/sudo-test/src/ours.Dockerfile.dockerignore
@@ -2,8 +2,4 @@
 *
 # but these
-!Cargo.lock
-!Cargo.toml
-!src/**/*
-!bin/**/*
-!build.rs
+!/target/build
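Review bot: `COPY target/build build` pulls in the whole directory, so leftovers from earlier runs or anything else a developer leaves in `target/build` ride into the image next to the three binaries that are then installed setuid root a few lines down; only `sudo`, `su` and `visudo` are `install`ed, but the image should not have to rely on that. Name the expected files instead, `COPY target/build/sudo target/build/su target/build/visudo build/`. Separately, these binaries are now linked on the host rather than inside the image, so they are presumably only loadable here if built against a glibc and libpam no newer than bookworm's; that assumption deserves a comment above the COPY, e.g. `# build/ holds sudo, su and visudo built on the host by sudo-test (docker.rs); they must be ABI-compatible with bookworm-slim`.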