From 0df8392c86400f34858820430b85817782ba2710 Mon Sep 17 00:00:00 2001 From: SomberNight Date: Thu, 3 Mar 2022 18:53:21 +0100 Subject: [PATCH 1/2] build: rm need for sudo in most places; and do not run as root This includes two logically separate changes: - on the host, try not to require sudo when running the build scripts - namely when interacting with the docker daemon, this requires the unix user on the host to be part of the `docker` group - this solves part of https://github.com/spesmilo/electrum/issues/7602 - while running inside the docker containers, do not run as root - this means that e.g. files created in mounted folders should no longer be owned by root on the host - there is some code duplication involved here - not sure how it could be deduped. --- contrib/android/Dockerfile | 17 +++++------------ contrib/android/build.sh | 8 ++++---- contrib/build-linux/appimage/Dockerfile | 12 ++++++++++++ contrib/build-linux/appimage/build.sh | 8 ++++---- contrib/build-linux/sdist/Dockerfile | 12 ++++++++++++ contrib/build-linux/sdist/build.sh | 8 ++++---- contrib/build-wine/Dockerfile | 15 +++++++++++++++ contrib/build-wine/build-electrum-git.sh | 4 ++-- contrib/build-wine/build.sh | 8 ++++---- contrib/build-wine/make_win.sh | 2 +- contrib/make_libusb.sh | 2 +- 11 files changed, 64 insertions(+), 32 deletions(-) diff --git a/contrib/android/Dockerfile b/contrib/android/Dockerfile index 71ac55172..f24094f3b 100644 --- a/contrib/android/Dockerfile +++ b/contrib/android/Dockerfile @@ -94,11 +94,6 @@ RUN curl --location --progress-bar \ && rm -rf "${APACHE_ANT_ARCHIVE}" -ENV USER="user" -ENV HOME_DIR="/home/${USER}" -ENV WORK_DIR="${HOME_DIR}/wspace" \ - PATH="${HOME_DIR}/.local/bin:${PATH}" - # install system/build dependencies # https://github.com/kivy/buildozer/blob/master/docs/source/installation.rst#android-on-ubuntu-2004-64bit # TODO probably need to pin versions of at least some of these for over-time reproducibility? 
@@ -136,17 +131,15 @@ RUN apt -y update -qq \ && apt -y clean -# prepare non root env +# create new user to avoid using root; but with sudo access and no password for convenience. +ENV USER="user" +ENV HOME_DIR="/home/${USER}" +ENV WORK_DIR="${HOME_DIR}/wspace" \ + PATH="${HOME_DIR}/.local/bin:${PATH}" RUN useradd --create-home --shell /bin/bash ${USER} - -# with sudo access and no password RUN usermod -append --groups sudo ${USER} RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers - - WORKDIR ${WORK_DIR} - -# user needs ownership/write access to these directories RUN chown --recursive ${USER} ${WORK_DIR} ${ANDROID_SDK_HOME} RUN chown ${USER} /opt USER ${USER} diff --git a/contrib/android/build.sh b/contrib/android/build.sh index 853b9b862..b102260f3 100755 --- a/contrib/android/build.sh +++ b/contrib/android/build.sh @@ -22,7 +22,7 @@ if [ ! -z "$ELECBUILD_NOCACHE" ] ; then fi info "building docker image." -sudo docker build \ +docker build \ $DOCKER_BUILD_FLAGS \ -t electrum-android-builder-img \ --file "$CONTRIB_ANDROID/Dockerfile" \ @@ -33,7 +33,7 @@ sudo docker build \ if [ ! -z "$ELECBUILD_COMMIT" ] ; then info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout." FRESH_CLONE="$CONTRIB_ANDROID/fresh_clone/electrum" && \ - sudo rm -rf "$FRESH_CLONE" && \ + rm -rf "$FRESH_CLONE" && \ umask 0022 && \ git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \ cd "$FRESH_CLONE" @@ -51,7 +51,7 @@ fi info "building binary..." mkdir --parents "$PROJECT_ROOT_OR_FRESHCLONE_ROOT"/.buildozer/.gradle -sudo docker run -it --rm \ +docker run -it --rm \ --name electrum-android-builder-cont \ -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/home/user/wspace/electrum \ -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT"/.buildozer/.gradle:/home/user/.gradle \ 
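Review bot: `RUN useradd --create-home --shell /bin/bash ${USER}` takes the next free UID (typically 1000 on a fresh Debian/Ubuntu image), so files the build writes into the bind-mounted trees are owned by that UID on the host, and when the invoking host user has a different UID the container user cannot write into those mounts at all; the commit message's goal of host-owned output therefore only holds for hosts where the user happens to be UID 1000. Consider taking the ids as build args, e.g. `ARG UID=1000` and `ARG GID=1000` before the `useradd`, then `RUN groupadd --gid "${GID}" ${USER} && useradd --create-home --shell /bin/bash --uid "${UID}" --gid "${GID}" ${USER}`, with build.sh passing `--build-arg UID="$(id -u)" --build-arg GID="$(id -g)"`. Separately, `%sudo ALL=(ALL) NOPASSWD: ALL` lets any build step become root without friction, so the non-root user is an ownership fix rather than a privilege boundary; a comment stating that, or dropping the sudo access where no build step needs it, would stop readers from taking it as hardening. The same applies to the matching hunks in the appimage, sdist and build-wine Dockerfiles.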
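Review bot: With `sudo` dropped from `docker build` (and from `docker run` in the hunk below), the scripts now depend on the invoking host user being in the `docker` group, and membership in that group is effectively root on the host because the daemon runs as root and will bind-mount any path; the commit message mentions the group requirement but not that trade-off, and a user outside the group now gets a bare permission-denied from the docker CLI with no hint about the cause. A short pre-check before the build, such as `docker info >/dev/null 2>&1 || { echo "cannot reach the docker daemon; see contrib/docker_notes.md" >&2; exit 1; }`, would give a clear error, and the docker notes should state that docker group membership is root-equivalent. The same change is in the appimage, sdist and build-wine build.sh hunks.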
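Review bot: `rm -rf "$FRESH_CLONE"` without sudo will fail on the first run after this change if `fresh_clone/` still holds files written by earlier root-in-container builds (those are root-owned on the host), and the `&& \` chain then stops before `git clone`. The `.buildozer/.gradle` directory mounted by the `docker run` hunk below has the same problem in reverse: if it is a left-over root-owned directory, the non-root container user cannot write into it, where the old root container could. A sentence in the commit message or the docker notes telling users to remove or chown the old `fresh_clone`/`.buildozer` directories once, or a pre-check that reports a non-writable `$FRESH_CLONE` with a hint instead of a bare `rm` error, would make the failure mode explicit. The `if` block this line belongs to closes outside the hunk; the appimage, sdist and build-wine build.sh hunks carry the same `rm -rf` change.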
@@ -63,5 +63,5 @@ sudo docker run -it --rm \ # make sure resulting binary location is independent of fresh_clone if [ ! -z "$ELECBUILD_COMMIT" ] ; then mkdir --parents "$DISTDIR/" - sudo cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" + cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" fi diff --git a/contrib/build-linux/appimage/Dockerfile b/contrib/build-linux/appimage/Dockerfile index 9ea6eb2ea..9884744a8 100644 --- a/contrib/build-linux/appimage/Dockerfile +++ b/contrib/build-linux/appimage/Dockerfile @@ -56,3 +56,15 @@ RUN apt-get update -q && \ rm -rf /var/lib/apt/lists/* && \ apt-get autoremove -y && \ apt-get clean + +# create new user to avoid using root; but with sudo access and no password for convenience. +ENV USER="user" +ENV HOME_DIR="/home/${USER}" +ENV WORK_DIR="${HOME_DIR}/wspace" \ + PATH="${HOME_DIR}/.local/bin:${PATH}" +RUN useradd --create-home --shell /bin/bash ${USER} +RUN usermod -append --groups sudo ${USER} +RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers +WORKDIR ${WORK_DIR} +RUN chown --recursive ${USER} ${WORK_DIR} +USER ${USER} diff --git a/contrib/build-linux/appimage/build.sh b/contrib/build-linux/appimage/build.sh index 65b361081..6f48142a2 100755 --- a/contrib/build-linux/appimage/build.sh +++ b/contrib/build-linux/appimage/build.sh @@ -22,7 +22,7 @@ if [ ! -z "$ELECBUILD_NOCACHE" ] ; then fi info "building docker image." -sudo docker build \ +docker build \ $DOCKER_BUILD_FLAGS \ -t electrum-appimage-builder-img \ "$CONTRIB_APPIMAGE" @@ -31,7 +31,7 @@ sudo docker build \ if [ ! -z "$ELECBUILD_COMMIT" ] ; then info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout." FRESH_CLONE="$CONTRIB_APPIMAGE/fresh_clone/electrum" && \ - sudo rm -rf "$FRESH_CLONE" && \ + rm -rf "$FRESH_CLONE" && \ umask 0022 && \ git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \ cd "$FRESH_CLONE" 
@@ -42,7 +42,7 @@ else fi info "building binary..." -sudo docker run -it \ +docker run -it \ --name electrum-appimage-builder-cont \ -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/opt/electrum \ --rm \ @@ -53,5 +53,5 @@ sudo docker run -it \ # make sure resulting binary location is independent of fresh_clone if [ ! -z "$ELECBUILD_COMMIT" ] ; then mkdir --parents "$DISTDIR/" - sudo cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" + cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" fi diff --git a/contrib/build-linux/sdist/Dockerfile b/contrib/build-linux/sdist/Dockerfile index bf7d03850..028940dc8 100644 --- a/contrib/build-linux/sdist/Dockerfile +++ b/contrib/build-linux/sdist/Dockerfile @@ -16,3 +16,15 @@ RUN apt-get update -q && \ rm -rf /var/lib/apt/lists/* && \ apt-get autoremove -y && \ apt-get clean + +# create new user to avoid using root; but with sudo access and no password for convenience. +ENV USER="user" +ENV HOME_DIR="/home/${USER}" +ENV WORK_DIR="${HOME_DIR}/wspace" \ + PATH="${HOME_DIR}/.local/bin:${PATH}" +RUN useradd --create-home --shell /bin/bash ${USER} +RUN usermod -append --groups sudo ${USER} +RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers +WORKDIR ${WORK_DIR} +RUN chown --recursive ${USER} ${WORK_DIR} +USER ${USER} diff --git a/contrib/build-linux/sdist/build.sh b/contrib/build-linux/sdist/build.sh index 5f64c160e..ed969cbdf 100755 --- a/contrib/build-linux/sdist/build.sh +++ b/contrib/build-linux/sdist/build.sh @@ -22,7 +22,7 @@ if [ ! -z "$ELECBUILD_NOCACHE" ] ; then fi info "building docker image." -sudo docker build \ +docker build \ $DOCKER_BUILD_FLAGS \ -t electrum-sdist-builder-img \ "$CONTRIB_SDIST" @@ -31,7 +31,7 @@ sudo docker build \ if [ ! -z "$ELECBUILD_COMMIT" ] ; then info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout." FRESH_CLONE="$CONTRIB_SDIST/fresh_clone/electrum" && \ - sudo rm -rf "$FRESH_CLONE" && \ + rm -rf "$FRESH_CLONE" && \ umask 0022 && \ git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \ cd "$FRESH_CLONE" 
@@ -42,7 +42,7 @@ else fi info "building binary..." -sudo docker run -it \ +docker run -it \ --name electrum-sdist-builder-cont \ -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/opt/electrum \ --rm \ @@ -53,5 +53,5 @@ sudo docker run -it \ # make sure resulting binary location is independent of fresh_clone if [ ! -z "$ELECBUILD_COMMIT" ] ; then mkdir --parents "$DISTDIR/" - sudo cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" + cp -f "$FRESH_CLONE/dist"/* "$DISTDIR/" fi diff --git a/contrib/build-wine/Dockerfile b/contrib/build-wine/Dockerfile index 9e66ee1fb..be3a9c1e9 100644 --- a/contrib/build-wine/Dockerfile +++ b/contrib/build-wine/Dockerfile @@ -53,3 +53,18 @@ RUN wget -nc https://dl.winehq.org/wine-builds/Release.key && \ rm -rf /var/lib/apt/lists/* && \ apt-get autoremove -y && \ apt-get clean + +# create new user to avoid using root; but with sudo access and no password for convenience. +ENV USER="user" +ENV HOME_DIR="/home/${USER}" +ENV WORK_DIR="${HOME_DIR}/wspace" \ + PATH="${HOME_DIR}/.local/bin:${PATH}" +RUN useradd --create-home --shell /bin/bash ${USER} +RUN usermod -append --groups sudo ${USER} +RUN echo "%sudo ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers +WORKDIR ${WORK_DIR} +RUN chown --recursive ${USER} ${WORK_DIR} +RUN chown ${USER} /opt +USER ${USER} + +RUN mkdir --parents "/opt/wine64/drive_c/electrum" diff --git a/contrib/build-wine/build-electrum-git.sh b/contrib/build-wine/build-electrum-git.sh index 1dbe1511d..3bfcbbd76 100755 --- a/contrib/build-wine/build-electrum-git.sh +++ b/contrib/build-wine/build-electrum-git.sh @@ -31,7 +31,7 @@ for i in ./locale/*; do done popd -find -exec touch -d '2000-11-11T11:11:11+00:00' {} + +find -exec touch -h -d '2000-11-11T11:11:11+00:00' {} + popd 
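Review bot: The switch from `touch -d` to `touch -h -d` is not mentioned in the commit message, and nothing in the hunk says why symlinks now get their own timestamp instead of their target's; presumably it is a consequence of the non-root build (setting an explicit time through a symlink whose target the build user does not own fails), but that is inferred. A one-line comment above the `find`, e.g. `# -h: set the timestamp on symlinks themselves rather than on their targets`, would record it; the same applies to the second hunk in this file and to the make_win.sh hunk. `touch -h` is a GNU coreutils option, which is fine inside the apt-based build container but worth noting for anyone running these steps elsewhere.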
@@ -60,7 +60,7 @@ wine "$WINE_PYHOME/scripts/pyinstaller.exe" --noconfirm --ascii --clean --name $ # set timestamps in dist, in order to make the installer reproducible pushd dist -find -exec touch -d '2000-11-11T11:11:11+00:00' {} + +find -exec touch -h -d '2000-11-11T11:11:11+00:00' {} + popd info "building NSIS installer" diff --git a/contrib/build-wine/build.sh b/contrib/build-wine/build.sh index 48d21f3e4..3f7d3cb6f 100755 --- a/contrib/build-wine/build.sh +++ b/contrib/build-wine/build.sh @@ -21,7 +21,7 @@ if [ ! -z "$ELECBUILD_NOCACHE" ] ; then fi info "building docker image." -sudo docker build \ +docker build \ $DOCKER_BUILD_FLAGS \ -t electrum-wine-builder-img \ "$CONTRIB_WINE" @@ -30,7 +30,7 @@ sudo docker build \ if [ ! -z "$ELECBUILD_COMMIT" ] ; then info "ELECBUILD_COMMIT=$ELECBUILD_COMMIT. doing fresh clone and git checkout." FRESH_CLONE="$CONTRIB_WINE/fresh_clone/electrum" && \ - sudo rm -rf "$FRESH_CLONE" && \ + rm -rf "$FRESH_CLONE" && \ umask 0022 && \ git clone "$PROJECT_ROOT" "$FRESH_CLONE" && \ cd "$FRESH_CLONE" @@ -41,7 +41,7 @@ else fi info "building binary..." -sudo docker run -it \ +docker run -it \ --name electrum-wine-builder-cont \ -v "$PROJECT_ROOT_OR_FRESHCLONE_ROOT":/opt/wine64/drive_c/electrum \ --rm \ @@ -52,5 +52,5 @@ sudo docker run -it \ # make sure resulting binary location is independent of fresh_clone if [ ! -z "$ELECBUILD_COMMIT" ] ; then mkdir --parents "$PROJECT_ROOT/contrib/build-wine/dist/" - sudo cp -f "$FRESH_CLONE/contrib/build-wine/dist"/*.exe "$PROJECT_ROOT/contrib/build-wine/dist/" + cp -f "$FRESH_CLONE/contrib/build-wine/dist"/*.exe "$PROJECT_ROOT/contrib/build-wine/dist/" fi diff --git a/contrib/build-wine/make_win.sh b/contrib/build-wine/make_win.sh index c3448da84..18be42a7d 100755 --- a/contrib/build-wine/make_win.sh +++ b/contrib/build-wine/make_win.sh 
@@ -64,7 +64,7 @@ fi info "Resetting modification time in C:\Python..." # (Because of some bugs in pyinstaller) pushd /opt/wine64/drive_c/python* -find -exec touch -d '2000-11-11T11:11:11+00:00' {} + +find -exec touch -h -d '2000-11-11T11:11:11+00:00' {} + popd ls -l /opt/wine64/drive_c/python* diff --git a/contrib/make_libusb.sh b/contrib/make_libusb.sh index 20e3f27c3..6f4bcf4e7 100755 --- a/contrib/make_libusb.sh +++ b/contrib/make_libusb.sh @@ -48,7 +48,7 @@ info "Building $pkgname..." || fail "Could not configure $pkgname. Please make sure you have a C compiler installed and try again." fi make -j4 || fail "Could not build $pkgname" - make install || fail "Could not install $pkgname" + make install || warn "Could not install $pkgname" . "$here/$pkgname/libusb/.libs/libusb-1.0.la" host_strip "$here/$pkgname/libusb/.libs/$dlname" TARGET_NAME="$dlname" From b726fe85e1b9ea3254d9c974fd575ee0c79b529d Mon Sep 17 00:00:00 2001 From: SomberNight Date: Thu, 3 Mar 2022 18:55:35 +0100 Subject: [PATCH 2/2] contrib: add docker_notes.md --- contrib/android/Readme.md | 7 +------ contrib/build-linux/appimage/README.md | 7 +------ contrib/build-linux/sdist/README.md | 7 +------ contrib/build-wine/README.md | 7 +------ contrib/docker_notes.md | 21 +++++++++++++++++++++ 5 files changed, 25 insertions(+), 24 deletions(-) create mode 100644 contrib/docker_notes.md diff --git a/contrib/android/Readme.md b/contrib/android/Readme.md index 9ecaebd26..a5a0b4d35 100644 --- a/contrib/android/Readme.md +++ b/contrib/android/Readme.md @@ -13,12 +13,7 @@ similar system. 1. Install Docker - ``` - $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - - $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" - $ sudo apt-get update - $ sudo apt-get install -y docker-ce - ``` + See `contrib/docker_notes.md`. 2. Build binaries 
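Review bot: `make install || warn "Could not install $pkgname"` turns a hard failure into a warning, and the hunk does not say why that is now acceptable; the next line sources `$here/$pkgname/libusb/.libs/libusb-1.0.la` from the build tree, so the install step looks unnecessary for the rest of the script and presumably fails when run as the non-root container user, but that is inferred. A comment such as `# install into the prefix may fail when not running as root; it is not needed, the in-tree build in .libs/ is used below` would record the intent, and if the install really is unused it could be dropped rather than tolerated. It is also worth confirming that a `warn` helper exists alongside `fail` in the sourced helpers, since only `fail` and `info` appear in this hunk.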
diff --git a/contrib/build-linux/appimage/README.md b/contrib/build-linux/appimage/README.md index 838777b87..7680aafc6 100644 --- a/contrib/build-linux/appimage/README.md +++ b/contrib/build-linux/appimage/README.md @@ -14,12 +14,7 @@ see [issue #5159](https://github.com/spesmilo/electrum/issues/5159). 1. Install Docker - ``` - $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - - $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" - $ sudo apt-get update - $ sudo apt-get install -y docker-ce - ``` + See `contrib/docker_notes.md`. 2. Build binary diff --git a/contrib/build-linux/sdist/README.md b/contrib/build-linux/sdist/README.md index 2ff3ed011..96f8bb82b 100644 --- a/contrib/build-linux/sdist/README.md +++ b/contrib/build-linux/sdist/README.md @@ -9,12 +9,7 @@ similar system. 1. Install Docker - ``` - $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - - $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" - $ sudo apt-get update - $ sudo apt-get install -y docker-ce - ``` + See `contrib/docker_notes.md`. 2. Build source tarball diff --git a/contrib/build-wine/README.md b/contrib/build-wine/README.md index 61fdf205d..617dd9b12 100644 --- a/contrib/build-wine/README.md +++ b/contrib/build-wine/README.md @@ -9,12 +9,7 @@ similar system. 1. Install Docker - ``` - $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - - $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" - $ sudo apt-get update - $ sudo apt-get install -y docker-ce - ``` + See `contrib/docker_notes.md`. Note: older versions of Docker might not work well (see [#6971](https://github.com/spesmilo/electrum/issues/6971)). diff --git a/contrib/docker_notes.md b/contrib/docker_notes.md new file mode 100644 index 000000000..e1ab3b8a7 --- /dev/null 
+++ b/contrib/docker_notes.md @@ -0,0 +1,21 @@ +# Notes about using Docker in the build scripts + +- To install Docker: + + This assumes an Ubuntu (x86_64) host, but it should not be too hard to adapt to another similar system. + + ``` + $ curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo apt-key add - + $ sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" + $ sudo apt-get update + $ sudo apt-get install -y docker-ce + ``` + +- To communicate with the docker daemon, the build scripts either need to be called via sudo, + or the unix user on the host system (e.g. the user you run as) needs to be + part of the `docker` group. i.e.: + ``` + $ sudo usermod -aG docker ${USER} + ``` + (and then reboot or similar for it to take effect) +