Bug 1426445: Add sanity check that worker uid/gid is 1000 in run-task; r=dustin,gps
☠☠ backed out by a77c974e4c75 ☠ ☠
authorTom Prince <mozilla@hocat.ca>
Tue, 02 Jan 2018 14:22:36 -0700
changeset 449811 15a9e149f2dbd7be811eded6626600f6245a400b
parent 449810 6168b93583526bd6656b649eb5572b5a6869845d
child 449812 a77c974e4c757632469799a217660c723c75a7c3
reviewersdustin, gps
bugs1426445
milestone59.0a1
Bug 1426445: Add sanity check that worker uid/gid is 1000 in run-task; r=dustin,gps MozReview-Commit-ID: 7T7rQpLhJIN
taskcluster/docker/android-build/Dockerfile
taskcluster/docker/centos6-build/Dockerfile
taskcluster/docker/decision/Dockerfile
taskcluster/docker/desktop1604-test/Dockerfile
taskcluster/docker/funsize-balrog-submitter/Dockerfile
taskcluster/docker/funsize-update-generator/Dockerfile
taskcluster/docker/image_builder/Dockerfile
taskcluster/docker/lint/Dockerfile
taskcluster/docker/recipes/run-task
--- a/taskcluster/docker/android-build/Dockerfile
+++ b/taskcluster/docker/android-build/Dockerfile
@@ -1,15 +1,15 @@
 FROM debian:stretch-20170620
 MAINTAINER Nick Alexander <nalexander@mozilla.com>
 
 ### Add worker user and setup its workspace.
 RUN mkdir -p /builds && \
-    groupadd -g 500 worker && \
-    useradd -u 500 -g 500 -d /builds/worker -s /bin/bash -m worker && \
+    groupadd -g 1000 worker && \
+    useradd -u 1000 -g 1000 -d /builds/worker -s /bin/bash -m worker && \
     chown -R worker:worker /builds && \
     mkdir -p /builds/worker/workspace && \
     chown -R worker:worker /builds/worker/workspace
 
 # Declare default working folder
 WORKDIR /builds/worker
 
 VOLUME /builds/worker/checkouts
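Review bot: The new `groupadd -g 1000` / `useradd -u 1000 -g 1000` lines hard-code a magic number with nothing saying why it must be 1000, and the constraint is enforced elsewhere (run-task in this same change refuses to run as `worker` with any other uid/gid). A one-line comment above the `groupadd` would keep the next editor from bumping it, e.g. `# uid/gid must be 1000: run-task rejects a `worker` user or group with any other id.` This is the only Dockerfile in the patch that creates the group before `useradd -g`, which is the correct ordering since useradd requires the group to already exist.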
--- a/taskcluster/docker/centos6-build/Dockerfile
+++ b/taskcluster/docker/centos6-build/Dockerfile
@@ -1,15 +1,15 @@
 FROM          centos:6
 MAINTAINER    Dustin J. Mitchell <dustin@mozilla.com>
 
 RUN mkdir /builds
 
 ### add worker user and setup its workspace
-RUN useradd -d /builds/worker -s /bin/bash -m worker
+RUN useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000
 # Declare default working folder
 WORKDIR       /builds/worker
 
 # This will create a host mounted filesystem when the cache is stripped
 # on Try. This cancels out some of the performance losses of aufs. See
 # bug 1291940.
 VOLUME /builds/worker/workspace
 VOLUME /builds/worker/tooltool-cache
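Review bot: The changed `useradd ... -u 1000 -g 1000` line passes `-g` with a numeric gid but nothing creates that group first; useradd requires the group named by `-g` to already exist, so unless the centos:6 base happens to ship a gid 1000 (it does not by default) this build fails with `useradd: group '1000' does not exist`. Create the group in the same step, as the android-build Dockerfile in this patch does: `RUN groupadd -g 1000 worker && useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000`. It is also worth a short comment that 1000 is mandated by run-task's new check rather than arbitrary.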
--- a/taskcluster/docker/decision/Dockerfile
+++ b/taskcluster/docker/decision/Dockerfile
@@ -1,14 +1,14 @@
 FROM          ubuntu:16.04
 MAINTAINER    Greg Arndt <garndt@mozilla.com>
 
 # Add worker user
 RUN mkdir /builds
-RUN useradd -d /builds/worker -s /bin/bash -m worker
+RUN useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000
 RUN mkdir /builds/worker/artifacts && chown worker:worker /builds/worker/artifacts
 
 # %include python/mozbuild/mozbuild/action/tooltool.py
 ADD topsrcdir/python/mozbuild/mozbuild/action/tooltool.py /tmp/tooltool.py
 
 # %include testing/mozharness/external_tools/robustcheckout.py
 ADD topsrcdir/testing/mozharness/external_tools/robustcheckout.py /usr/local/mercurial/robustcheckout.py
 
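Review bot: `useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000` on the ubuntu:16.04 base will fail, because `-g 1000` names a group that must already exist and nothing in this image creates it. The fix is to add the group first in the same instruction: `RUN groupadd -g 1000 worker && useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000`, matching the ordering used in the android-build Dockerfile of this same change. The following `chown worker:worker /builds/worker/artifacts` line will then resolve the group name as intended.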
--- a/taskcluster/docker/desktop1604-test/Dockerfile
+++ b/taskcluster/docker/desktop1604-test/Dockerfile
@@ -1,13 +1,13 @@
 FROM          ubuntu:16.04
 MAINTAINER    Joel Maher <joel.maher@gmail.com>
 
 RUN mkdir /builds
-RUN useradd -d /builds/worker -s /bin/bash -m worker
+RUN useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000
 WORKDIR /builds/worker
 
 # We need to declare all potentially cache volumes as caches. Also,
 # making high I/O paths volumes increase I/O throughput because of
 # AUFS slowness.
 VOLUME /builds/worker/.cache
 VOLUME /builds/worker/checkouts
 VOLUME /builds/worker/tooltool-cache
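Review bot: The new `-g 1000` on the `useradd` line refers to a group that is never created; useradd rejects a non-existent gid for `-g`, so the image build stops at this step unless the base already has gid 1000 (ubuntu:16.04 does not). Prepend the group creation: `RUN groupadd -g 1000 worker && useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000`. A comment noting that run-task enforces uid/gid 1000 for `worker` would explain the literal to future readers.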
--- a/taskcluster/docker/funsize-balrog-submitter/Dockerfile
+++ b/taskcluster/docker/funsize-balrog-submitter/Dockerfile
@@ -14,17 +14,17 @@ RUN apt-get update -q && \
 COPY requirements.txt /tmp/
 # python-pip installs a lot of dependencies increasing the size of an image
 # drastically.
 RUN easy_install pip
 RUN pip install -r /tmp/requirements.txt
 
 RUN hg clone https://hg.mozilla.org/build/tools /home/worker/tools
 
-RUN useradd -d /home/worker -s /bin/bash -m worker
+RUN useradd -d /home/worker -s /bin/bash -m worker -u 1000 -g 1000
 
 RUN mkdir /home/worker/bin
 COPY scripts/* /home/worker/bin/
 RUN mkdir /home/worker/keys
 COPY *.pubkey /home/worker/keys/
 COPY runme.sh /runme.sh
 COPY submit_complete.sh /submit_complete.sh
 RUN chmod 755 /home/worker/bin/* /runme.sh /submit_complete.sh
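Review bot: The changed `useradd -d /home/worker -s /bin/bash -m worker -u 1000 -g 1000` line will fail on this image because `-g` requires an existing group and no `groupadd` precedes it; the android-build Dockerfile in the same patch shows the working form. Change the line to `RUN groupadd -g 1000 worker && useradd -d /home/worker -s /bin/bash -m worker -u 1000 -g 1000`. Separately, `/home/worker/tools` is populated by the `hg clone` above before the user exists, so it is presumably root-owned at run time; that predates this change but is worth confirming while the ownership lines are being touched.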
--- a/taskcluster/docker/funsize-update-generator/Dockerfile
+++ b/taskcluster/docker/funsize-update-generator/Dockerfile
@@ -6,17 +6,17 @@ ENV DEBIAN_FRONTEND noninteractive
 # Chain apt-get commands with apt-get clean in a single docker RUN
 # to make sure that files are removed within a single docker layer
 RUN apt-get update -q && \
     apt-get install -yyq --no-install-recommends \
     python3.5 python3-setuptools python3-cryptography libgetopt-simple-perl \
     bzip2 clamav clamav-freshclam python3-requests python3-sh curl \
     python3-dev gcc liblzma-dev xz-utils jq && \
     apt-get clean
-RUN useradd -d /home/worker -s /bin/bash -m worker
+RUN useradd -d /home/worker -s /bin/bash -m worker -u 1000 -g 1000
 COPY requirements.txt /tmp/
 
 # Freshclam may be flaky, retry if it fails
 RUN for i in 1 2 3 4 5; do freshclam --verbose && break || sleep 15; done
 
 # python-pip installs a lot of dependencies increasing the size of an image
 # drastically. Using easy_install saves us almost 200M.
 RUN easy_install3 pip
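Review bot: `useradd ... -u 1000 -g 1000` here has no matching `groupadd`, so useradd will report that group 1000 does not exist and the build fails (the debian/ubuntu bases used by these images do not predefine gid 1000). Use `RUN groupadd -g 1000 worker && useradd -d /home/worker -s /bin/bash -m worker -u 1000 -g 1000`, as the android-build Dockerfile in this change already does. Consider a one-line comment that the ids are fixed at 1000 because run-task now checks for it.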
--- a/taskcluster/docker/image_builder/Dockerfile
+++ b/taskcluster/docker/image_builder/Dockerfile
@@ -30,13 +30,13 @@ VOLUME /builds/worker/workspace
 ENV           HOME          /builds/worker
 ENV           SHELL         /bin/bash
 ENV           USER          worker
 ENV           LOGNAME       worker
 ENV           HOSTNAME      taskcluster-worker
 ENV           LC_ALL        C
 
 # Create worker user
-RUN useradd -d /builds/worker -s /bin/bash -m worker
+RUN useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000
 
 # Set some sane defaults
 WORKDIR /builds/worker/
 CMD     build-image.sh
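Review bot: The new `useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000` under `# Create worker user` omits creating the group that `-g 1000` requires, which makes useradd exit with "group '1000' does not exist" unless the base image already defines it. The line should read `RUN groupadd -g 1000 worker && useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000`. Since `ENV USER worker` is set above, it would help to extend the comment to `# Create worker user (uid/gid must be 1000: run-task checks this)`.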
--- a/taskcluster/docker/lint/Dockerfile
+++ b/taskcluster/docker/lint/Dockerfile
@@ -1,13 +1,13 @@
 FROM          ubuntu:16.04
 MAINTAINER    Andrew Halberstadt <ahalberstadt@mozilla.com>
 
 RUN mkdir /builds
-RUN useradd -d /builds/worker -s /bin/bash -m worker
+RUN useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000
 WORKDIR /builds/worker
 
 VOLUME /builds/worker/.cache
 VOLUME /builds/worker/checkouts
 
 RUN mkdir /build
 # %include python/mozbuild/mozbuild/action/tooltool.py
 ADD topsrcdir/python/mozbuild/mozbuild/action/tooltool.py /build/tooltool.py
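Review bot: The `useradd ... -u 1000 -g 1000` change on the ubuntu:16.04 lint image lacks the `groupadd` that `-g` needs, so this step fails at build time rather than producing a worker with gid 1000. Replace it with `RUN groupadd -g 1000 worker && useradd -d /builds/worker -s /bin/bash -m worker -u 1000 -g 1000`, the same pattern the android-build Dockerfile in this patch uses. A brief comment tying the literal 1000 to the run-task sanity check would make the dependency explicit.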
--- a/taskcluster/docker/recipes/run-task
+++ b/taskcluster/docker/recipes/run-task
@@ -277,16 +277,23 @@ def main(args):
             return 1
         try:
             group = grp.getgrnam(args.group)
         except KeyError:
             print('could not find group %s; specify --group to a known group' %
                   args.group)
             return 1
 
+        if user.pw_name == 'worker' and user.pw_uid != 1000:
+            print('user `worker` must have uid=1000.')
+            return 1
+        if group.gr_name == 'worker' and group.gr_gid != 1000:
+            print('group `worker` must have gid=1000.')
+            return 1
+
         # Find all groups to which this user is a member.
         gids = [g.gr_gid for g in grp.getgrall() if args.group in g.gr_mem]
 
         uid = user.pw_uid
         gid = group.gr_gid
     else:
         uid = gid = gids = None