Closed lox closed 7 years ago
OT but should https://buildkite.com/buildkite/docker-buildkite-agent/ be publicly visible?
@lox did you mean to commit changes to scripts/build.sh
in this PR?
Also, as a test I ran scripts/build.sh
through http://www.shellcheck.net/ and it flagged several things. Do you want me to report it as a separate issue? (or does it not matter? I'm not sure about your internal coding guidelines)
I found another problem with this docker container. Specifically the buildkite user's .ssh
directory is not executable so the buidkite user can't access it to append to ~/.ssh/known_hosts
, which it does when pulling down a repo from github, eg:
$ ls -al /home/buildkite/
total 12
drwxr-sr-x 3 buildkit buildkit 4096 Jan 15 19:53 .
drwxr-xr-x 4 root root 4096 Jan 15 19:53 ..
drw------- 2 buildkit buildkit 4096 Jan 15 19:53 .ssh
It looks like this is cause by the ssh-env-config.sh script setting the directory explicitly to 0600
: https://github.com/buildkite/docker-ssh-env-config/blob/master/ssh-env-config.sh#L17
This probably never caused any issues before when running everything as root, but it would affect the buildkite
user.
It looks like this is cause by the ssh-env-config.sh script setting the directory explicitly to 0600
I created a pull request to fix this at: https://github.com/buildkite/docker-ssh-env-config/pull/1
Ooops, I didn't mean to commit the build.sh changes, no.
RE: shellcheck, I get those in my IDE, and AFAIK I've deal with any that aren't spurious (like unquoted $@).
Hrm. I wonder how this should work with docker-in-docker, as the buildkite-agent user would need to be in the docker group, which is effectively root. Thoughts @dkubb?
This is ready to go pending review @toolmantim
:+1: Looks good, let's do it. Thanks for figuring out the magic sudo
incantations and handling 1.8, 1.9 and DIND!
@dkubb any feedback on this?
is this still a thing?
It is, yeah, I'm a bit nervous about what effect it will have though. I'll rebase and get it perhaps into some experimental images.
Dropping privileges of the buildkite-agent provides some extra level of protection against third-party code being executed by the agent.