[v2,03/12] ci: allow skipping sudo on dockerized jobs

Message ID	16603d40fdf96948580c04a7c2b791a97ec64fe7.1712555682.git.ps@pks.im (mailing list archive)
State	Superseded
Headers	show Received: from fhigh3-smtp.messagingengine.com (fhigh3-smtp.messagingengine.com [103.168.172.154]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7B3E12561D for <git@vger.kernel.org>; Mon, 8 Apr 2024 06:46:26 +0000 (UTC) Feedback-ID: i197146af:Fastmail Date: Mon, 8 Apr 2024 08:46:22 +0200 From: Patrick Steinhardt <ps@pks.im> To: git@vger.kernel.org Cc: Han-Wen Nienhuys <hanwenn@gmail.com>, Josh Steadmon <steadmon@google.com>, Luca Milanesio <luca.milanesio@gmail.com>, Eric Sunshine <sunshine@sunshineco.com> Subject: [PATCH v2 03/12] ci: allow skipping sudo on dockerized jobs Message-ID: <16603d40fdf96948580c04a7c2b791a97ec64fe7.1712555682.git.ps@pks.im> References: <cover.1712235356.git.ps@pks.im> <cover.1712555682.git.ps@pks.im> Precedence: bulk MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="3vnunv4WQM5oem+q" Content-Disposition: inline In-Reply-To: <cover.1712555682.git.ps@pks.im>
Series	t: exercise Git/JGit reftable compatibility \| expand [v2,00/12] t: exercise Git/JGit reftable compatibility [v2,02/12] ci: expose distro name in dockerized GitHub jobs [v2,03/12] ci: allow skipping sudo on dockerized jobs [v2,04/12] ci: drop duplicate package installation for "linux-gcc-default" [v2,05/12] ci: convert "install-dependencies.sh" to use "/bin/sh" [v2,06/12] ci: merge custom PATH directories [v2,07/12] ci: merge scripts which install dependencies [v2,08/12] ci: make Perforce binaries executable for all users [v2,09/12] ci: install JGit dependency [v2,10/12] t06xx: always execute backend-specific tests [v2,11/12] t0610: fix non-portable variable assignment [v2,12/12] t0612: add tests to exercise Git/JGit reftable compatibility [v2,01/12] ci: rename "runs_on_pool" to "distro"

Message ID

16603d40fdf96948580c04a7c2b791a97ec64fe7.1712555682.git.ps@pks.im (mailing list archive)

State

Superseded

Headers

Feedback-ID: i197146af:Fastmail
Date: Mon, 8 Apr 2024 08:46:22 +0200
From: Patrick Steinhardt <ps@pks.im>
To: git@vger.kernel.org
Cc: Han-Wen Nienhuys <hanwenn@gmail.com>,
	Josh Steadmon <steadmon@google.com>,
	Luca Milanesio <luca.milanesio@gmail.com>,
	Eric Sunshine <sunshine@sunshineco.com>
Subject: [PATCH v2 03/12] ci: allow skipping sudo on dockerized jobs
Message-ID: 
 <16603d40fdf96948580c04a7c2b791a97ec64fe7.1712555682.git.ps@pks.im>
References: <cover.1712235356.git.ps@pks.im>
 <cover.1712555682.git.ps@pks.im>
Precedence: bulk
MIME-Version: 1.0
Content-Type: multipart/signed; micalg=pgp-sha512;
	protocol="application/pgp-signature"; boundary="3vnunv4WQM5oem+q"
Content-Disposition: inline
In-Reply-To: <cover.1712555682.git.ps@pks.im>

Series

t: exercise Git/JGit reftable compatibility | expand

Commit Message

Patrick Steinhardt April 8, 2024, 6:46 a.m. UTC

Our "install-dependencies.sh" script is executed by non-dockerized jobs
to install dependencies. These jobs don't run with "root" permissions,
but with a separate user. Consequently, we need to use sudo(8) there to
elevate permissions when installing packages.

We're about to merge "install-docker-dependencies.sh" into that script
though, and our Docker containers do run as "root". Using sudo(8) is
thus unnecessary there, even though it would be harmless. On some images
like Alpine Linux though there is no sudo(8) available by default, which
would consequently break the build.

Adapt the script to make "sudo" a no-op when running as "root" user.
This allows us to easily reuse the script for our dockerized jobs.

Signed-off-by: Patrick Steinhardt <ps@pks.im>
---
 ci/install-dependencies.sh | 11 +++++++++++
 1 file changed, 11 insertions(+)

Comments

Toon claes April 10, 2024, 4:53 p.m. UTC | #1

> [PATCH v2 03/12] ci: allow skipping sudo on dockerized jobs

I think this title is somewhat misleading. While it's true, I don't
think it's limited to dockerized jobs. Something more along the lines of
"allow running install-dependencies.sh as root" would make more sense to
me.

That's the only tiny remark I have on this patch series.

Junio C Hamano April 10, 2024, 5:21 p.m. UTC | #2

Toon claes <toon@iotcl.com> writes:

>> [PATCH v2 03/12] ci: allow skipping sudo on dockerized jobs
>
> I think this title is somewhat misleading. While it's true, I don't
> think it's limited to dockerized jobs. Something more along the lines of
> "allow running install-dependencies.sh as root" would make more sense to
> me.

It is true that dockerized is not the essential part of this change;
and it is that we skip sudo when we are already root.  So I agree
with you that the original title is misleading.

"allow running as root" is somehow a bit unsatisfactory, though.  It
sounds as if _we_ were not allowing it before---what was preventing
us from doing so was a system without sudo.

Stepping back a bit, I wonder if install-dependencies.sh will stay
to be the only one among ci/ scripts that need to run things as
root.  If we moved the new logic in this patch to ci/lib.sh that is
included by everybody, then the title of the patch can become a
short and sweet

    ci: skip sudo when we are already root

> That's the only tiny remark I have on this patch series.

Thanks.

Patrick Steinhardt April 11, 2024, 8:55 a.m. UTC | #3

On Wed, Apr 10, 2024 at 10:21:48AM -0700, Junio C Hamano wrote:
> Toon claes <toon@iotcl.com> writes:
> 
> >> [PATCH v2 03/12] ci: allow skipping sudo on dockerized jobs
> >
> > I think this title is somewhat misleading. While it's true, I don't
> > think it's limited to dockerized jobs. Something more along the lines of
> > "allow running install-dependencies.sh as root" would make more sense to
> > me.
> 
> It is true that dockerized is not the essential part of this change;
> and it is that we skip sudo when we are already root.  So I agree
> with you that the original title is misleading.
> 
> "allow running as root" is somehow a bit unsatisfactory, though.  It
> sounds as if _we_ were not allowing it before---what was preventing
> us from doing so was a system without sudo.
> 
> Stepping back a bit, I wonder if install-dependencies.sh will stay
> to be the only one among ci/ scripts that need to run things as
> root.  If we moved the new logic in this patch to ci/lib.sh that is
> included by everybody, then the title of the patch can become a
> short and sweet
> 
>     ci: skip sudo when we are already root

Agreed, this title reads much better than what I had.

> > That's the only tiny remark I have on this patch series.
> 
> Thanks.

Thanks to both of you!

Patrick

diff --git a/ci/install-dependencies.sh b/ci/install-dependencies.sh
index 7d247b5ef4..7dfd3e50ed 100755
--- a/ci/install-dependencies.sh
+++ b/ci/install-dependencies.sh
@@ -11,6 +11,17 @@  UBUNTU_COMMON_PKGS="make libssl-dev libcurl4-openssl-dev libexpat-dev
  tcl tk gettext zlib1g-dev perl-modules liberror-perl libauthen-sasl-perl
  libemail-valid-perl libio-socket-ssl-perl libnet-smtp-ssl-perl"
 
+# Make sudo a no-op and execute the command directly when running as root.
+# While using sudo would be fine on most platforms when we are root already,
+# some platforms like e.g. Alpine Linux do not have sudo available by default
+# and would thus break.
+if test "$(id -u)" -eq 0
+then
+	sudo () {
+		"$@"
+	}
+fi
+
 case "$distro" in
 ubuntu-*)
 	sudo apt-get -q update

[v2,03/12] ci: allow skipping sudo on dockerized jobs

Commit Message

Comments

Patch