Merge bitcoin/bitcoin#25900: ci: run docker wrapper with a non-root user

849f20a ci: create and use non-root user for docker image (josibake)

Pull request description:

  Previously, everything in the ci docker image ran as the root user. This would lead to certain directories (`ci/scratch`, `depends`) being owned by `root` after running the ci locally which would lead to annoying behavior such as subsequent guix builds failing due to `depends/` being owned by root.

  This PR adds a non-root user in the container and chowns the mounted working directory. All the `docker exec` commands now run as the non-root user, except for the few that still need to run as root (mainly, installing packages).

  To test this I checked out a fresh copy of the repo, applied my changes, ran the CI, and verified all the local file permissions were unchanged after the CI was finished running.

ACKs for top commit:
  hebasto:
    ACK 849f20a, tested on Ubuntu 22.04 by running commands as follows:

Tree-SHA512: 734dca0f36157fce5fab243b4ff657fc17ba980e8e4e4644305f41002ff21bd5cef02c306ea1e0b5c841d4c07c095e8e4be16722e6a38c890717c60a3f5ec62a

Author: MarcoFalke

ci/test/04_install.sh

@@ -27,6 +27,11 @@ export P_CI_DIR="$PWD"
 
 if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
   echo "Creating $DOCKER_NAME_TAG container to run in"
+  LOCAL_UID=$(id -u)
+  LOCAL_GID=$(id -g)
+
+  # the name isn't important, so long as we use the same UID
+  LOCAL_USER=nonroot
   ${CI_RETRY_EXE} docker pull "$DOCKER_NAME_TAG"
 
   if [ -n "${RESTART_CI_DOCKER_BEFORE_RUN}" ] ; then
@@ -44,34 +49,47 @@ if [ -z "$DANGER_RUN_CI_ON_HOST" ]; then
                   --env-file /tmp/env \
                   --name $CONTAINER_NAME \
                   $DOCKER_NAME_TAG)
-  export DOCKER_CI_CMD_PREFIX="docker exec $DOCKER_ID"
+
+  # Create a non-root user inside the container which matches the local user.
+  #
+  # This prevents the root user in the container modifying the local file system permissions
+  # on the mounted directories
+  docker exec "$DOCKER_ID" useradd -u "$LOCAL_UID" -o -m "$LOCAL_USER"
+  docker exec "$DOCKER_ID" groupmod -o -g "$LOCAL_GID" "$LOCAL_USER"
+  docker exec "$DOCKER_ID" chown -R "$LOCAL_USER":"$LOCAL_USER" "${BASE_ROOT_DIR}"
+  export DOCKER_CI_CMD_PREFIX_ROOT="docker exec -u 0 $DOCKER_ID"
+  export DOCKER_CI_CMD_PREFIX="docker exec -u $LOCAL_UID $DOCKER_ID"
 else
   echo "Running on host system without docker wrapper"
 fi
 
 CI_EXEC () {
   $DOCKER_CI_CMD_PREFIX bash -c "export PATH=$BASE_SCRATCH_DIR/bins/:\$PATH && cd \"$P_CI_DIR\" && $*"
 }
+CI_EXEC_ROOT () {
+  $DOCKER_CI_CMD_PREFIX_ROOT bash -c "export PATH=$BASE_SCRATCH_DIR/bins/:\$PATH && cd \"$P_CI_DIR\" && $*"
+}
 export -f CI_EXEC
+export -f CI_EXEC_ROOT
 
 if [ -n "$DPKG_ADD_ARCH" ]; then
-  CI_EXEC dpkg --add-architecture "$DPKG_ADD_ARCH"
+  CI_EXEC_ROOT dpkg --add-architecture "$DPKG_ADD_ARCH"
 fi
 
 if [[ $DOCKER_NAME_TAG == *centos* ]]; then
-  ${CI_RETRY_EXE} CI_EXEC dnf -y install epel-release
-  ${CI_RETRY_EXE} CI_EXEC dnf -y --allowerasing install "$DOCKER_PACKAGES" "$PACKAGES"
+  ${CI_RETRY_EXE} CI_EXEC_ROOT dnf -y install epel-release
+  ${CI_RETRY_EXE} CI_EXEC_ROOT dnf -y --allowerasing install "$DOCKER_PACKAGES" "$PACKAGES"
 elif [ "$CI_USE_APT_INSTALL" != "no" ]; then
   if [[ "${ADD_UNTRUSTED_BPFCC_PPA}" == "true" ]]; then
     # Ubuntu 22.04 LTS and Debian 11 both have an outdated bpfcc-tools packages.
     # The iovisor PPA is outdated as well. The next Ubuntu and Debian releases will contain updated
     # packages. Meanwhile, use an untrusted PPA to install an up-to-date version of the bpfcc-tools
     # package.
     # TODO: drop this once we can use newer images in GCE
-    CI_EXEC add-apt-repository ppa:hadret/bpfcc
+    CI_EXEC_ROOT add-apt-repository ppa:hadret/bpfcc
   fi
-  ${CI_RETRY_EXE} CI_EXEC apt-get update
-  ${CI_RETRY_EXE} CI_EXEC apt-get install --no-install-recommends --no-upgrade -y "$PACKAGES" "$DOCKER_PACKAGES"
+  ${CI_RETRY_EXE} CI_EXEC_ROOT apt-get update
+  ${CI_RETRY_EXE} CI_EXEC_ROOT apt-get install --no-install-recommends --no-upgrade -y "$PACKAGES" "$DOCKER_PACKAGES"
 fi
 
 if [ -n "$PIP_PACKAGES" ]; then
@@ -126,7 +144,7 @@ if [[ "${RUN_TIDY}" == "true" ]]; then
     CI_EXEC "mkdir -p ${DIR_IWYU}/build/"
     CI_EXEC "git clone --depth=1 https://github.com/include-what-you-use/include-what-you-use -b clang_14 ${DIR_IWYU}/include-what-you-use"
     CI_EXEC "cd ${DIR_IWYU}/build && cmake -G 'Unix Makefiles' -DCMAKE_PREFIX_PATH=/usr/lib/llvm-14 ../include-what-you-use"
-    CI_EXEC "cd ${DIR_IWYU}/build && make install $MAKEJOBS"
+    CI_EXEC_ROOT "cd ${DIR_IWYU}/build && make install $MAKEJOBS"
   fi
 fi
 

ci/test/05_before_script.sh

@@ -11,6 +11,7 @@ if [ "$CI_OS_NAME" == "macos" ]; then
   echo > "${HOME}/Library/Application Support/Bitcoin"
 else
   CI_EXEC echo \> \$HOME/.bitcoin
+  CI_EXEC_ROOT echo \> \$HOME/.bitcoin
 fi
 
 CI_EXEC mkdir -p "${DEPENDS_DIR}/SDKs" "${DEPENDS_DIR}/sdk-sources"