diskimage-builder/elements/rhel/root.d/10-rhel-cloud-image
Ian Wienand 672705831f Add a best-effort sudo safety check
As motivation for this; we have had two breakouts of dib in recent
memory.  One was a failure to unmount through symlinks in the core
code (I335316019ef948758392b03e91f9869102a472b9) and the other was
removing host keys on the build-system
(Ib01d71ff9415a0ae04d963f6e380aab9ac2260ce).

For the most part, dib runs unprivileged.  Bits of the core code are
hopefully well tested (modulo bugs like the first one!).  We give free
reign inside the chroot (although there is still some potential there
for adverse external affects via bind mounts).  Where we could be a
bit safer (and could have prevented at least the second of these
breakouts) is with some better checking that the "sudo" calls
*outside* the chroot at least looked sane.

This adds a basic check that we're using chroot or image paths when
calling sudo in those parts of elements that run *outside* the chroot.
Various files are updated to accomodate this check; mostly by just
ignoring it for existing code (I have not audited these calls).

Nobody is pretending this type of checking makes dib magically safe,
or removes the issues with it needing to do things as root during the
build.  But this can help find egregious errors like the key removal.

Change-Id: I161a5aea1d29dcdc7236f70d372c53246ec73749
2016-05-09 15:41:38 +10:00

66 lines
2.5 KiB
Bash
Executable File

#!/bin/bash
# dib-lint: disable=safe_sudo
if [ ${DIB_DEBUG_TRACE:-0} -gt 0 ]; then
set -x
fi
set -eu
set -o pipefail
[ -n "$ARCH" ]
[ -n "$TARGET_ROOT" ]
if [ 'amd64' = "$ARCH" ] ; then
ARCH="x86_64"
fi
DIB_RELEASE=${DIB_RELEASE:-"6.5-20140603.0"}
DIB_CLOUD_IMAGES=${DIB_CLOUD_IMAGES:-http://rhn.redhat.com}
BASE_IMAGE_FILE=${BASE_IMAGE_FILE:-rhel-guest-image-$DIB_RELEASE.x86_64.qcow2}
BASE_IMAGE_TAR=$DIB_RELEASE-rhel-server-$ARCH-latest.tgz
CACHED_TAR=$DIB_IMAGE_CACHE/$BASE_IMAGE_TAR
if [ -n "$DIB_OFFLINE" -a -f "$CACHED_TAR" ] ; then
echo "Not checking freshness of cached $CACHED_TAR."
else
echo "Fetching Base Image"
$TMP_HOOKS_PATH/bin/cache-url $DIB_CLOUD_IMAGES/$BASE_IMAGE_FILE $DIB_IMAGE_CACHE/$BASE_IMAGE_FILE
if [ ! -f $CACHED_TAR -o \
$DIB_IMAGE_CACHE/$BASE_IMAGE_FILE -nt $CACHED_TAR ] ; then
echo "Repacking base image as tarball."
WORKING=$(mktemp -d)
EACTION="rm -r $WORKING"
trap "$EACTION" EXIT
RAW_FILE=$(mktemp --tmpdir=$WORKING XXXXXX.raw)
qemu-img convert -f qcow2 -O raw $DIB_IMAGE_CACHE/$BASE_IMAGE_FILE $RAW_FILE
MAGIC_BIT=p1
# NOTE: On RHEL, partprobe of /dev/loop0 does not create /dev/loop0p2,
# while kpartx at least creates /dev/mapper/loop0p2.
LOOPDEV=$(sudo kpartx -av $RAW_FILE | awk "/loop[0-9]+$MAGIC_BIT/ {print \$3}")
# If running inside Docker, make our nodes manually, because udev will not be working.
if [ -f /.dockerenv ]; then
sudo dmsetup --noudevsync mknodes
fi
export LOOPDEV=$LOOPDEV
echo "Loop device is set to: $LOOPDEV"
if ! timeout 5 sh -c "while ! [ -e /dev/mapper/$LOOPDEV ]; do sleep 1; done"; then
echo "Error: Could not find /dev/mapper/$LOOPDEV"
exit 1
fi
EACTION="sudo kpartx -d $RAW_FILE;$EACTION"
trap "$EACTION" EXIT
mkdir $WORKING/mnt
sudo mount /dev/mapper/$LOOPDEV $WORKING/mnt
EACTION="sudo umount -f $WORKING/mnt;$EACTION"
trap "$EACTION" EXIT
# Chroot in so that we get the correct uid/gid
sudo chroot $WORKING/mnt bin/tar -cz . > $WORKING/tmp.tar
mv $WORKING/tmp.tar $DIB_IMAGE_CACHE/$BASE_IMAGE_TAR
fi
fi
# Extract the base image (use --numeric-owner to avoid UID/GID mismatch between
# image tarball and host OS e.g. when building RHEL image on an openSUSE host)
sudo tar -C $TARGET_ROOT --numeric-owner -xzf $DIB_IMAGE_CACHE/$BASE_IMAGE_TAR