Re: [Sound-open-firmware] [PATCH V2 2/2] scripts: docker: Simplify docker build
On Wed, 2018-06-06 at 12:06 +0800, Pan, Xiuli wrote:
-RUN useradd --create-home -d /home/sof -u $UID -G sudo sof -RUN echo "sof:test0000" | chpasswd -RUN adduser sof sudo +# Set up sof user +RUN useradd --create-home -d /home/sof -u $UID -G sudo sof && \ +echo "sof:test0000" | chpasswd && adduser sof sudo && echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
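Review bot: the appended `%sudo ALL=(ALL) NOPASSWD:ALL` line gives every member of the sudo group, here the `sof` user, unconditional root without a password, and it makes the `echo "sof:test0000" | chpasswd` step in the same RUN instruction pointless, since that password is never asked for any more. The only reason sudo is needed at all (as the thread below says) is that the build script installs rimage system-wide; installing rimage under the user's own prefix (~/bin) removes the need for sudo in the container entirely. If a sudoers change is genuinely required, put it in a drop-in under /etc/sudoers.d and check it with `visudo -c` rather than appending a blanket grant to /etc/sudoers.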
Does this mean rimage is installed on the Docker FS overlay with no password now ?
rimage is installed every time we run scripts/xtensa-build-all.sh, and docker-run recommends using the scripts to build sof. This change just makes sudo need no password in docker. The rimage install needs sudo with a password, so either we change the scripts or make sudo need no password. I just chose to use no password to make docker easier to use.
We can't compromise security. Maybe the easiest thing is to make xtensa-build.sh take a -l flag to install rimage to ~/bin and use this version.
Liam
On 6/7/2018 19:26, Liam Girdwood wrote:
On Wed, 2018-06-06 at 12:06 +0800, Pan, Xiuli wrote:
-RUN useradd --create-home -d /home/sof -u $UID -G sudo sof -RUN echo "sof:test0000" | chpasswd -RUN adduser sof sudo +# Set up sof user +RUN useradd --create-home -d /home/sof -u $UID -G sudo sof && \ +echo "sof:test0000" | chpasswd && adduser sof sudo && echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
Does this mean rimage is installed on the Docker FS overlay with no password now ?
rimage is installed every time we run scripts/xtensa-build-all.sh, and docker-run recommends using the scripts to build sof. This change just makes sudo need no password in docker. The rimage install needs sudo with a password, so either we change the scripts or make sudo need no password. I just chose to use no password to make docker easier to use.
We can't compromise security. Maybe the easiest thing is to make xtensa-build.sh
So even if we are running in a docker we could not make the NOPASSWD to make life easier. It only influences the docker container.
take a -l flag to install rimage to ~/bin and use this version.
Or maybe I will add an ENV in docker like export DOCKERRUN=1. xtensa-build.sh then checks the ENV; if it has the ENV we install rimage into ~/bin, otherwise the script goes the normal way.
Thanks Xiuli
Liam
On Thu, 2018-06-07 at 20:33 +0800, Pan, Xiuli wrote:
We can't compromise security. Maybe the easiest thing is to make xtensa-build.sh
So even if we are running in a docker we could not make the NOPASSWD to make life easier. It only influences the docker container.
Yes, but what happens if we also use the container for security testing/fuzzing of FW/driver/alsa/userspace components ? Need to keep security consistent.
take a -l flag to install rimage to ~/bin and use this version.
Or maybe I will add an ENV in docker like export DOCKERRUN=1. xtensa-build.sh then checks the ENV; if it has the ENV we install rimage into ~/bin, otherwise the script goes the normal way.
Adding -l to xtensa-build.sh will be easy, you can then make sure ~/bin is first in its $PATH and then ./configure rimage --prefix=~/bin
Liam
On 6/7/2018 22:47, Liam Girdwood wrote:
On Thu, 2018-06-07 at 20:33 +0800, Pan, Xiuli wrote:
We can't compromise security. Maybe the easiest thing is to make xtensa-build.sh
So even if we are running in a docker we could not make the NOPASSWD to make life easier. It only influences the docker container.
Yes, but what happens if we also use the container for security testing/fuzzing of FW/driver/alsa/userspace components ? Need to keep security consistent.
I think docker is designed to make sure the host and container are isolated. This change just makes a password not needed for sudo. Actually the password for the docker user is just stored in plain text in the Dockerfile. I do not see any security issue here if we just make sudo work without a password.
take a -l flag to install rimage to ~/bin and use this version.
Or maybe I will add an ENV in docker like export DOCKERRUN=1. xtensa-build.sh then checks the ENV; if it has the ENV we install rimage into ~/bin, otherwise the script goes the normal way.
Adding -l to xtensa-build.sh will be easy, you can then make sure ~/bin is first in its $PATH and then ./configure rimage --prefix=~/bin
Then we should run the scripts with a flag? I think the docker may be more complex than a native build environment. I just hope to keep the docker easier to use.
Thanks Xiuli
Liam
On Fri, 2018-06-08 at 02:18 +0800, Pan, Xiuli wrote:
On 6/7/2018 22:47, Liam Girdwood wrote:
On Thu, 2018-06-07 at 20:33 +0800, Pan, Xiuli wrote:
We can't compromise security. Maybe the easiest thing is to make xtensa-build.sh
So even if we are running in a docker we could not make the NOPASSWD to make life easier. It only influences the docker container.
Yes, but what happens if we also use the container for security testing/fuzzing of FW/driver/alsa/userspace components ? Need to keep security consistent.
I think docker is designed to make sure the host and container are isolated. This change just makes a password not needed for sudo. Actually the password for the docker user is just stored in plain text in the Dockerfile. I do not see any security issue here if we just make sudo work without a password.
The point here is that the container must behave like a typical OS installation and follow the same rules/settings.
take a -l flag to install rimage to ~/bin and use this version.
Or maybe I will add an ENV in docker like export DOCKERRUN=1. xtensa-build.sh then checks the ENV; if it has the ENV we install rimage into ~/bin, otherwise the script goes the normal way.
Adding -l to xtensa-build.sh will be easy, you can then make sure ~/bin is first in its $PATH and then ./configure rimage --prefix=~/bin
Then we should run the scripts with a flag? I think the docker may be more complex than a native build environment. I just hope to keep the docker easier to use.
Yes, we will run the script with a flag inside or outside of Docker. This is an easy change for xtensa-build.sh, because all you are doing is modifying --prefix for rimage and setting $PATH.
Liam
Thanks Xiuli
Liam
Sound-open-firmware mailing list Sound-open-firmware@alsa-project.org http://mailman.alsa-project.org/mailman/listinfo/sound-open-firmware
On 6/8/2018 03:48, Liam Girdwood wrote:
On Fri, 2018-06-08 at 02:18 +0800, Pan, Xiuli wrote:
On 6/7/2018 22:47, Liam Girdwood wrote:
On Thu, 2018-06-07 at 20:33 +0800, Pan, Xiuli wrote:
We can't compromise security. Maybe the easiest thing is to make xtensa-build.sh
So even if we are running in a docker we could not make the NOPASSWD to make life easier. It only influences the docker container.
Yes, but what happens if we also use the container for security testing/fuzzing of FW/driver/alsa/userspace components ? Need to keep security consistent.
I think docker is designed to make sure the host and container are isolated. This change just makes a password not needed for sudo. Actually the password for the docker user is just stored in plain text in the Dockerfile. I do not see any security issue here if we just make sudo work without a password.
The point here is that the container must behave like a typical OS installation and follow the same rules/settings.
OK I will remove this setting.
take a -l flag to install rimage to ~/bin and use this version.
Or maybe I will add an ENV in docker like export DOCKERRUN=1. xtensa-build.sh then checks the ENV; if it has the ENV we install rimage into ~/bin, otherwise the script goes the normal way.
Adding -l to xtensa-build.sh will be easy, you can then make sure ~/bin is first in its $PATH and then ./configure rimage --prefix=~/bin
Then we should run the scripts with a flag? I think the docker may be more complex than a native build environment. I just hope to keep the docker easier to use.
Yes, we will run the script with a flag inside or outside of Docker. This is an easy change for xtensa-build.sh, because all you are doing is modifying --prefix for rimage and setting $PATH.
I still want to add an ENV flag check in xtensa-build.sh to make life easier. Users may forget to add a flag and may get some error, but using an ENV flag in the container will do no harm and is just like a flag in the scripts.
Thanks Xiuli
Liam
Thanks Xiuli
Liam
On Fri, 2018-06-08 at 11:36 +0800, Pan, Xiuli wrote:
easy change for xtensa-build.sh, because all you are doing is modifying --prefix for rimage and setting $PATH.
I still want to add an ENV flag check in xtensa-build.sh to make life easier. Users may forget to add a flag and may get some error, but using an ENV flag in the container will do no harm and is just like a flag in the scripts.
Setting the ENV is a PITA outside the container if anyone wants to run xtensa-buildall.sh. Please add a switch to the shell script as previously discussed.
Thanks
Liam
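The switch-based approach Liam asks for, as an added example that is not SOF's own xtensa-build.sh: with -l, rimage is configured with a prefix under $HOME (autotools installs executables to $prefix/bin, so --prefix=$HOME lands it in ~/bin), ~/bin is moved to the front of $PATH and the install runs without sudo; without -l the system-wide sudo install stays. It also carries a small review check for the NOPASSWD grant the patch added. All function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not the project's script. Assumes rimage uses ./configure --prefix.
# Default mode: system-wide install under /usr/local, which needs sudo.
RIMAGE_PREFIX=/usr/local
RIMAGE_USE_SUDO=1

# Parse only the -l switch this example is about; other arguments are ignored.
parse_build_opts() {
    RIMAGE_PREFIX=/usr/local
    RIMAGE_USE_SUDO=1
    for arg in "$@"; do
        if [ "$arg" = "-l" ]; then
            RIMAGE_PREFIX="$HOME"   # executables end up in $HOME/bin
            RIMAGE_USE_SUDO=0       # user-owned prefix: no privilege needed
        fi
    done
}

# ./configure argument for rimage in the selected mode.
rimage_configure_args() {
    printf '%s\n' "--prefix=$RIMAGE_PREFIX"
}

# Install command: plain "make install" for ~/bin, sudo only for the system prefix.
rimage_install_cmd() {
    if [ "$RIMAGE_USE_SUDO" -eq 1 ]; then
        printf '%s\n' "sudo make install"
    else
        printf '%s\n' "make install"
    fi
}

# Return PATH string $1 with directory $2 first and any later copy of $2 dropped,
# so the locally installed rimage shadows a system one.
path_with_first() {
    out="$2"
    old_ifs="$IFS"; IFS=:
    for p in $1; do
        if [ -n "$p" ] && [ "$p" != "$2" ]; then
            out="$out:$p"
        fi
    done
    IFS="$old_ifs"
    printf '%s\n' "$out"
}

# Review check for the Dockerfile change in this thread: succeed (exit 0) when the
# file at $1 grants a sudoers NOPASSWD rule, so the image build can be stopped.
dockerfile_grants_nopasswd() {
    grep -q 'NOPASSWD' "$1"
}
```

A build script would call parse_build_opts "$@", then PATH=$(path_with_first "$PATH" "$HOME/bin") before running ./configure $(rimage_configure_args) and $(rimage_install_cmd).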