From f3f80f2679bd878aac4d258f2c27e345b596d107 Mon Sep 17 00:00:00 2001
From: continuist
Date: Tue, 9 Sep 2025 00:03:11 -0400
Subject: [PATCH] Fix PiP setup
---
 secure_pip_setup.sh | 56 ++++++++++++++++++++-------------------------
 1 file changed, 25 insertions(+), 31 deletions(-)
diff --git a/secure_pip_setup.sh b/secure_pip_setup.sh
index e597a56..2177f9e 100755
--- a/secure_pip_setup.sh
+++ b/secure_pip_setup.sh
@@ -4,36 +4,32 @@ set -Eeuo pipefail
 RUN_ID="${RUN_ID:-${GITHUB_RUN_ID:-local}}"
 PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
 RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
-SOCKET_PATH="${SOCKET_PATH:-${RUNTIME_DIR}/podman-host/podman.sock}"
-SOCKET_DIR="$(dirname "$SOCKET_PATH")"
+SOCKET_PATH="${RUNTIME_DIR}/podman/podman.sock" # <- only standard rootless socket
 WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
-PIP_UID="${PIP_UID:-1000}"
-PIP_GID="${PIP_GID:-1000}"
-# Require pinned client image digest
+# Required: pinned client image digest
 PODMAN_CLIENT_IMG_DIGEST="${PODMAN_CLIENT_IMG_DIGEST:-}"
-if [[ -z "${PODMAN_CLIENT_IMG_DIGEST}" ]]; then
- echo "ERROR: PODMAN_CLIENT_IMG_DIGEST (e.g., quay.io/podman/stable@sha256:...) is required and must be a digest." >&2
- exit 1
-fi
+[[ -n "$PODMAN_CLIENT_IMG_DIGEST" ]] || { echo "ERROR: PODMAN_CLIENT_IMG_DIGEST is required"; exit 1; }
-# Clean any previous container for this run
+# Check the socket
+[[ -S "$SOCKET_PATH" ]] || {
+ echo "ERROR: Podman UNIX socket not found at $SOCKET_PATH"
+ echo "Fix: sudo -iu ci-service systemctl --user enable --now podman.socket"
+ exit 1
+}
+
+# Match the socket owner uid:gid (don’t use 0:0)
+read -r SOCK_UID SOCK_GID < <(stat -c '%u %g' "$SOCKET_PATH")
+PUID="${PIP_UID:-$SOCK_UID}"
+PGID="${PIP_GID:-$SOCK_GID}"
+
+# Clean previous container
 podman rm -f "${PIP_CONTAINER_NAME}" >/dev/null 2>&1 || true
-# Verify systemd-managed UNIX socket exists
-if [[ ! -S "${SOCKET_PATH}" ]]; then
- echo "ERROR: Podman UNIX socket not found at ${SOCKET_PATH}."
>&2
- echo "Start it with: systemctl --user enable --now podman-host-socket.service" >&2
- exit 1
-fi
-
-# Tighten socket perms (best-effort)
-chmod 660 "${SOCKET_PATH}" >/dev/null 2>&1 || true
-
-# Create ephemeral PiP client (no network, least privilege)
+# Start the PiP client: no net, no caps, read-only FS; mount socket dir at same path
 podman run -d \
 --name "${PIP_CONTAINER_NAME}" \
- --user 0:0 \
+ --user "${PUID}:${PGID}" \
 -e HOME=/tmp \
 --security-opt=no-new-privileges \
 --cap-drop=ALL \
@@ -41,18 +37,16 @@ podman run -d \
 --network=none \
 --tmpfs /run:rw,size=64M \
 --tmpfs /tmp:rw,size=256M \
- -v "${SOCKET_DIR}:/run/podman-host:rw" \
+ -v "${RUNTIME_DIR}/podman:${RUNTIME_DIR}/podman:rw" \
 -v "${WORKSPACE}:/workspace:rw" \
- -e CONTAINER_HOST="unix:///run/podman-host/podman.sock" \
+ -e CONTAINER_HOST="unix://${SOCKET_PATH}" \
 "${PODMAN_CLIENT_IMG_DIGEST}" \
 sleep infinity
-# Brief wait and health check
+# Health check
 sleep 3
-if ! podman inspect "${PIP_CONTAINER_NAME}" --format '{{.State.Status}}' | grep -q running; then
- echo "ERROR: PiP container failed to start" >&2
- podman logs "${PIP_CONTAINER_NAME}" >&2 || true
- exit 1
-fi
+podman inspect "${PIP_CONTAINER_NAME}" --format '{{.State.Status}}' | grep -q running \
+ || { echo "ERROR: PiP container failed to start"; podman logs "${PIP_CONTAINER_NAME}" || true; exit 1; }
-echo "PiP container ready: ${PIP_CONTAINER_NAME}"
\ No newline at end of file
+echo "PiP container ready: ${PIP_CONTAINER_NAME}"
+echo "Using socket: ${SOCKET_PATH}"
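Review bot: The new diagnostics in this hunk go to stdout rather than stderr: the `>&2` redirections on the removed `echo "ERROR: …"` lines were dropped from both the digest check (`echo "ERROR: PODMAN_CLIENT_IMG_DIGEST is required"`) and the two `echo` lines inside the `[[ -S "$SOCKET_PATH" ]] || { … }` block, and the same happened to the `echo` and `podman logs` in the health-check failure path of the next hunk. Restoring `>&2` on each keeps error text out of whatever consumes the script's stdout and matches the `set -Eeuo pipefail` hardening the file already has. Separately, `PUID="${PIP_UID:-$SOCK_UID}"` still honours an explicit `PIP_UID=0`, which the comment above it says must not happen; a one-line guard after the two assignments, `[[ "${PUID}:${PGID}" != 0:0 ]] || { echo "ERROR: refusing to run the PiP client as 0:0" >&2; exit 1; }`, would enforce the stated intent. Note also that `stat -c '%u %g'` is GNU coreutils syntax, so the socket-owner probe fails on BSD/macOS `stat`; if the script is Linux-only by design, a short comment on the `read -r SOCK_UID SOCK_GID` line saying so would save the next person a surprise.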
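Review bot: The health check is a single probe after a fixed `sleep 3`, so a slow runner fails the script even though the container would be `running` a moment later, while a fast failure still burns the full three seconds before `podman logs` is shown. A short bounded poll on `.State.Status` fixes both, lets the failure message report the state actually observed, and replaces the `| grep -q running` substring test with an exact comparison; the sketch below keeps the same exit code and log output. Everything between `podman run -d` and the health check is unchanged.
```shell
# … unchanged: podman run -d … sleep infinity …

# Health check: poll briefly instead of a single fixed-delay probe
state=""
for _ in {1..10}; do
  state=$(podman inspect "${PIP_CONTAINER_NAME}" --format '{{.State.Status}}' 2>/dev/null || true)
  [[ "$state" == "running" ]] && break
  sleep 1
done
[[ "$state" == "running" ]] \
  || { echo "ERROR: PiP container failed to start (state: ${state:-unknown})" >&2; podman logs "${PIP_CONTAINER_NAME}" >&2 || true; exit 1; }

# … unchanged: "PiP container ready" / "Using socket" messages …
```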