Fix PiP setup

2025-09-09 00:03:11 -04:00 · 2025-09-09 00:03:11 -04:00 · f3f80f2679
commit f3f80f2679
parent 1c4ac1fffb
1 changed files with 25 additions and 31 deletions
--- a/secure_pip_setup.sh
+++ b/secure_pip_setup.sh
@ -4,36 +4,32 @@ set -Eeuo pipefail
 RUN_ID="${RUN_ID:-${GITHUB_RUN_ID:-local}}"
 PIP_CONTAINER_NAME="ci-pip-${RUN_ID}"
 RUNTIME_DIR="${XDG_RUNTIME_DIR:-/run/user/$(id -u)}"
-SOCKET_PATH="${SOCKET_PATH:-${RUNTIME_DIR}/podman-host/podman.sock}"
-SOCKET_DIR="$(dirname "$SOCKET_PATH")"
+SOCKET_PATH="${RUNTIME_DIR}/podman/podman.sock"   # <- only standard rootless socket
 WORKSPACE="${GITHUB_WORKSPACE:-$PWD}"
-PIP_UID="${PIP_UID:-1000}"
-PIP_GID="${PIP_GID:-1000}"

-# Require pinned client image digest
+# Required: pinned client image digest
 PODMAN_CLIENT_IMG_DIGEST="${PODMAN_CLIENT_IMG_DIGEST:-}"
-if [[ -z "${PODMAN_CLIENT_IMG_DIGEST}" ]]; then
-  echo "ERROR: PODMAN_CLIENT_IMG_DIGEST (e.g., quay.io/podman/stable@sha256:...) is required and must be a digest." >&2
-  exit 1
-fi
+[[ -n "$PODMAN_CLIENT_IMG_DIGEST" ]] || { echo "ERROR: PODMAN_CLIENT_IMG_DIGEST is required"; exit 1; }

-# Clean any previous container for this run
+# Check the socket
+[[ -S "$SOCKET_PATH" ]] || {
+  echo "ERROR: Podman UNIX socket not found at $SOCKET_PATH"
+  echo "Fix: sudo -iu ci-service systemctl --user enable --now podman.socket"
+  exit 1
+}
+
+# Match the socket owner uid:gid (don’t use 0:0)
+read -r SOCK_UID SOCK_GID < <(stat -c '%u %g' "$SOCKET_PATH")
+PUID="${PIP_UID:-$SOCK_UID}"
+PGID="${PIP_GID:-$SOCK_GID}"
+
+# Clean previous container
 podman rm -f "${PIP_CONTAINER_NAME}" >/dev/null 2>&1 || true

-# Verify systemd-managed UNIX socket exists
-if [[ ! -S "${SOCKET_PATH}" ]]; then
-  echo "ERROR: Podman UNIX socket not found at ${SOCKET_PATH}." >&2
-  echo "Start it with: systemctl --user enable --now podman-host-socket.service" >&2
-  exit 1
-fi
-
-# Tighten socket perms (best-effort)
-chmod 660 "${SOCKET_PATH}" >/dev/null 2>&1 || true
-
-# Create ephemeral PiP client (no network, least privilege)
+# Start the PiP client: no net, no caps, read-only FS; mount socket dir at same path
 podman run -d \
  --name "${PIP_CONTAINER_NAME}" \
-  --user 0:0 \
+  --user "${PUID}:${PGID}" \
  -e HOME=/tmp \
  --security-opt=no-new-privileges \
  --cap-drop=ALL \
@ -41,18 +37,16 @@ podman run -d \
  --network=none \
  --tmpfs /run:rw,size=64M \
  --tmpfs /tmp:rw,size=256M \
-  -v "${SOCKET_DIR}:/run/podman-host:rw" \
+  -v "${RUNTIME_DIR}/podman:${RUNTIME_DIR}/podman:rw" \
  -v "${WORKSPACE}:/workspace:rw" \
-  -e CONTAINER_HOST="unix:///run/podman-host/podman.sock" \
+  -e CONTAINER_HOST="unix://${SOCKET_PATH}" \
  "${PODMAN_CLIENT_IMG_DIGEST}" \
  sleep infinity

-# Brief wait and health check
+# Health check
 sleep 3
-if ! podman inspect "${PIP_CONTAINER_NAME}" --format '{{.State.Status}}' | grep -q running; then
-  echo "ERROR: PiP container failed to start" >&2
-  podman logs "${PIP_CONTAINER_NAME}" >&2 || true
-  exit 1
-fi
+podman inspect "${PIP_CONTAINER_NAME}" --format '{{.State.Status}}' | grep -q running \
+  || { echo "ERROR: PiP container failed to start"; podman logs "${PIP_CONTAINER_NAME}" || true; exit 1; }

 echo "PiP container ready: ${PIP_CONTAINER_NAME}"
+echo "Using socket: ${SOCKET_PATH}"