Make linux user configurable for Git operations

Author: csweichel

components/content-service/pkg/executor/executor.go

@@ -44,7 +44,7 @@ func Prepare(req *csapi.WorkspaceInitializer, urls map[string]string) ([]byte, e
 
 // Execute runs an initializer to place content in destination based on the configuration read
 // from the cfgin stream.
-func Execute(ctx context.Context, destination string, cfgin io.Reader, forceGitUser bool, opts ...initializer.InitializeOpt) (src csapi.WorkspaceInitSource, err error) {
+func Execute(ctx context.Context, destination string, cfgin io.Reader, runAs *initializer.User, opts ...initializer.InitializeOpt) (src csapi.WorkspaceInitSource, err error) {
 	var cfg config
 	err = json.NewDecoder(cfgin).Decode(&cfg)
 	if err != nil {
@@ -64,7 +64,7 @@ func Execute(ctx context.Context, destination string, cfgin io.Reader, forceGitU
 
 		rs = &storage.NamedURLDownloader{URLs: cfg.URLs}
 		ilr, err = initializer.NewFromRequest(ctx, destination, rs, &req, initializer.NewFromRequestOpts{
-			ForceGitpodUserForGit: forceGitUser,
+			RunAs: runAs,
 		})
 		if err != nil {
 			return "", err

components/content-service/pkg/git/git.go

@@ -13,6 +13,7 @@ import (
 	"os/exec"
 	"path/filepath"
 	"strings"
+	"syscall"
 
 	"github.com/opentracing/opentracing-go"
 	"golang.org/x/xerrors"
@@ -93,8 +94,12 @@ type Client struct {
 	// UpstreamCloneURI is the fork upstream of a repository
 	UpstreamRemoteURI string
 
-	// if true will run git command as gitpod user (should be executed as root that has access to sudo in this case)
-	RunAsGitpodUser bool
+	// RunAs runs the Git commands as a particular user - if not nil
+	RunAs *User
+}
+
+type User struct {
+	UID, GID uint32
 }
 
 // Status describes the status of a Git repo/working copy akin to "git status"
@@ -201,13 +206,19 @@ func (c *Client) GitWithOutput(ctx context.Context, ignoreErr *string, subcomman
 	span.LogKV("args", fullArgs)
 
 	cmdName := "git"
-	if c.RunAsGitpodUser {
-		cmdName = "sudo"
-		fullArgs = append([]string{"-u", "gitpod", "git"}, fullArgs...)
-	}
 	cmd := exec.Command(cmdName, fullArgs...)
 	cmd.Dir = c.Location
 	cmd.Env = env
+	if c.RunAs != nil {
+		if cmd.SysProcAttr == nil {
+			cmd.SysProcAttr = &syscall.SysProcAttr{}
+		}
+		if cmd.SysProcAttr.Credential == nil {
+			cmd.SysProcAttr.Credential = &syscall.Credential{}
+		}
+		cmd.SysProcAttr.Credential.Uid = c.RunAs.UID
+		cmd.SysProcAttr.Credential.Gid = c.RunAs.UID
+	}
 
 	res, err := cmd.CombinedOutput()
 	if err != nil {

components/content-service/pkg/initializer/git.go

@@ -95,8 +95,8 @@ func (ws *GitInitializer) Run(ctx context.Context, mappings []archive.IDMapping)
 
 		// make sure that folder itself is owned by gitpod user prior to doing git clone
 		// this is needed as otherwise git clone will fail if the folder is owned by root
-		if ws.RunAsGitpodUser {
-			args := []string{"gitpod", ws.Location}
+		if ws.RunAs != nil {
+			args := []string{fmt.Sprintf("%d:%d", ws.RunAs.UID, ws.RunAs.GID), ws.Location}
 			cmd := exec.Command("chown", args...)
 			res, cerr := cmd.CombinedOutput()
 			if cerr != nil && !process.IsNotChildProcess(cerr) {

components/content-service/pkg/initializer/initializer.go

@@ -99,11 +99,13 @@ func (e CompositeInitializer) Run(ctx context.Context, mappings []archive.IDMapp
 
 // NewFromRequestOpts configures the initializer produced from a content init request
 type NewFromRequestOpts struct {
-	// ForceGitpodUserForGit forces gitpod:gitpod ownership on all files produced by the Git initializer.
-	// For FWB workspaces the content init is run from supervisor which runs as UID 0. Using this flag, the
-	// Git content is forced to the Gitpod user. All other content (backup, prebuild, snapshot) will already
-	// have the correct user.
-	ForceGitpodUserForGit bool
+	// RunAs - if not nil - decides the user with which the initiallisation will be executed
+	RunAs *User
+}
+
+type User struct {
+	UID uint32
+	GID uint32
 }
 
 // NewFromRequest picks the initializer from the request but does not execute it.
@@ -132,7 +134,7 @@ func NewFromRequest(ctx context.Context, loc string, rs storage.DirectDownloader
 			return nil, status.Error(codes.InvalidArgument, "missing Git initializer spec")
 		}
 
-		initializer, err = newGitInitializer(ctx, loc, ir.Git, opts.ForceGitpodUserForGit)
+		initializer, err = newGitInitializer(ctx, loc, ir.Git, opts.RunAs)
 	} else if ir, ok := spec.(*csapi.WorkspaceInitializer_Prebuild); ok {
 		if ir.Prebuild == nil {
 			return nil, status.Error(codes.InvalidArgument, "missing prebuild initializer spec")
@@ -146,7 +148,7 @@ func NewFromRequest(ctx context.Context, loc string, rs storage.DirectDownloader
 		}
 		var gits []*GitInitializer
 		for _, gi := range ir.Prebuild.Git {
-			gitinit, err := newGitInitializer(ctx, loc, gi, opts.ForceGitpodUserForGit)
+			gitinit, err := newGitInitializer(ctx, loc, gi, opts.RunAs)
 			if err != nil {
 				return nil, err
 			}
@@ -249,7 +251,7 @@ func (bi *fromBackupInitializer) Run(ctx context.Context, mappings []archive.IDM
 
 // newGitInitializer creates a Git initializer based on the request.
 // Returns gRPC errors.
-func newGitInitializer(ctx context.Context, loc string, req *csapi.GitInitializer, forceGitpodUser bool) (*GitInitializer, error) {
+func newGitInitializer(ctx context.Context, loc string, req *csapi.GitInitializer, runAs *User) (*GitInitializer, error) {
 	if req.Config == nil {
 		return nil, status.Error(codes.InvalidArgument, "Git initializer misses config")
 	}
@@ -294,6 +296,11 @@ func newGitInitializer(ctx context.Context, loc string, req *csapi.GitInitialize
 		return
 	})
 
+	var user *git.User
+	if runAs != nil {
+		user = &git.User{UID: runAs.UID, GID: runAs.GID}
+	}
+
 	log.WithField("location", loc).Debug("using Git initializer")
 	return &GitInitializer{
 		Client: git.Client{
@@ -303,7 +310,7 @@ func newGitInitializer(ctx context.Context, loc string, req *csapi.GitInitialize
 			Config:            req.Config.CustomConfig,
 			AuthMethod:        authMethod,
 			AuthProvider:      authProvider,
-			RunAsGitpodUser:   forceGitpodUser,
+			RunAs:             user,
 		},
 		TargetMode:  targetMode,
 		CloneTarget: req.CloneTaget,

components/supervisor/pkg/supervisor/supervisor.go

@@ -54,6 +54,7 @@ import (
 	csapi "github.com/gitpod-io/gitpod/content-service/api"
 	"github.com/gitpod-io/gitpod/content-service/pkg/executor"
 	"github.com/gitpod-io/gitpod/content-service/pkg/git"
+	"github.com/gitpod-io/gitpod/content-service/pkg/initializer"
 	gitpod "github.com/gitpod-io/gitpod/gitpod-protocol"
 	"github.com/gitpod-io/gitpod/supervisor/api"
 	"github.com/gitpod-io/gitpod/supervisor/pkg/config"
@@ -1537,8 +1538,22 @@ func startContentInit(ctx context.Context, cfg *Config, wg *sync.WaitGroup, cst
 	}
 
 	log.Info("supervisor: running content service executor with content descriptor")
-	var src csapi.WorkspaceInitSource
-	src, err = executor.Execute(ctx, "/workspace", bytes.NewReader(contentFile), true)
+	var (
+		src  csapi.WorkspaceInitSource
+		user *initializer.User
+	)
+	if cfg.WorkspaceRuntime == WorkspaceRuntimeNextgen {
+		user = &initializer.User{
+			UID: cfg.WorkspaceLinuxUID,
+			GID: cfg.WorkspaceLinuxGID,
+		}
+	} else {
+		user = &initializer.User{
+			UID: legacyGitpodUID,
+			GID: legacyGitpodGID,
+		}
+	}
+	src, err = executor.Execute(ctx, "/workspace", bytes.NewReader(contentFile), user)
 	if err != nil {
 		return
 	}