Differentiate password-less sycl vs sycl-ci user

AlexeySachkov · AlexeySachkov · commit 0964ce8c4d64 · 2024-12-16T09:41:16.000-08:00
diff --git a/devops/containers/ubuntu2204_base.Dockerfile b/devops/containers/ubuntu2204_base.Dockerfile
@@ -16,6 +16,6 @@ COPY actions/cleanup /actions/cleanup
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
 COPY scripts/install_drivers.sh /opt/install_drivers.sh
 
-USER sycl
+USER sycl_ci
 
 ENTRYPOINT ["/docker_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2204_build.Dockerfile b/devops/containers/ubuntu2204_build.Dockerfile
@@ -35,7 +35,7 @@ RUN --mount=type=secret,id=sycl_passwd /user-setup.sh
 
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
 
-USER sycl
+USER sycl_ci
 
 ENTRYPOINT ["/docker_entrypoint.sh"]
 
diff --git a/devops/containers/ubuntu2204_intel_drivers.Dockerfile b/devops/containers/ubuntu2204_intel_drivers.Dockerfile
@@ -27,7 +27,7 @@ RUN --mount=type=secret,id=github_token \
 
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
 
-USER sycl
+USER sycl_ci
 
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
 
diff --git a/devops/containers/ubuntu2204_preinstalled.Dockerfile b/devops/containers/ubuntu2204_preinstalled.Dockerfile
@@ -12,6 +12,9 @@ ADD sycl_linux.tar.gz /opt/sycl/
 ENV PATH /opt/sycl/bin:$PATH
 ENV LD_LIBRARY_PATH /opt/sycl/lib:$LD_LIBRARY_PATH
 
+# For preinstalled containers we create a different user which has
+# password-less sudo access
+RUN /user-setup.sh --regular
 USER sycl
 
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_base.Dockerfile b/devops/containers/ubuntu2404_base.Dockerfile
@@ -16,6 +16,6 @@ COPY actions/cleanup /actions/cleanup
 COPY scripts/docker_entrypoint.sh /docker_entrypoint.sh
 COPY scripts/install_drivers.sh /opt/install_drivers.sh
 
-USER sycl
+USER sycl_ci
 
 ENTRYPOINT ["/docker_entrypoint.sh"]
diff --git a/devops/containers/ubuntu2404_intel_drivers.Dockerfile b/devops/containers/ubuntu2404_intel_drivers.Dockerfile
@@ -27,7 +27,7 @@ RUN --mount=type=secret,id=github_token \
 
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
 
-USER sycl
+USER sycl_ci
 
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
 
diff --git a/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile b/devops/containers/ubuntu2404_intel_drivers_igc_dev.Dockerfile
@@ -22,7 +22,7 @@ RUN --mount=type=secret,id=github_token \
 
 COPY scripts/drivers_entrypoint.sh /drivers_entrypoint.sh
 
-USER sycl
+USER sycl_ci
 
 ENTRYPOINT ["/bin/bash", "/drivers_entrypoint.sh"]
 
diff --git a/devops/scripts/create-sycl-user.sh b/devops/scripts/create-sycl-user.sh
@@ -1,30 +1,50 @@
 #!/bin/bash
 
-# By default Ubuntu sets an arbitrary UID value, that is different from host
-# system. When CI passes default UID value of 1001, some of LLVM tools fail to
-# discover user home directory and fail a few LIT tests. Fixes UID and GID to
-# 1001, that is used as default by GitHub Actions.
-groupadd -g 1001 sycl && useradd sycl -u 1001 -g 1001 -m -s /bin/bash
-# Add sycl user to video/irc groups so that it can access GPU
-usermod -aG video sycl
-usermod -aG irc sycl
-
-# group 109 is required for sycl user to access PVC card.
-groupadd -g 109 render
-usermod -aG render sycl
-
-if [[ -f /run/secrets/sycl_passwd ]]; then
-  # When running in our CI environment, we restrict access to root.
-
-  # Set password for sycl user
-  cat /run/secrets/sycl_passwd | passwd -s sycl
-
-  # Allow sycl user to run as sudo, but only with password
-  echo "sycl  ALL=(root) PASSWD:ALL" >> /etc/sudoers
+set -e
+
+if [[ $# -eq 0 ]]; then
+  # When launched without arguments, we assume that it was launched as part of
+  # CI workflow and therefore a different kind of user is created
+  USER_NAME=sycl_ci
+  SET_PASSWD=true
+
+  # By default Ubuntu sets an arbitrary UID value, that is different from host
+  # system. When CI passes default UID value of 1001, some of LLVM tools fail to
+  # discover user home directory and fail a few LIT tests. Fixes UID and GID to
+  # 1001, that is used as default by GitHub Actions.
+  USER_ID=1001
 else
-  # Otherwise, we allow password-less root to simplify building other
-  # containers on top.
+  if [[ "${1:-}" != "--regular" ]]; then
+    echo "The only supported argument is --regular!"
+    exit 1
+  fi
+  USER_NAME=sycl
+  SET_PASSWD=false
+
+  # Some user id which is different from the one assigned to sycl_ci user
+  USER_ID=1234
+fi
+
+groupadd -g $USER_ID $USER_NAME && useradd $USER_NAME -u $USER_ID -g $USER_ID -m -s /bin/bash
+# Add user to video/irc groups so that it can access GPU
+usermod -aG video $USER_NAME
+usermod -aG irc $USER_NAME
 
-  # Allow sycl user to run as sudo passwrod-less
-  echo "sycl  ALL=(root) NOPASSWD:ALL" >> /etc/sudoers
+# group 109 is required for user to access PVC card.
+groupadd -f -g 109 render
+usermod -aG render $USER_NAME
+
+if [[ $SET_PASSWD == true ]]; then
+  if [[ ! -f /run/secrets/sycl_ci_passwd ]]; then
+    echo "Password is requested, but /run/secrtes/sycl_ci_passwd doesn't exists!"
+    exit 2
+  fi
+
+  # Set password for user
+  echo "$USER_NAME:$(cat /run/secrets/sycl_ci_passwd)" | chpasswd
+
+  # Allow user to run as sudo, but only with password
+  echo "$USER_NAME  ALL=(ALL) PASSWD:ALL" >> /etc/sudoers
+else
+  echo "$USER_NAME  ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
 fi
