diff --git a/src/ci/docker/host-x86_64/x86_64-gnu-distcheck/Dockerfile b/src/ci/docker/host-x86_64/x86_64-gnu-distcheck/Dockerfile
index 2217e6ee7043a..1685d21bdafe5 100644
--- a/src/ci/docker/host-x86_64/x86_64-gnu-distcheck/Dockerfile
+++ b/src/ci/docker/host-x86_64/x86_64-gnu-distcheck/Dockerfile
@@ -1,4 +1,4 @@
-FROM ubuntu:22.04
+FROM ghcr.io/rust-lang/ubuntu:22.04
 ARG DEBIAN_FRONTEND=noninteractive
 RUN apt-get update && apt-get install -y --no-install-recommends \
diff --git a/src/ci/docker/run.sh b/src/ci/docker/run.sh
index 36f7df2b06907..df0dfd52e39f9 100755
--- a/src/ci/docker/run.sh
+++ b/src/ci/docker/run.sh
@@ -296,16 +296,20 @@ else
 args="$args --volume $objdir:/checkout/obj"
 args="$args --volume $HOME/.cargo:/cargo"
 args="$args --volume /tmp/toolstate:/tmp/toolstate"
+fi
- id=$(id -u)
- if [[ "$id" != 0 && "$(docker version)" =~ Podman ]]; then
- # Rootless podman creates a separate user namespace, where an inner
- # LOCAL_USER_ID will map to a different subuid range on the host.
- # The "keep-id" mode maps the current UID directly into the container.
- args="$args --env NO_CHANGE_USER=1 --userns=keep-id"
- else
- args="$args --env LOCAL_USER_ID=$id"
- fi
+id=$(id -u)
+if [[ "$id" != 0 && "$(docker version)" =~ Podman ]]; then
+ # Rootless podman creates a separate user namespace, where an inner
+ # LOCAL_USER_ID will map to a different subuid range on the host.
+ # The "keep-id" mode maps the current UID directly into the container.
+ args="$args --env NO_CHANGE_USER=1 --userns=keep-id"
+elif [[ "$id" != 0 ]]; then
+ args="$args --env LOCAL_USER_ID=$id"
+else
+ # We're running as root.
+ # We set the user id to `1001` instead of `0` to avoid running the container as root.
+ args="$args --env LOCAL_USER_ID=1001"
 fi
 if [ "$dev" = "1" ]
diff --git a/src/ci/github-actions/jobs.yml b/src/ci/github-actions/jobs.yml
index 88b29d2df56ae..d9910d2e8ee02 100644
--- a/src/ci/github-actions/jobs.yml
+++ b/src/ci/github-actions/jobs.yml
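Review bot: The new `FROM` line still references the base image by the mutable tag `22.04`, so the distcheck build uses whatever `ghcr.io/rust-lang/ubuntu` serves under that tag at pull time. Because the image now comes from a mirror rather than the upstream repository, pinning by digest would make the build input reproducible and auditable, e.g. `FROM ghcr.io/rust-lang/ubuntu:22.04@sha256:<digest-placeholder>`. If the tag is kept on purpose so that mirror refreshes flow through, a short comment above `FROM` saying who publishes and refreshes the mirror would help the next reader.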
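Review bot: The root branch hard-codes `LOCAL_USER_ID=1001`, and that number is also what will own files written to the host bind mounts added just above (`$objdir:/checkout/obj`, `$HOME/.cargo:/cargo`). On a dedicated CI runner this is harmless, but if the script is run as root on a shared machine, UID 1001 may belong to an unrelated local account, which would presumably end up owning root's `~/.cargo` after the recursive `chown` that src/ci/run.sh gains in this same change. Consider making the value overridable and saying so in the comment, e.g. `args="$args --env LOCAL_USER_ID=${CONTAINER_UID:-1001}"` (the variable name is a suggestion, not an existing setting). The `if`/`else` that the added `fi` closes begins outside this hunk, so whether its first branch should also receive this UID logic cannot be checked from here.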
@@ -309,7 +309,7 @@ auto:
 <<: *job-linux-4c
 - name: x86_64-gnu-distcheck
- <<: *job-linux-8c
+ <<: *job-linux-36c-codebuild
 # The x86_64-gnu-llvm-20 job is split into multiple jobs to run tests in parallel.
 # x86_64-gnu-llvm-20-1 skips tests that run in x86_64-gnu-llvm-20-{2,3}.
diff --git a/src/ci/run.sh b/src/ci/run.sh
index b6143af632ddc..853b11cad4cc8 100755
--- a/src/ci/run.sh
+++ b/src/ci/run.sh
@@ -2,6 +2,29 @@
 set -e
+# Change ownership of the given path to the user if the filesystem is writable
+change_ownership_if_writable() {
+ local path=$1
+ local owner="user:user"
+ local current_owner
+ current_owner=$(stat -f "%Su:%Sg" "$path" 2>/dev/null)
+
+ local test_file="$path/.write_test"
+ echo "Testing if $path is writable by $owner"
+ # Test if filesystem is writable by attempting to touch a temporary file
+ if touch "$test_file" 2>/dev/null; then
+ # We wrote the file just for testing. We can remove it now.
+ rm "$test_file"
+ if [ "$current_owner" != "$owner" ]; then
+ echo "Changing ownership of $path to $owner"
+ chown -R $owner "$path"
+ fi
+ else
+ echo "$path is read-only, skipping ownership change"
+ fi
+ echo "Ownership of $path is $current_owner"
+}
+
 if [ -n "$CI_JOB_NAME" ]; then
 echo "[CI_JOB_NAME=$CI_JOB_NAME]"
 fi
@@ -16,6 +39,12 @@ if [ "$NO_CHANGE_USER" = "" ]; then
 export HOME=/home/user
 unset LOCAL_USER_ID
+ # Give ownership of necessary directories to the user
+ change_ownership_if_writable .
+ mkdir -p /cargo
+ change_ownership_if_writable /cargo
+ change_ownership_if_writable /checkout
+
 # Ensure that runners are able to execute git commands in the worktree,
 # overriding the typical git protections. In our docker container we're running
 # as root, while the user owning the checkout is not root.
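Review bot: `stat -f "%Su:%Sg"` in `change_ownership_if_writable` is the BSD/macOS spelling; with GNU coreutils, which an Ubuntu-based image would normally ship, `-f` selects file-system mode and the format string is taken as a file name. In that case the command exits non-zero, so `current_owner` never equals `user:user` and the `chown -R` runs on every start; because the assignment is a plain statement under `set -e`, the script may even abort there. The GNU form would be `current_owner=$(stat -c '%U:%G' "$path" 2>/dev/null || true)`. The closing `echo "Ownership of $path is $current_owner"` prints the value captured before the `chown`, so it reports the old owner after a change. `$owner` should also be quoted, as in `chown -R "$owner" "$path"`.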
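Review bot: After these three calls the checkout is owned by `user` whenever the mount is writable, yet the context comment right below still justifies overriding git's protections with an owner mismatch ("running as root, while the user owning the checkout is not root"). If that override, whose code is outside this hunk, is now only needed for the read-only case, it would be safer to apply it only there and update the comment, so git's ownership check stays active where ownership has just been fixed. Separately, `change_ownership_if_writable .` depends on the working directory, which is not visible here. A comment naming the directory it is meant to cover, e.g. `# "." is the directory the container starts in (confirm)`, would make the three calls easier to audit.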