Tighten Dockerfile

Signed-off-by: Nick Spinale <[email protected]>
seL4 · May 2, 2024 · f5e208f · f5e208f
1 parent dfa2d8f
commit f5e208f
Showing 1 changed file with 19 additions and 20 deletions.
diff --git a/hacking/docker/Dockerfile b/hacking/docker/Dockerfile
@@ -23,39 +23,38 @@ RUN apt-get update && apt-get install -y \
     bash-completion \
     && rm -rf /var/lib/apt/lists/*
 
-RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers # for convenience
+RUN echo '%sudo ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers
 
 ARG UID
 ARG GID
 
 RUN set -eux; \
-    if ! [ $UID = 0 -a $GID = 0 ]; then \
-        ! getent passwd $UID; \
-        # NOTE
-        # This is a bit of a hack. For example, GID for "staff" on MacOS is "dialout" on Debian. In
-        # an ideal world, we'd ensure that an already-occupied GID corresponds to either "users" or
-        # "staff" on Debian.
+    if [ $UID -eq 0 ]; then \
+        if [ $GID -ne 0 ]; then \
+            echo "error: \$UID == 0 but \$GID != 0" >&2; \
+            exit 1; \
+        fi; \
+    else \
+        if getent passwd $UID; then \
+            echo "error: \$UID $UID already exists" >&2; \
+            exit 1; \
+        fi; \
         if ! getent group $GID; then \
-            groupadd -g $GID x; \
+            groupadd --gid $GID x; \
         fi; \
-        useradd -u $UID -g $GID -G sudo -m -p x x; \
-    fi
-
-# So that they don't depend on $HOME
-ENV RUSTUP_HOME=/opt/rustup
-ENV CARGO_HOME=/opt/cargo
+        useradd --uid $UID --gid $GID --groups sudo --create-home x; \
+    fi;
 
 RUN set -eux; \
-    dirs="/nix $RUSTUP_HOME $CARGO_HOME"; \
-    mkdir -p -m 0755 $dirs; \
-    chown $UID:$GID $dirs
+    mkdir -p -m 0755 /nix; \
+    chown $UID:$GID /nix;
 
 USER $UID
 
 RUN curl -sSf -L https://sh.rustup.rs | \
         bash -s -- -y --no-modify-path --default-toolchain none
 
-ENV PATH=$CARGO_HOME/bin:$PATH
+ENV PATH=/root/x/.cargo/bin:/home/x/.cargo/bin:$PATH # account for both possible cases
 
 RUN curl -sSf -L https://nixos.org/nix/install | \
         bash -s -- --yes --no-modify-profile --no-channel-add
@@ -68,7 +67,7 @@ RUN set -eux; \
     nix-channel --update; \
     nix-env -i nix-bash-completions; \
     nix-channel --remove nixpkgs; \
-    nix-collect-garbage -d
+    nix-collect-garbage -d;
 
 # Add gcroot for store paths required by this image so that fresh images can use persistent /nix
 # volumes.
@@ -77,7 +76,7 @@ RUN set -eux; \
     . ~/.nix-profile/etc/profile.d/nix.sh; \
     nix-store -r \
         --add-root /nix/var/nix/gcroots-for-image/profile \
-        $(readlink --canonicalize-existing ~/.nix-profile)
+        $(readlink --canonicalize-existing ~/.nix-profile);
 
 COPY nix.conf /etc/nix/