	The docker and containerd copy files from the repository, which are owned by the sdk user. This ownership leaks into the final image, which means the first created user could edit systemd files. This is bad. Modify the cp invocation to copy files without preserving ownership. The sysext-mangle script is called by build_sysext, which is executed using sudo. Signed-off-by: Jeremi Piotrowski <jpiotrowski@microsoft.com>
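#!/bin/bash
# sysext-mangle hook for the containerd sysext: drops tools Flatcar does not
# ship and installs the extra files kept in coreos-overlay into the sysext tree.
#
# Usage: <this script> ROOTFS
#   ROOTFS - root of the sysext image tree being assembled (must already exist)
#
# Exits non-zero on a missing/invalid ROOTFS, a missing files directory, or any
# failing command (set -e).
set -euo pipefail

# Fail with a usable message instead of set -u's bare "unbound variable".
rootfs="${1:?usage: ${0##*/} ROOTFS}"
if [[ ! -d "${rootfs}" ]]; then
  echo ">>> ERROR: $0: rootfs '${rootfs}' is not a directory" >&2
  exit 1
fi

# No manpages on Flatcar, no need to ship "stress" tool
echo ">>> NOTICE: $0: removing 'gen-manpages', 'containerd-stress' from sysext"
rm -f -- "${rootfs}/usr/bin/gen-manpages" "${rootfs}/usr/bin/containerd-stress"

# Resolve the checkout root relative to this script (one directory up);
# '&&' makes a failed cd abort the substitution rather than printing the cwd.
script_root="$(cd "$(dirname "$0")/../" && pwd)"
files_dir="${script_root}/sdk_container/src/third_party/coreos-overlay/coreos/sysext/containerd"
if [[ ! -d "${files_dir}" ]]; then
  echo ">>> ERROR: $0: files dir '${files_dir}' is not a directory" >&2
  exit 1
fi

echo ">>> NOTICE $0: installing extra files from '${files_dir}'"
# ATTENTION: don't preserve ownership as repo is owned by sdk user
# Only mode and timestamps are preserved; 'ownership' is deliberately left out
# of --preserve so the checkout's uid/gid does not leak into the shipped image
# (the copies are owned by whoever runs this script instead). Note that
# --preserve=mode still carries the checkout's permission bits into the image.
# Collect the glob explicitly so an empty directory yields a clear error
# instead of cp complaining about a literal '*'.
shopt -s nullglob
extra_files=("${files_dir}"/*)
shopt -u nullglob
if (( ${#extra_files[@]} == 0 )); then
  echo ">>> ERROR: $0: no files to install in '${files_dir}'" >&2
  exit 1
fi
cp -vdR --preserve=mode,timestamps -- "${extra_files[@]}" "${rootfs}"

# Drop-in so that multi-user.target lists containerd.service under Upholds=.
mkdir -p -- "${rootfs}/usr/lib/systemd/system/multi-user.target.d"
printf '%s\n' "[Unit]" "Upholds=containerd.service" \
  > "${rootfs}/usr/lib/systemd/system/multi-user.target.d/10-containerd-service.conf"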