Use docker images with non-root user

That image creates an unprivileged user to run the test suite under.

Use docker images with non-root user
That image creates an unprivileged user to run the test suite under.
648cb28f · Mark Karpov · Ben Gamari · d9d46328 · 648cb28f · 648cb28f
Commit 648cb28f authored 7 years ago by Mark Karpov Committed by Ben Gamari 7 years ago
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -3,16 +3,6 @@ version: 2
 aliases:
  - &defaults
    working_directory: ~/ghc
-
-  # Make sure we have proper openssh before checkout: CircleCI git
-  # does not check the repository out properly without it and also
-  # takes 20 times longer than it should be.
-  - &precheckout
-    run:
-      name: Install OpenSSH client
-      command: |
-        apt-get update -qq
-        apt-get install -qy openssh-client
  - &prepare
    run:
      name: prepare-system
@@ -92,11 +82,10 @@ jobs:
  "validate-x86_64-linux":
    resource_class: xlarge
    docker:
-      - image: haskell:8.2
+      - image: mrkkrp/ghcci-x86_64-linux:0.0.4
    environment:
      <<: *buildenv
    steps:
-      - *precheckout
      - checkout
      - *prepare
      - *submodules
@@ -111,12 +100,11 @@ jobs:
  "validate-x86_64-freebsd":
    resource_class: xlarge
    docker:
-      - image: tweag/toolchain-x86_64-freebsd
+      - image: mrkkrp/ghcci-x86_64-freebsd
    environment:
      TARGET: FreeBSD
      <<: *buildenv
    steps:
-      - *precheckout
      - checkout
      - *prepare
      - *submodules
@@ -152,11 +140,10 @@ jobs:
  "validate-hadrian-x86_64-linux":
    resource_class: xlarge
    docker:
-      - image: haskell:8.2
+      - image: mrkkrp/ghcci-x86_64-linux:0.0.4
    environment:
      <<: *buildenv
    steps:
-      - *precheckout
      - checkout
      - *prepare
      - *submodules
@@ -167,11 +154,10 @@ jobs:
  "validate-x86_64-linux-unreg":
    resource_class: xlarge
    docker:
-      - image: haskell:8.2
+      - image: mrkkrp/ghcci-x86_64-linux:0.0.4
    environment:
      <<: *buildenv
    steps:
-      - *precheckout
      - checkout
      - *prepare
      - *submodules
@@ -183,7 +169,7 @@ jobs:
  "validate-x86_64-linux-llvm":
    resource_class: xlarge
    docker:
-      - image: haskell:8.2
+      - image: mrkkrp/ghcci-x86_64-linux:0.0.4
    environment:
      <<: *buildenv
      BUILD_FLAVOUR: perf-llvm
@@ -191,15 +177,11 @@ jobs:
      - run:
          name: Install LLVM
          command: |
-            apt-get update
-            apt-get install -y curl xz-utils
            curl http://releases.llvm.org/5.0.0/clang+llvm-5.0.0-x86_64-linux-gnu-debian8.tar.xz | tar -xJC ..
-            # See https://discuss.circleci.com/t/how-to-add-a-path-to-path-in-circle-2-0/11554/3
            echo "export PATH=`pwd`/../clang+llvm-5.0.0-x86_64-linux-gnu-debian8/bin:\$PATH" >> $BASH_ENV
      - run:
          name: Verify that llc works
          command: llc
-      - *precheckout
      - checkout
      - *prepare
      - *submodules
@@ -212,12 +194,11 @@ jobs:
  "validate-x86_64-linux-debug":
    resource_class: xlarge
    docker:
-      - image: haskell:8.2
+      - image: mrkkrp/ghcci-x86_64-linux:0.0.4
    environment:
      BUILD_FLAVOUR: devel2
      <<: *buildenv
    steps:
-      - *precheckout
      - checkout
      - *prepare
      - *submodules

--- a/.circleci/images/x86_64-linux/Dockerfile
+++ b/.circleci/images/x86_64-linux/Dockerfile
 FROM haskell:8.2
-RUN adduser ghc --gecos 'GHC builds' --disabled-password
+
+# Make sure we have proper openssh before checkout: CircleCI git
+# does not check the repository out properly without it and also
+# takes 20 times longer than it should be.
+RUN apt-get update -qq
+RUN apt-get install -qy git make automake autoconf gcc perl python3 texinfo xz-utils lbzip2 patch openssh-client sudo -qq curl
+
+# Create a normal user.
+RUN adduser ghc --gecos "GHC builds" --disabled-password
+RUN echo "ghc ALL = NOPASSWD : ALL" > /etc/sudoers.d/ghc
 USER ghc
+
+WORKDIR /home/ghc/
+
+CMD ["bash"]
--- a/.circleci/prepare-system.sh
+++ b/.circleci/prepare-system.sh
@@ -42,23 +42,25 @@ case "$(uname)" in
        fail "TARGET=$target not supported"
      fi
    else
-      # assuming Ubuntu
-      apt-get install -qy git make automake autoconf gcc perl python3 texinfo xz-utils lbzip2 patch
      cabal update
-      cabal install --reinstall hscolour --index-state=$hackage_index_state
+      cabal install --reinstall hscolour
+      sudo ln -s /home/ghc/.cabal/bin/HsColour /usr/local/bin/HsColour || true
    fi
    ;;
  Darwin)
    if [[ -n ${TARGET:-} ]]; then
      fail "uname=$(uname) not supported for cross-compilation"
    fi
-    brew install ghc cabal-install python3 ncurses gmp
+    # It looks like we already have python2 here and just installing python3
+    # does not work.
+    brew upgrade python
+    brew install ghc cabal-install ncurses gmp
    cabal update
    cabal install --reinstall alex happy haddock hscolour --index-state=$hackage_index_state
    # put them on the $PATH, don't fail if already installed
    ln -s $HOME/.cabal/bin/alex /usr/local/bin/alex || true
    ln -s $HOME/.cabal/bin/happy /usr/local/bin/happy || true
-    ln -s $HOME/.cabal/bin/hscolour /usr/local/bin/hscolour || true
+    ln -s $HOME/.cabal/bin/HsColour /usr/local/bin/HsColour || true
    ;;
  *)
    fail "uname=$(uname) not supported"