Fix codebuild task to work running as unpriviledged user

this stackoverflow answer provided some insight: https://stackoverflow.com/questions/51365622/aws-codebuild-as-non-root-user also reading the docker image of the base build helped a lot: https://github.com/aws/aws-codebuild-docker-images/blob/master/ubuntu/standard/7.0/Dockerfile and also making use of the session manager feature calling the `codebuild-breakpoint` command: https://docs.aws.amazon.com/codebuild/latest/userguide/session-manager.html
ooni · Mar 12, 2024 · 57d2bbf · 57d2bbf
1 parent 9134e0f
commit 57d2bbf
Showing 1 changed file with 22 additions and 9 deletions.
diff --git a/ooniapi/services/oonirun/buildspec.yml b/ooniapi/services/oonirun/buildspec.yml
@@ -3,32 +3,45 @@ env:
   variables:
     OONI_CODE_PATH: ooniapi/services/oonirun
     DOCKERHUB_SECRET_ID: oonidevops/dockerhub/access_token
-    LANG: "en_US.UTF-8"
-    LANGUAGE: "en_US.UTF-8"
-    LC_CTYPE: "en_US.UTF-8"
+    LANG: en_US.UTF-8
+    LANGUAGE: en_US.UTF-8
+    LC_CTYPE: en_US.UTF-8
+    LC_ALL: en_US.UTF-8
 
 phases:
   install:
     runtime-versions:
       python: 3.11
     commands:
-      - pip install hatch
+      - mkdir -p /home/codebuild-user
+      - cp -R ${CODEBUILD_SRC_DIR}/ooniapi /home/codebuild-user/ooniapi/
+      - locale-gen --purge "en_US.UTF-8"
+      - dpkg-reconfigure --frontend noninteractive locales
       - echo "deb https://apt.postgresql.org/pub/repos/apt $(lsb_release -cs)-pgdg main" > /etc/apt/sources.list.d/pgdg.list
       - wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add -
       - apt-get update
       - apt install -y postgresql-16
+      # run-as: codebuild-user is a mess: https://stackoverflow.com/questions/51365622/aws-codebuild-as-non-root-user
+      - chmod 666 /var/run/docker.sock
+      - chmod +x /home/codebuild-user
+      - chmod +x /root/
+      - chown -R codebuild-user:codebuild-user /root/.pyenv
+      - chown -R codebuild-user:codebuild-user /home/codebuild-user
+      - ls -ld /home/codebuild-user
 
   pre_build:
-    run-as: codebuild-user
     commands:
-      - aws --version
-      - echo "Logging in to ECR"
-      - aws secretsmanager get-secret-value --secret-id $DOCKERHUB_SECRET_ID --query SecretString --output text | docker login --username ooni --password-stdin
+      - echo "Logging in to dockerhub"
+      - >
+        aws secretsmanager get-secret-value --secret-id $DOCKERHUB_SECRET_ID --query SecretString --output text
+          | docker login --username ooni --password-stdin
 
   build:
     run-as: codebuild-user
     commands:
-      - cd $OONI_CODE_PATH
+      - pip install hatch
+      - export HOME=/home/codebuild-user
+      - cd /home/codebuild-user/$OONI_CODE_PATH
       - export GIT_FULL_SHA=${CODEBUILD_RESOLVED_SOURCE_VERSION}
       - make test
       - make clean