Run as unprivileged user in container in a new user namespace
This prevents the build from accidentally modifying system files in
the container, and increases security.
Test Plan:
scripts/destroy_container.sh; scripts/create_container.sh && scripts/run_in_container.sh id
# uid=1000(1000) gid=1000 groups=1000
bazel run scripts:launch
# works
X-Origin-Diff: phab/D212
GitOrigin-RevId: 74af18ee49cf48e45440e12e9efe36e57be5f18d
diff --git a/scripts/create_container.sh b/scripts/create_container.sh
index 359d2ee..80f4581 100755
--- a/scripts/create_container.sh
+++ b/scripts/create_container.sh
@@ -28,11 +28,12 @@
# https://github.com/containers/libpod/issues/4318
podman run -it -d \
-v $(pwd):/work \
- -v smalltown-gomodcache:/root/go/pkg/mod/cache \
+ -v smalltown-gopath:/root/go/pkg \
-v smalltown-gobuildcache:/root/.cache/go-build \
-v smalltown-bazelcache:/root/.cache/bazel/_bazel_root/cache \
--tmpfs=/root/.cache/bazel:exec \
--device /dev/kvm \
--privileged \
+ --userns=keep-id \
--name=smalltown-dev \
smalltown-builder
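Review bot: `--privileged` (L25) survives this change, so the container still runs with the full capability set and without seccomp, AppArmor/SELinux and masked-path confinement; the new `--userns=keep-id` only changes which uid the build runs as, so the description's "increases security" is narrower than it reads. Since `/dev/kvm` is already passed explicitly with `--device`, it is worth checking whether `--privileged` can be dropped entirely, or at least documenting why it must stay, e.g. `# --privileged is still needed for <reason>; keep-id only drops root inside the container`. Separately, after keep-id the build runs as uid 1000 (per the test plan) while the `smalltown-gopath`, go-build and bazel volumes and the tmpfs are all still mounted under `/root`; if `$HOME` for that uid inside the image is not `/root`, Go and Bazel will not find these caches, and named volumes created root-owned may not be writable by uid 1000 without the `:U` mount option — the test plan suggests it works today, but a short comment on why the `/root` paths are still correct for the mapped user would save the next reader the same question.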