From ac75bd11cfd9ca927b38b51e08a55d626e5a3131 Mon Sep 17 00:00:00 2001 From: Tim Hockin Date: Wed, 11 May 2016 23:55:21 -0700 Subject: [PATCH] Run builds as the calling user This means no 'sudo' is needed to copy files out. --- build/build-image/Dockerfile | 9 ++++++++- build/common.sh | 9 ++++++--- hack/update-generated-protobuf-dockerized.sh | 7 +++++-- hack/update-generated-protobuf.sh | 8 +------- hack/verify-generated-protobuf.sh | 9 +-------- 5 files changed, 21 insertions(+), 21 deletions(-) diff --git a/build/build-image/Dockerfile b/build/build-image/Dockerfile index 2adbd5ae1c..60cd464ed9 100644 --- a/build/build-image/Dockerfile +++ b/build/build-image/Dockerfile @@ -18,7 +18,14 @@ FROM gcr.io/google_containers/kube-cross:KUBE_BUILD_IMAGE_CROSS_TAG # Mark this as a kube-build container RUN touch /kube-build-image -WORKDIR /go/src/k8s.io/kubernetes +# TO run as non-root we sometimes need to rebuild go stdlib packages. +RUN chmod -R a+rwx /usr/local/go/pkg + +# The kubernetes source is expected to be mounted here. This will be the base +# of operations. +ENV HOME /go/src/k8s.io/kubernetes +WORKDIR ${HOME} +RUN chmod -R a+rwx ${HOME} # Propagate the git tree version into the build image ADD kube-version-defs /kube-version-defs diff --git a/build/common.sh b/build/common.sh index 864c9cd129..7f585143a9 100755 --- a/build/common.sh +++ b/build/common.sh @@ -565,6 +565,7 @@ function kube::build::ensure_data_container() { "${DOCKER[@]}" run "${DOCKER_DATA_MOUNT_ARGS[@]}" --name "${KUBE_BUILD_DATA_CONTAINER_NAME}" + --user "$(id -u):$(id -g)" "${KUBE_BUILD_IMAGE}" true ) @@ -583,6 +584,7 @@ function kube::build::run_build_command() { local -a docker_run_opts=( "--name=${KUBE_BUILD_CONTAINER_NAME}" + "--user=$(id -u):$(id -g)" "${DOCKER_MOUNT_ARGS[@]}" ) 
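Review bot: `RUN chmod -R a+rwx /usr/local/go/pkg` leaves the toolchain's compiled package tree world-writable and marks every file in it executable, so any process in the container, under any UID, can replace the stdlib archives that later builds link against. If the only goal is to let a non-root user rebuild stdlib packages, `RUN chmod -R a+rwX /usr/local/go/pkg` (capital X) grants the same write and directory-traversal access without setting the execute bit on regular files; the same applies to `RUN chmod -R a+rwx ${HOME}`. The comment above it should state the trust assumption, for example `# World-writable on purpose: the container runs as the caller's UID, which has no entry in the image; only trusted build steps may run here.` The new comment also has a typo, "TO run" for "To run".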
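Review bot: The `--user "$(id -u):$(id -g)"` value is computed separately in `kube::build::ensure_data_container`, `kube::build::run_build_command` and `kube::build::copy_output`, and nothing documents what it assumes. The ids are those of the client shell, so they match file ownership only when the Docker daemon shares the caller's host; with a remote or VM-hosted daemon they are presumably unrelated numbers. Computing the value once and commenting the assumption keeps the three sites from drifting, for example `local -r build_user="$(id -u):$(id -g)"  # caller's ids; assumes a local Docker daemon`. A data container created before this change would presumably still hold root-owned volume contents; the bodies of all three functions continue outside the hunks, so whether an existing container is recreated cannot be seen here.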
@@ -635,9 +637,10 @@ function kube::build::copy_output() { # Bug: https://github.com/docker/docker/pull/8509 local -a docker_run_opts=( "--name=${KUBE_BUILD_CONTAINER_NAME}" - "${DOCKER_MOUNT_ARGS[@]}" - -d - ) + "--user=$(id -u):$(id -g)" + "${DOCKER_MOUNT_ARGS[@]}" + -d + ) local -ra docker_cmd=( "${DOCKER[@]}" run "${docker_run_opts[@]}" "${KUBE_BUILD_IMAGE}" diff --git a/hack/update-generated-protobuf-dockerized.sh b/hack/update-generated-protobuf-dockerized.sh index fa9294cd54..447bf27146 100755 --- a/hack/update-generated-protobuf-dockerized.sh +++ b/hack/update-generated-protobuf-dockerized.sh @@ -23,7 +23,9 @@ source "${KUBE_ROOT}/hack/lib/init.sh" kube::golang::setup_env -hack/build-go.sh cmd/libs/go2idl/go-to-protobuf cmd/libs/go2idl/go-to-protobuf/protoc-gen-gogo +hack/build-go.sh \ + cmd/libs/go2idl/go-to-protobuf \ + cmd/libs/go2idl/go-to-protobuf/protoc-gen-gogo if [[ -z "$(which protoc)" || "$(protoc --version)" != "libprotoc 3.0."* ]]; then echo "Generating protobuf requires protoc 3.0.0-beta1 or newer. Please download and" @@ -39,7 +41,8 @@ gotoprotobuf=$(kube::util::find-binary "go-to-protobuf") # requires the 'proto' tag to build (will remove when ready) # searches for the protoc-gen-gogo extension in the output directory -# satisfies import of github.com/gogo/protobuf/gogoproto/gogo.proto and the core Google protobuf types +# satisfies import of github.com/gogo/protobuf/gogoproto/gogo.proto and the +# core Google protobuf types PATH="${KUBE_ROOT}/_output/local/go/bin:${PATH}" \ "${gotoprotobuf}" \ --proto-import="${KUBE_ROOT}/vendor" \ diff --git a/hack/update-generated-protobuf.sh b/hack/update-generated-protobuf.sh index 9686cec974..78ef8757f3 100755 --- a/hack/update-generated-protobuf.sh +++ b/hack/update-generated-protobuf.sh 
@@ -37,13 +37,7 @@ function prereqs() { KUBE_BUILD_CONTAINER_NAME="kube-build-${KUBE_ROOT_HASH}" KUBE_BUILD_DATA_CONTAINER_NAME="kube-build-data-${KUBE_ROOT_HASH}" DOCKER_MOUNT_ARGS=( - --volume "${REPO_DIR:-${KUBE_ROOT}}/cluster:/go/src/${KUBE_GO_PACKAGE}/cluster" - --volume "${REPO_DIR:-${KUBE_ROOT}}/cmd:/go/src/${KUBE_GO_PACKAGE}/cmd" - --volume "${REPO_DIR:-${KUBE_ROOT}}/vendor:/go/src/${KUBE_GO_PACKAGE}/vendor" - --volume "${REPO_DIR:-${KUBE_ROOT}}/hack:/go/src/${KUBE_GO_PACKAGE}/hack" - --volume "${REPO_DIR:-${KUBE_ROOT}}/pkg:/go/src/${KUBE_GO_PACKAGE}/pkg" - --volume "${REPO_DIR:-${KUBE_ROOT}}/federation:/go/src/${KUBE_GO_PACKAGE}/federation" - --volume "${REPO_DIR:-${KUBE_ROOT}}/third_party:/go/src/${KUBE_GO_PACKAGE}/third_party" + --volume "${REPO_DIR:-${KUBE_ROOT}}:/go/src/${KUBE_GO_PACKAGE}" --volume /etc/localtime:/etc/localtime:ro --volumes-from "${KUBE_BUILD_DATA_CONTAINER_NAME}" ) diff --git a/hack/verify-generated-protobuf.sh b/hack/verify-generated-protobuf.sh index c76ee2956d..5cc3af125c 100755 --- a/hack/verify-generated-protobuf.sh +++ b/hack/verify-generated-protobuf.sh @@ -38,20 +38,13 @@ for APIROOT in ${APIROOTS}; do cp -a "${KUBE_ROOT}/${APIROOT}" "${_tmp}/${APIROOT}" done -# If not running as root, we need to use sudo to restore the original generated -# protobuf files. -SUDO="" -if [[ "$(id -u)" != '0' ]]; then - SUDO="sudo" -fi - "${KUBE_ROOT}/hack/update-generated-protobuf.sh" for APIROOT in ${APIROOTS}; do TMP_APIROOT="${_tmp}/${APIROOT}" echo "diffing ${APIROOT} against freshly generated protobuf" ret=0 diff -Naupr -I 'Auto generated by' "${KUBE_ROOT}/${APIROOT}" "${TMP_APIROOT}" || ret=$? - ${SUDO} cp -a "${TMP_APIROOT}" "${KUBE_ROOT}/${APIROOT%/*}" + cp -a "${TMP_APIROOT}" "${KUBE_ROOT}/${APIROOT%/*}" if [[ $ret -eq 0 ]]; then echo "${APIROOT} up to date." else
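Review bot: The single `--volume "${REPO_DIR:-${KUBE_ROOT}}:/go/src/${KUBE_GO_PACKAGE}"` mount gives the container read-write access to the entire checkout, where the seven removed mounts limited it to named subdirectories. That now includes repository metadata such as `.git`, whose hooks and config are later acted on by the host, so everything that runs inside the build container (including vendored generator code) has to be trusted with it. If nothing in the generator needs to write there (not visible from this hunk), layering a read-only mount over it narrows the exposure: `--volume "${REPO_DIR:-${KUBE_ROOT}}/.git:/go/src/${KUBE_GO_PACKAGE}/.git:ro"`. Otherwise a comment on the array should record why the whole tree must be writable. The `prereqs` function continues outside the hunk.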
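Review bot: With `${SUDO}` gone, the restore step `cp -a "${TMP_APIROOT}" "${KUBE_ROOT}/${APIROOT%/*}"` only works if every file under the API root is writable by the caller. A tree that earlier root-run containers wrote into presumably still holds root-owned generated files, and the copy would fail on those. Whether that failure stops the script depends on shell options set outside the hunk, and an unrestored tree would keep the freshly generated files in place. Making the failure explicit would help: `cp -a "${TMP_APIROOT}" "${KUBE_ROOT}/${APIROOT%/*}" || { echo "cannot restore ${APIROOT}; check for root-owned files left by earlier builds" >&2; exit 1; }`.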