[CI] Change docker user to ec2-user (#2834)

clee2000 · web-flow · commit c293e9dc0be3 · 2024-04-11T18:34:18.000-07:00
Add back in an explicitly defined user in the docker build because I can't figure out which user is being used by the docker image. If a user other than ec2-user is being used, then it is not possibly for the next job to clean up files from previous jobs because it lacks permission. Should fix the problems like https://github.com/pytorch/tutorials/actions/runs/8635938916/job/23674817847 ``` Cleaning the repository Warning: Unable to clean or reset the repository. The repository will be recreated instead. Deleting the contents of '/home/ec2-user/actions-runner/_work/tutorials/tutorials' Error: File was unable to be removed Error: EACCES: permission denied, unlink '/home/ec2-user/actions-runner/_work/tutorials/tutorials/.jenkins/__pycache__/get_files_to_run.cpython-310.pyc' ```
diff --git a/.ci/docker/Dockerfile b/.ci/docker/Dockerfile
@@ -7,6 +7,11 @@ ENV DEBIAN_FRONTEND noninteractive
 COPY ./common/install_base.sh install_base.sh
 RUN bash ./install_base.sh && rm install_base.sh
 
+# Setup user
+# TODO: figure out how to remove this part
+COPY ./common/install_user.sh install_user.sh
+RUN bash ./install_user.sh && rm install_user.sh
+
 COPY ./common/install_docs_reqs.sh install_docs_reqs.sh
 RUN bash ./install_docs_reqs.sh && rm install_docs_reqs.sh
 
@@ -20,4 +25,5 @@ COPY ./common/install_conda.sh install_conda.sh
 COPY ./common/common_utils.sh common_utils.sh
 RUN bash ./install_conda.sh && rm install_conda.sh common_utils.sh /opt/conda/requirements.txt
 
+USER ci-user
 CMD ["bash"]
diff --git a/.ci/docker/common/common_utils.sh b/.ci/docker/common/common_utils.sh
@@ -7,7 +7,7 @@ as_ci_user() {
   # NB: Pass on PATH and LD_LIBRARY_PATH to sudo invocation
   # NB: This must be run from a directory that the user has access to,
   # works around https://github.com/conda/conda-package-handling/pull/34
-  sudo -E -H env -u SUDO_UID -u SUDO_GID -u SUDO_COMMAND -u SUDO_USER env "PATH=$PATH" "LD_LIBRARY_PATH=$LD_LIBRARY_PATH" $*
+  sudo -E -H -u ci-user env -u SUDO_UID -u SUDO_GID -u SUDO_COMMAND -u SUDO_USER env "PATH=$PATH" "LD_LIBRARY_PATH=$LD_LIBRARY_PATH" $*
 }
 
 conda_install() {
diff --git a/.ci/docker/common/install_conda.sh b/.ci/docker/common/install_conda.sh
@@ -12,6 +12,7 @@ if [ -n "$ANACONDA_PYTHON_VERSION" ]; then
   CONDA_FILE="Miniconda3-latest-Linux-x86_64.sh"
 
   mkdir -p /opt/conda
+  chown ci-user:ci-user /opt/conda
 
   source "$(dirname "${BASH_SOURCE[0]}")/common_utils.sh"
 
diff --git a/.ci/docker/common/install_user.sh b/.ci/docker/common/install_user.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+# Copyright (c) Meta Platforms, Inc. and affiliates.
+# All rights reserved.
+#
+# This source code is licensed under the BSD-style license found in the
+# LICENSE file in the root directory of this source tree.
+
+# Copied from https://github.com/pytorch/executorch/blob/6e431355a554e5f84c3a05dfa2b981ead90c2b48/.ci/docker/common/install_user.sh#L1
+
+set -ex
+
+# Same as ec2-user
+echo "ci-user:x:1000:1000::/var/lib/ci-user:" >> /etc/passwd
+echo "ci-user:x:1000:" >> /etc/group
+# Needed on Focal or newer
+echo "ci-user:*:19110:0:99999:7:::" >> /etc/shadow
+
+# Create $HOME
+mkdir -p /var/lib/ci-user
+chown ci-user:ci-user /var/lib/ci-user
+
+# Allow sudo
+echo 'ci-user ALL=(ALL) NOPASSWD:ALL' > /etc/sudoers.d/ci-user
+
+# Test that sudo works
+sudo -u ci-user sudo -v
diff --git a/.github/workflows/build-tutorials.yml b/.github/workflows/build-tutorials.yml
@@ -93,7 +93,7 @@ jobs:
             "${DOCKER_IMAGE}"
           )
 
-          docker exec -t "${container_name}" sh -c ".jenkins/build.sh"
+          docker exec -u ci-user -t "${container_name}" sh -c ".jenkins/build.sh"
 
       - name: Teardown Linux
         uses: pytorch/test-infra/.github/actions/teardown-linux@main
@@ -162,9 +162,7 @@ jobs:
             "${DOCKER_IMAGE}"
           )
 
-          docker exec -u root -i "${container_name}" bash
-
-          docker exec -t "${container_name}" sh -c ".jenkins/build.sh"
+          docker exec -u ci-user -t "${container_name}" sh -c ".jenkins/build.sh"
 
       - name: Upload docs preview
         uses: seemethere/upload-artifact-s3@v5

Original file line number	Diff line number	Diff line change
`@@ -7,7 +7,7 @@ as_ci_user() {`
`7`	`7`	`# NB: Pass on PATH and LD_LIBRARY_PATH to sudo invocation`
`8`	`8`	`# NB: This must be run from a directory that the user has access to,`
`9`	`9`	`# works around https://github.com/conda/conda-package-handling/pull/34`
`10`		`- sudo -E -H env -u SUDO_UID -u SUDO_GID -u SUDO_COMMAND -u SUDO_USER env "PATH=$PATH" "LD_LIBRARY_PATH=$LD_LIBRARY_PATH" $*`
	`10`	`+ sudo -E -H -u ci-user env -u SUDO_UID -u SUDO_GID -u SUDO_COMMAND -u SUDO_USER env "PATH=$PATH" "LD_LIBRARY_PATH=$LD_LIBRARY_PATH" $*`
`11`	`11`	`}`
`12`	`12`
`13`	`13`	`conda_install() {`