Use gid=1000 in -rootless images

Fixes open-policy-agent#4380 Signed-off-by: Anders Eknert <anders@eknert.com>
anderseknert · Mar 4, 2022 · ca4f64a · ca4f64a
1 parent 495cdee
commit ca4f64a
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 2 deletions.
diff --git a/.github/workflows/pull-request.yaml b/.github/workflows/pull-request.yaml
@@ -195,6 +195,9 @@ jobs:
       - name: Check out code
         uses: actions/checkout@v3
 
+      - name: Download OPA
+        uses: open-policy-agent/setup-opa@v1
+
       - name: Set up QEMU
         uses: docker/setup-qemu-action@v1
         with:

diff --git a/Makefile b/Makefile
@@ -349,7 +349,7 @@ ifneq ($(GOARCH),arm64) # build only static images for arm64
 		.
 	$(DOCKER) build \
 		-t $(DOCKER_IMAGE):$(VERSION)-rootless \
-		--build-arg USER=1000 \
+		--build-arg USER=1000:1000 \
 		--build-arg BASE=gcr.io/distroless/cc \
 		--build-arg BIN_DIR=$(RELEASE_DIR) \
 		--platform linux/$* \
@@ -382,7 +382,7 @@ push-manifest-list-%: ensure-executable-bin
 		.
 	$(DOCKER) buildx build \
 		--tag $(DOCKER_IMAGE):$*-rootless \
-		--build-arg USER=1000 \
+		--build-arg USER=1000:1000 \
 		--build-arg BASE=gcr.io/distroless/cc \
 		--build-arg BIN_DIR=$(RELEASE_DIR) \
 		--platform $(DOCKER_PLATFORMS) \
@@ -407,6 +407,8 @@ ifneq ($(GOARCH),arm64) # we build only static images for arm64
 	$(DOCKER) run --platform linux/$* $(DOCKER_IMAGE):$(VERSION) version
 	$(DOCKER) run --platform linux/$* $(DOCKER_IMAGE):$(VERSION)-debug version
 	$(DOCKER) run --platform linux/$* $(DOCKER_IMAGE):$(VERSION)-rootless version
+
+	$(DOCKER) image inspect $(DOCKER_IMAGE):$(VERSION)-rootless | opa eval --fail --format raw --stdin-input 'input[0].Config.User = "1000:1000"'
 endif
 	$(DOCKER) run --platform linux/$* $(DOCKER_IMAGE):$(VERSION)-static version