Removed --privileged Flag from Docker Container Run

[original-brownbear]

This removes the use of the --privileged flag from the script starting the Docker run.

Reason

The privileged flag creates a significant security issue for Rultor as it causes the host machine's devices to be fully accessible to the container run.
An attacker could take advantage of this fact and provide an image/script combination to Rultor that mounts the host's hard drive(s) (now available as a standard /dev/... ) into the container.
Combined with the fact that the Docker daemon does run under the root user, an attacker can trivially gain full control of the host via a privileged container.

[alex-palevsky]

@original-brownbear Let me find a reviewer for this pull request, thanks for submitting it

[alex-palevsky]

@yegor256 the pull request is rather small, pls review it

[yegor256]

@rultor try to merge

[rultor]

@rultor try to merge

@yegor256 OK, I'll try to merge now. You can check the progress of the merge here

[original-brownbear]

@yegor256 the Docker daemon is stuck here, I think you need to restart it manually.

[rultor]

@rultor try to merge

@original-brownbear @yegor256 Oops, I failed. You can see the full log here (spent 2hr)

+ '[' only == default ']'
+ '[' only == no ']'
+ '[' only == only ']'
+ args=' --ff-only'
+ export BRANCH=__rultor
+ BRANCH=__rultor
++ wc -l
++ git show-branch __rultor
+ '[' 0 -gt 0 ']'
+ git checkout fork/no-privileged-mode
Note: checking out 'fork/no-privileged-mode'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b new_branch_name

HEAD is now at 5d7e373... removed --privileged flag from docker container run
+ git checkout -b __rultor
Switched to a new branch '__rultor'
+ git checkout master
Switched to branch 'master'
+ '[' true == true ']'
+ git checkout __rultor
Switched to branch '__rultor'
+ git rebase master
Current branch __rultor is up to date.
+ git checkout master
Switched to branch 'master'
+ '[' false == true ']'
+ git merge --ff-only __rultor
Updating c0647b9..5d7e373
Fast-forward
 src/main/resources/com/rultor/agents/req/_head.sh | 1 -
 1 file changed, 1 deletion(-)
+ docker_when_possible
+ true
++ tail -n 1
++ uptime
++ sed 's/ /\n/g'
+ load=8.27
++ bc
++ echo 8.27 '>' 30
+ '[' 0 -eq 1 ']'
+ echo 'load average is 8.27, low enough to run a new Docker container'
load average is 8.27, low enough to run a new Docker container
+ break
+ cd ..
+ '[' -n '' ']'
+ use_image=yegor256/rultor
+ docker pull yegor256/rultor
Using default tag: latest
Trying to pull repository docker.io/yegor256/rultor ... Repository docker.io/yegor256/rultor already being pulled by another client. Waiting.
unexpected EOF
'cid' file is absent, container wasn't started correctly

[yegor256]

@rultor try to merge

[rultor]

@rultor try to merge

@yegor256 OK, I'll try to merge now. You can check the progress of the merge here

[rultor]

@rultor try to merge

@yegor256 Done! FYI, the full log is here (took me 14min)

[alex-palevsky]

@yegor256 done, I added 17 mins in payment 000-bb25d3b9, 27 hours and 1 min spent to complete this... you're getting extra minutes here (c=2)... +17 added to your rating, at the moment it is: +1617

[alex-palevsky]

@rultor deploy pls

[rultor]

@rultor deploy pls

@alex-palevsky OK, I'll try to deploy now. You can check the progress here

[rultor]

@rultor deploy pls

@alex-palevsky Done! FYI, the full log is here (took me 8min)

[yegor256]

@original-brownbear everything still works fine :) we're good. thanks!

[yegor256]

@original-brownbear current problem with Docker is caused by this change. I have no idea why/how it worked before, but now I have to use --privileged in order to make Docker work again... I'll put it back and let's investigate why it didn't work without it.

[original-brownbear]

@yegor256 you do remember my email from like January though right? ;) If you need privileged maybe you just need to turn off SeLinux (I think the old server was on CentOs right?)?

[yegor256]

@original-brownbear yes, the old server is on CentOS. that's why emails suck :) let's stay away from them and use only GitHub. no, I don't remember... what was it about?

[original-brownbear]

@yegor256 security ;) But now I see the same is explained in less detail on explicit actions to take :P in the PR description.

[yegor256]

@original-brownbear maybe it would be good to add an extra check into Rultor, to verify that this SeLinux is actually turned OFF. To prevent this from happening in the future..

[original-brownbear]

@yegor256 not so sure about that, I mean that's a long way from Rultor should be able to work on any ssh host :) All these issues are coming from the single point of us using Docker in a slightly dirty way with the mounting of a host volume to run the build inside.
Imo we shouldn't be messing around with this kind of thing. We simply need to find some time to eventually just fix #1094 first, then adjust the build script to always send a build context to Docker (we have that in issues already).
Better to use Docker in a more portable way than checking if our not so portable way of using it will work on a host right ? :)