diff --git a/.circleci/config.yml b/.circleci/config.yml index a06c106ff..796d59e3e 100644 --- a/.circleci/config.yml +++ b/.circleci/config.yml @@ -38,8 +38,22 @@ jobs: - run: name: "Bootstrap test environment" + working_directory: "/tmp" command: | + # Avoid the /nonexistent home directory in nobody's /etc/passwd + # entry. + usermod --home /tmp/nobody nobody + + # Grant read access to nobody, the user which will eventually try + # to test this checkout. + mv /root/project /tmp/project + + # Python build/install toolchain wants to write to the source + # checkout, too. + chown --recursive nobody:nogroup /tmp/project + apt-get --quiet --yes install \ + sudo \ build-essential \ python2.7 \ python2.7-dev \ @@ -47,13 +61,23 @@ jobs: libssl-dev \ libyaml-dev \ virtualenv - virtualenv --python python2.7 tests - tests/bin/pip install tox + + # Set up the virtualenv as a non-root user so we can run the test + # suite as a non-root user. See below. + sudo -u nobody virtualenv --python python2.7 /tmp/tests + sudo -u nobody /tmp/tests/bin/pip install tox - run: name: "Run test suite" command: | - tests/bin/tox -e py27 + # Run the test suite as a non-root user. This is the expected + # usage some small areas of the test suite assume non-root + # privileges (such as unreadable files being unreadable). + # + # Also run with /tmp as a workdir because the non-root user won't + # be able to create the tox working filesystem state in the source + # checkout because it is owned by root. + sudo -u nobody /tmp/tests/bin/tox -c /tmp/project/tox.ini --workdir /tmp -e py27 debian-9: docker:
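Review bot: `usermod --home /tmp/nobody nobody` in the "Bootstrap test environment" command only rewrites the passwd entry; nothing visible in this hunk creates `/tmp/nobody`. The directory is therefore left to whichever tool first writes under that home, with whatever mode that tool picks, inside world-writable `/tmp`. Creating it explicitly right after the `usermod` line makes ownership and permissions deliberate, e.g. `install --directory --owner nobody --group nogroup --mode 0700 /tmp/nobody`. Separately, `nobody` is conventionally an account that owns no files, and here it is given both a home and the whole checkout via `chown --recursive`. A dedicated test account would avoid modifying a system account, for example `useradd --create-home test-runner`, where the name is a placeholder. The `apt-get` package list continues past the end of this hunk, and the job definition starts above it.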
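Review bot: The new comment in "Run test suite" justifies `--workdir /tmp` by saying the source checkout "is owned by root", but the bootstrap step in the first hunk already runs `chown --recursive nobody:nogroup /tmp/project`. Either the comment is stale or the chown is not doing what is intended, and a later maintainer cannot tell which of the two the job relies on. If the separate workdir is kept, pointing it at the root of world-writable `/tmp` puts tox's environment and log directories next to `/tmp/project` and `/tmp/tests`. A dedicated directory owned by the test user keeps that state contained, e.g. `--workdir /tmp/tox-work` (constructed name), with the comment reworded to give the real reason. The first sentence of the same comment is also missing a word: `# usage and some small areas of the test suite assume non-root`. The job definition starts outside this hunk.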