Build sudo-rs outside of the docker container

This significantly reduces the size of the container.

.github/workflows/ci.yaml

@@ -29,6 +29,11 @@ jobs:
           key: docker-buildx-rs-${{ github.sha }}
           restore-keys: docker-buildx-rs-
 
+      - name: Install dependencies
+        run: |
+          sudo apt update
+          sudo apt install libpam0g-dev
+
       - name: Rust Cache
         uses: Swatinem/rust-cache@v2
         with:
@@ -97,6 +102,11 @@ jobs:
           key: docker-buildx-rs-${{ github.sha }}
           restore-keys: docker-buildx-rs-
 
+      - name: Install dependencies
+        run: |
+          sudo apt update
+          sudo apt install libpam0g-dev
+
       - name: Rust Cache
         uses: Swatinem/rust-cache@v2
         with:

test-framework/sudo-test/src/docker.rs

@@ -2,7 +2,7 @@ use core::str;
 use std::{
     env,
     fs::{self, File},
-    io::{Seek, SeekFrom, Write},
+    io::{Seek, SeekFrom, Write, ErrorKind},
     path::{Path, PathBuf},
     process::{self, Command as StdCommand, Stdio},
 };
@@ -146,6 +146,29 @@ pub fn build_base_image() -> Result<()> {
 
     match SudoUnderTest::from_env()? {
         SudoUnderTest::Ours => {
+            // Build sudo-rs
+            let mut cargo_cmd = StdCommand::new("cargo");
+            cargo_cmd.args(["build", "--locked", "--features=dev", "--bins"]);
+            cargo_cmd.current_dir(&repo_root);
+            if env::var_os("SUDO_TEST_VERBOSE_DOCKER_BUILD").is_none() {
+                cargo_cmd.stderr(Stdio::null()).stdout(Stdio::null());
+            }
+            if !cargo_cmd.status()?.success() {
+                return Err("`cargo build --locked --features=dev --bins` failed".into());
+            }
+
+            // Copy all binaries to a single place where the Dockerfile will find them
+            let target_debug_dir = repo_root.join("target").join("debug");
+            let build_dir = repo_root.join("target").join("build");
+            match fs::create_dir(&build_dir) {
+                Ok(()) => {}
+                Err(e) if e.kind() == ErrorKind::AlreadyExists => {}
+                Err(e) => return Err(e.into()),
+            }
+            for f in ["sudo", "su", "visudo"] {
+                fs::copy(target_debug_dir.join(f), build_dir.join(f))?;
+            }
+
             // needed for dockerfile-specific dockerignore (e.g. `Dockerfile.dockerignore`) support
             cmd.current_dir(repo_root);
             cmd.args(["-f", "test-framework/sudo-test/src/ours.Dockerfile", "."]);

test-framework/sudo-test/src/ours.Dockerfile

@@ -1,18 +1,13 @@
-FROM rust:1-slim-bookworm
+FROM debian:bookworm-slim
 RUN apt-get update && \
-    apt-get install -y --no-install-recommends clang libclang-dev libpam0g-dev procps sshpass rsyslog
-# cache the crates.io index in the image for faster local testing
-RUN cargo search sudo
+    apt-get install -y --no-install-recommends procps sshpass rsyslog
 WORKDIR /usr/src/sudo
-COPY . .
-RUN --mount=type=cache,target=/usr/src/sudo/target cargo build --locked --features="dev" --bins && mkdir -p build && cp target/debug/sudo build/sudo && cp target/debug/su build/su && cp target/debug/visudo build/visudo
+COPY target/build build
 # set setuid on install
 RUN install --mode 4755 build/sudo /usr/bin/sudo
 RUN install --mode 4755 build/su /usr/bin/su
 RUN install --mode 755 build/visudo /usr/sbin/visudo
 # `apt-get install sudo` creates this directory; creating it in the image saves us the work of creating it in each compliance test
 RUN mkdir -p /etc/sudoers.d
-# remove build dependencies
-RUN apt-get autoremove -y clang libclang-dev
 # set the default working directory to somewhere world writable so sudo / su can create .profraw files there
 WORKDIR /tmp

test-framework/sudo-test/src/ours.Dockerfile.dockerignore

@@ -2,8 +2,4 @@
 *
 
 # but these
-!Cargo.lock
-!Cargo.toml
-!src/**/*
-!bin/**/*
-!build.rs
+!/target/build