@@ -347,6 +347,9 @@ public static Path findInContainer(Path base, String type, String pattern) throw
347347 * @param containerPath The path to mount localPath inside the container.
348348 */
349349 private static void executePrivilegeEscalatedShellCmd (String shellCmd , Path localPath , Path containerPath ) {
350+ final String image = "alpine:3.13" ;
351+ ensureImageIsPulled (image );
352+
350353 final List <String > args = new ArrayList <>();
351354
352355 args .add ("docker run" );
@@ -358,7 +361,7 @@ private static void executePrivilegeEscalatedShellCmd(String shellCmd, Path loca
358361 args .add ("--volume \" " + localPath .getParent () + ":" + containerPath .getParent () + "\" " );
359362
360363 // Use a lightweight musl libc based small image
361- args .add ("alpine:3.13" );
364+ args .add (image );
362365
363366 // And run inline commands via the POSIX shell
364367 args .add ("/bin/sh -c \" " + shellCmd + "\" " );
@@ -368,6 +371,33 @@ private static void executePrivilegeEscalatedShellCmd(String shellCmd, Path loca
368371 sh .run (command );
369372 }
370373
374+ private static void ensureImageIsPulled (String image ) {
375+ // Don't pull if the image already exists. This does also mean that we never refresh it, but that
376+ // isn't an issue in CI.
377+ if (sh .runIgnoreExitCode ("docker image inspect -f '{{ .Id }}' " + image ).isSuccess ()) {
378+ return ;
379+ }
380+
381+ Shell .Result result = null ;
382+ int i = 0 ;
383+ while (true ) {
384+ result = sh .runIgnoreExitCode ("docker pull " + image );
385+ if (result .isSuccess ()) {
386+ return ;
387+ }
388+
389+ if (++i == 3 ) {
390+ throw new RuntimeException ("Failed to pull Docker image [" + image + "]: " + result );
391+ }
392+
393+ try {
394+ Thread .sleep (10_000L );
395+ } catch (InterruptedException e ) {
396+ // ignore
397+ }
398+ }
399+ }
400+
371401 /**
372402 * Create a directory with specified uid/gid using Docker backed privilege escalation.
373403 * @param localPath The path to the directory to create.
0 commit comments