This repository has been archived by the owner on Oct 16, 2020. It is now read-only.

rkt container generates 403 on coreos #926

Closed
NeilW opened this issue Oct 15, 2015 · 3 comments

NeilW commented Oct 15, 2015

CoreOS alpha (833.0.0)

I've created an ACI conversion of a Docker image created from https://github.com/deis/example-dockerfile-http

I run the image with both docker and rkt using host networking.

The docker image runs fine under Docker on CoreOS but if you convert it to ACI with docker2aci and run it with rkt (version 0.9.0) then accessing the simple HTTP server via 'curl http://localhost' gives a 403 forbidden response.

nginx in the container changes to the nginx user id which doesn't seem to have access to the file tree.

tail /var/log/nginx/error.log 
2015/10/15 14:49:16 [error] 6#0: *1 "/usr/share/nginx/html/index.html" is forbidden (13: Permission denied), client: ::ffff:127.0.0.1, server: , request: "GET / HTTP/1.1", host: "localhost"
2015/10/15 14:54:26 [error] 6#0: *2 open() "/usr/share/nginx/html/README" failed (13: Permission denied), client: ::ffff:127.0.0.1, server: , request: "GET /README HTTP/1.1", host: "localhost"
2015/10/15 14:54:36 [error] 6#0: *3 open() "/usr/share/nginx/html/README" failed (13: Permission denied), client: ::ffff:127.0.0.1, server: , request: "HEAD /README HTTP/1.1", host: "localhost"

The permissions on the pod's rootfs are different from those you get on Ubuntu:

core@srv-jnt3l /var/lib/rkt/pods/run/01138045-5c1b-4a8f-bee7-72ed9b114f6b/stage1
 $ ls -la
total 36
drwxr-s--- 3 root rkt 4096 Oct 15 15:15 .
-rw------- 1 root rkt    0 Oct 15 15:15 .#rootfs.lck
drwxr-s--- 6 root rkt 4096 Oct 15 15:15 ..
-rw-r----- 1 root rkt  367 Oct 15 15:14 manifest
drwxr-x--- 1 root rkt 4096 Oct 15 15:15 rootfs

root@ubuntu-vm:/var/lib/rkt/pods/run/6eff0ad5-07e6-4526-b01d-ac645e31205b/stage1# ls -la
total 16
drwxr-s---  3 root rkt 4096 Oct 15 16:09 .
drwxr-s---  5 root rkt 4096 Oct 15 16:09 ..
-rw-r-----  1 root rkt  367 Oct 15 16:09 manifest
drwxrwxr-x 13 root rkt 4096 Oct 15 16:09 rootfs
-rw-------  1 root rkt    0 Oct 15 16:09 .#rootfs.lck

which means in the actual container 'other' permissions on the root of the filesystem are completely missing.

In addition the links to /dev/stdout and /dev/stderr for logging in the docker image Dockerfile don't work in ACI due to lack of the corresponding devices.
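
Added example, not part of the original thread and not rkt code: a small Python check that reads the `rootfs` lines from the listings in this issue and decides whether a user who is neither the owner nor in the directory's group can traverse the directory. The user name `nginx`, its group set, and the assumption that root bypasses the mode bits (CAP_DAC_OVERRIDE) are assumptions made for the illustration.

```python
# Added example: evaluate directory search (x) permission from `ls -l` output.
# The rootfs entries below are copied from the listings in this thread.
LISTINGS = {
    "coreos-rkt-0.9.0": "drwxr-x--- 1 root rkt 4096 Oct 15 15:15 rootfs",
    "ubuntu": "drwxrwxr-x 13 root rkt 4096 Oct 15 16:09 rootfs",
    "coreos-rkt-0.11.0": "drwxr-xr-x 1 root root 4096 Dec  2 09:13 roots",
}


def parse_ls_line(line):
    """Split one `ls -l` entry into (mode, owner, group, name)."""
    fields = line.split(None, 8)
    if len(fields) < 9 or len(fields[0]) < 10:
        raise ValueError("not an ls -l entry: %r" % line)
    return fields[0][:10], fields[2], fields[3], fields[8]


def permission_class(mode, owner, group, user, groups):
    """Return the one rwx triplet that applies to this user.

    Exactly one class is consulted: owner, else group, else other.
    """
    if user == owner:
        return mode[1:4]
    if group in groups:
        return mode[4:7]
    return mode[7:10]


def can_traverse(line, user, groups=()):
    """True if `user` may search (enter and resolve paths through) the directory."""
    mode, owner, group, _name = parse_ls_line(line)
    if mode[0] != "d":
        raise ValueError("not a directory: %r" % line)
    if user == "root":  # assumption: root still holds CAP_DAC_OVERRIDE
        return True
    # 's' and 't' mean the execute bit is set along with setgid/sticky.
    return permission_class(mode, owner, group, user, groups)[2] in ("x", "s", "t")


def report(user, groups):
    """Map each listing label to whether `user` can traverse its rootfs."""
    return {label: can_traverse(line, user, groups) for label, line in LISTINGS.items()}


if __name__ == "__main__":
    for label, ok in report("nginx", {"nginx"}).items():  # hypothetical user/group
        print("%-18s %s" % (label, "traverse ok" if ok else "EACCES on every path below"))
```

A denied search bit on one ancestor directory yields `13: Permission denied` for every file beneath it, regardless of the files' own modes, which matches the nginx error log above.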


NeilW commented Oct 15, 2015

Possibly the main issue is addressed by rkt/rkt#1607

So just the missing stdout and stderr devices breaking the logging on the Docker image then.


mischief commented Dec 2, 2015

@NeilW can you try this in the latest alpha? it has rkt 0.11.0.


NeilW commented Dec 2, 2015

srv-ks3dg stage1 # ls -la
total 36
drwxr-x--- 3 root root 4096 Dec  2 09:13 .
-rw------- 1 root root    0 Dec  2 09:13 .#rootfs.lck
drwxr-x--- 6 root root 4096 Dec  2 09:13 ..
-rw-r----- 1 root root  368 Dec  2 09:13 manifest
drwxr-xr-x 1 root root 4096 Dec  2 09:13 roots

LGTM

NeilW closed this as completed Dec 2, 2015