Permission denied on alpine

[muellerj]

I was trying to get the self-hosted server running Alpine 3.19 to work but ran into problems when accessing the temporary files from the docker image:

/srv/codapi # cat bin/test
#!/bin/sh

curl \
  -H "content-type: application/json" \
  -d '{ "sandbox": "sh", "command": "run", "files": {"": "echo hello" }}' \
  http://localhost:1313/v1/exec
/srv/codapi # bin/test | jq
{
  "id": "sh_run_b3a94e77",
  "ok": false,
  "duration": 416,
  "stdout": "",
  "stderr": "sh: can't open 'main.sh': Permission denied\n (exit status 2)"
}

The logs look similar:

/var/lib/codapi # tail -n2 /var/log/codapi/openrc.log 
2024/01/15 22:23:50 [run --rm --name sh_run_b3a94e77 --runtime runc --cpus 1 --memory 64m --network none --pids-limit 64 --user sandbox --read-only --volume /tmp/1851081613:/sandbox:ro --cap-drop all --ulimit nofile=96 codapi/alpine sh main.sh]
2024/01/15 22:23:50 ✗ sh_run_b3a94e77: sh: can't open 'main.sh': Permission denied (exit status 2)

The folder /tmp has the usual permissions.

I've documented my setup [here][1]. Is there something I've misconfigured?

Thanks for your help in advance!

[1]: https://git.tigger.cloud/public/codapi-setup-alpine

[muellerj]

One more indicator that might help: The file does get created and it looks to me as if it has the correct permissions:

/var/lib/codapi # while true; do ls -l /tmp/* | grep codapi; done

# This prints nothing until a request arrives an then lots of the following line

-r--r--r--    1 codapi   docker          10 Jan 15 22:48 main.sh
# ...

One thing I don't understand is the discrepancy between the id of the sandbox user and the ownership of /sandbox:

/var/lib/codapi # doas -u codapi docker run --rm --name sh_run_68222003 --runtime runc --cpus 1 --memory 64m --network none --pids-limit 64 --user sandbox --read-only --volume /tmp/foo:/sandbox:ro --cap-d
rop all --ulimit nofile=96 codapi/alpine sh -c "ls -l /"
total 56
drwxr-xr-x    2 root     root          4096 Nov 30 09:32 bin
drwxr-xr-x    5 root     root           320 Jan 15 22:13 dev
drwxr-xr-x   18 root     root          4096 Jan 15 22:13 etc
drwxr-xr-x    2 root     root          4096 Nov 30 09:32 home
drwxr-xr-x    7 root     root          4096 Nov 30 09:32 lib
drwxr-xr-x    5 root     root          4096 Nov 30 09:32 media
drwxr-xr-x    2 root     root          4096 Nov 30 09:32 mnt
drwxr-xr-x    2 root     root          4096 Nov 30 09:32 opt
dr-xr-xr-x  148 root     root             0 Jan 15 22:13 proc
drwx------    2 root     root          4096 Nov 30 09:32 root
drwxr-xr-x    2 root     root          4096 Nov 30 09:32 run
drwx------    2 1001     sandbox         60 Jan 15 21:53 sandbox
drwxr-xr-x    2 root     root          4096 Nov 30 09:32 sbin
drwxr-xr-x    2 root     root          4096 Nov 30 09:32 srv
dr-xr-xr-x   13 root     root             0 Jan 15 22:13 sys
drwxrwxrwt    2 root     root          4096 Nov 30 09:32 tmp
drwxr-xr-x    7 root     root          4096 Nov 30 09:32 usr
drwxr-xr-x   12 root     root          4096 Nov 30 09:32 var
/var/lib/codapi # doas -u codapi docker run --rm --name sh_run_68222003 --runtime runc --cpus 1 --memory 64m --network none --pids-limit 64 --user sandbox --read-only --volume /tmp/foo:/sandbox:ro --cap-d
rop all --ulimit nofile=96 codapi/alpine sh -c "id -u"
1000

[nalgeon]

https://git.tigger.cloud/public/codapi-setup-alpine - this link requires authorization.

[muellerj]

Cloning in `/public` works without authentication. I haven't gotten around to building an unauthenticated section of the web UI 😉

[muellerj]

If you'd like, I can mirror the repo on GitHub.

[nalgeon]

No, it's fine, thank you. Now I need some time to investigate, probably be back tomorrow.

[nalgeon]

Fixed in 0.7.0, please try the new codapi binary.

[muellerj]

Indeed! Thank you very much for the fast response 😄 Please feel free to close this.

[nalgeon]

Great! Thanks for reporting the issue.