-
Notifications
You must be signed in to change notification settings - Fork 166
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
update otomi with workaround for docker run in linux #353
Comments
Will research this on my linux machine to see if this is an issue or a non-issue |
I bake my own container image and don't use the |
Can you provide more details for others here to help them? |
For development purposes:
docker build -t otomi/tools:my-tools -e NPM_TOKEN=$NPM_TOKEN .
COPY --chown=app . . with COPY . .
docker build -t otomi/core:my-core .
clouds:
aws:
domain: eks.otomi.cloud
clusters:
dev:
enabled: true
apiName: eks_otomi-cloud_eu-central-1_otomi-eks-dev
apiServer: BFE1BC8655F2C73189DCE38F5E40D0AC.gr7.eu-central-1.eks.amazonaws.com
k8sVersion: '1.19'
otomiVersion: my-core |
This effectively makes it use the base image user, which is root. Not wanted. |
assigning to Sebastiaan as he is into this. Don't reassign! |
tl;dr: There is a project that changes ownership on the fly, basically what OSXFS does for Docker for Mac: https://github.com/tianon/gosu. For reference, this post: https://stackoverflow.com/a/54787364/8357826. SummaryFor others that see this issue with containers running as a different user, you need to ensure the uid/gid of the user inside the container has permissions to the file on the host. On production servers, this is often done by controlling the uid/gid in the image build process to match a uid/gid on the host that has access to the files (or even better, do not use host mounts in production). A named volume is often preferred to host mounts because it will initialize the volume directory from the image directory, including any file ownership and permissions. This happens when the volume is empty and the container is created with the named volume. MacOS users now have OSXFS which handles uid/gid's automatically between the Mac host and containers. One place it doesn't help with are files from inside the embedded VM that get mounted into the container, like /var/lib/docker.sock. For development environments where the host uid/gid may change per developer, my preferred solution is to start the container with an entrypoint running as root, fix the uid/gid of the user inside the container to match the host volume uid/gid, and then use gosu to drop from root to the container user to run the application inside the container. The important script for this is fix-perms in my base image scripts, which can be found at: https://github.com/sudo-bmitch/docker-base The important bit from the fix-perms script is:
That gets the uid of the user inside the container, and the uid of the file, and if they do not match, calls usermod to adjust the uid. Lastly it does a recursive find to fix any files which have not changed uid's. I like this better than running a container with a -u You can also have docker initialize a host directory from an image by using a named volume that performs a bind mount. This directory must exist in advance, and you need to provide an absolute path to the host directory, unlike host volumes in a compose file which can be relative paths. The directory must also be empty for docker to initialize it. Three different options for defining a named volume to a bind mount look like:
Lastly, if you try using user namespaces, you'll find that host volumes have permission issues because uid/gid's of the containers are shifted. In that scenario, it's probably easiest to avoid host volumes and only use named volumes. |
I agree, it isn't a permanent solution. |
can you test and document that for the outside world then? |
There are actually two options he suggests:
Which do we prefer? Personally, I think named volumes would be more flexible for our stack. |
You choose ;) You don't have to involve me in all of these decisions. Just explain your choices if that is informative. If I need to be involved I hope you can explain why and what is expected of me. |
This is a proposal for named volumes: function named_volume() {
[ -z "$NAMED_VOLUME" ] && volume_name='otomi-volume'
helper_container_name="named-volume-tmp-helper-container"
source_files=$1
destination_path=$2
docker container inspect $helper_container_name >/dev/null 2>&1 && docker rm $helper_container_name
docker container create --name $helper_container_name -v $volume_name:$destination_path hello-world >/dev/null 2>&1 &&
docker cp $source_files $helper_container_name:$destination_path >/dev/null 2>&1 &&
docker rm $helper_container_name >/dev/null 2>&1
retval="$volume_name:$destination_path"
} I tested it, and it sets the correct permissions into the named volume. It would enable us to mount everything separately (or everything with named_volume /tmp /tmp E.g. docker run $docker_terminal_params --network host --rm \
-v $(named_volume /tmp /tmp && echo $retval) \
... It's just an example and not conclusive yet but curious about your thoughts. |
Follow-up sprint planning: create aforementioned proposal IF not on "Darwin" (or something similar). |
Sorry guys, my hack didn't work as expected. It seems rootless containers on a Linux host is still an open issue, read moby/moby#2259. Please note the distinction between NEW volumes and run-time/bind volumes. And to me this is the expected behaviour. Why would the This is by design, right? If the container is compromised, it should not be possible to To recap what happens on MacOS: OSXFS changes ownership on the fly. I've tried this approach as well, but I guess this only makes sense in the context of MacOS, where Docker-for-Mac runs a VM just for Docker, so there is no opening for compromise. If you change ownership on-the-fly in Linux you can access files in the container, but then they become unavailable on the host. |
tl;dr Makes sense to me if the user running is on its own host and knows what he is doing? |
Seems like a valid hack to me for non-osx systems. Please go ahead |
See last comments
The text was updated successfully, but these errors were encountered: