This repository has been archived by the owner on Feb 24, 2020. It is now read-only.

stage2: permissions on / being changed to 711 #1703

Closed
cgonyeo opened this issue Oct 30, 2015 · 7 comments

Comments

@cgonyeo
Member

cgonyeo commented Oct 30, 2015

rkt appears to be changing the permissions of the ACI's / directory to 711, which breaks things like apache:

[Fri Oct 30 23:51:10.827521 2015] [core:error] [pid 7] (13)Permission denied: [client ::1:39776] AH00035: access to /favicon.ico denied (filesystem path '/var') because search permissions are missing on a component of the path, referer: http://localhost/

If the exec command for the ACI includes /bin/bash -c "chmod 755 / && ..." then apache works. I believe rkt should keep the permissions on / set to whatever they were in the ACI.

@cgonyeo
Member Author

cgonyeo commented Oct 31, 2015

To see this issue in action, here's an acbuild script:
https://gist.github.com/dgonyeo/bcaa4361ef6aed1041cb

Run the resulting ACI, rkt enter [ID] /bin/sh, and ls -lah /

@jonboulle jonboulle added this to the v0.11.0 milestone Oct 31, 2015
@yifan-gu
Contributor

To be clear, here the / is the rootfs of the stage2

@cgonyeo
Member Author

cgonyeo commented Nov 1, 2015

I just happened across a far easier test for this, writing it down for posterity.

sudo rkt run --interactive quay.io/coreos/alpine-sh
echo "" | adduser test
su test

will produce:

su: can't execute '/bin/sh': Permission denied

workaround:

chmod 755 /
su test

@alban
Member

alban commented Nov 1, 2015

The incorrect permission 711 comes from the archive:

$ wget -O - https://quay.io/c1/aci/quay.io/coreos/alpine-sh/latest/aci/linux/amd64/ | tar tvz
-rw-r--r-- 0/0             757 1970-01-01 01:00 manifest
drw-r--r-- 0/0               0 1970-01-01 01:00 rootfs/
drwxr-xr-x 0/0               0 2015-09-14 21:17 rootfs/bin/
...

I think the archive is incorrect and the rootfs directory should have 755. Since #1607, rkt respects the permissions defined in the archive.

The acbuild script uses the same coreos/alpine-sh image so it inherits the same permissions for /.

@eyakubovich: do you know how that coreos/alpine-sh image is created?
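A small check for the point made above, as an added example that is not rkt, docker2aci or acbuild code: it reads the rootfs/ directory entry of an ACI archive, the same entry the tar tvz listing shows, and reports which permission classes (user, group, other) lack the search (x) bit that a process needs to traverse /. The archives it builds are constructed in memory as samples; the manifest name is a placeholder and no real image is fetched.

```python
"""Inspect the mode of the rootfs/ entry in an ACI tarball.

Added example for this thread; it is not rkt or docker2aci code. The ACI
archives built here are minimal constructed samples, not real images.
"""
import io
import stat
import tarfile
from typing import List, Optional, Tuple


def build_aci(rootfs_mode: int) -> bytes:
    """Build a minimal gzipped ACI-like archive in memory (constructed sample).

    Layout mirrors the listing in the thread: a manifest file, a rootfs/
    directory entry carrying the mode under test, and rootfs/bin/ at 755.
    """
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tf:
        # Placeholder manifest; the name is not a real image.
        manifest = b'{"acKind": "ImageManifest", "name": "example.invalid/sample"}'
        info = tarfile.TarInfo("manifest")
        info.size = len(manifest)
        info.mode = 0o644
        tf.addfile(info, io.BytesIO(manifest))

        root = tarfile.TarInfo("rootfs")
        root.type = tarfile.DIRTYPE
        root.mode = rootfs_mode  # the bits rkt honours for / inside the pod
        tf.addfile(root)

        bindir = tarfile.TarInfo("rootfs/bin")
        bindir.type = tarfile.DIRTYPE
        bindir.mode = 0o755
        tf.addfile(bindir)
    return buf.getvalue()


def rootfs_mode(aci_bytes: bytes) -> Optional[int]:
    """Return the permission bits of the rootfs/ directory entry, or None if absent."""
    with tarfile.open(fileobj=io.BytesIO(aci_bytes), mode="r:*") as tf:
        for member in tf:
            # tarfile strips the trailing slash on directory names; rstrip anyway.
            if member.isdir() and member.name.rstrip("/") == "rootfs":
                return stat.S_IMODE(member.mode)
    return None


def missing_search_bits(mode: int) -> List[str]:
    """Name the classes that cannot traverse (search) a directory with this mode."""
    classes = (("user", stat.S_IXUSR), ("group", stat.S_IXGRP), ("other", stat.S_IXOTH))
    return [name for name, bit in classes if not mode & bit]


def check_aci(aci_bytes: bytes) -> Tuple[Optional[int], List[str]]:
    """Return (mode, classes lacking search permission) for the archive's rootfs/ entry."""
    mode = rootfs_mode(aci_bytes)
    if mode is None:
        return None, []
    return mode, missing_search_bits(mode)


if __name__ == "__main__":
    for sample_mode in (0o644, 0o711, 0o755):
        found, lacking = check_aci(build_aci(sample_mode))
        verdict = "ok" if not lacking else "no search permission for " + ", ".join(lacking)
        print(f"rootfs/ mode {found:04o}: {verdict}")
```

Run against a real archive by passing its bytes to check_aci; a rootfs/ entry shown as drw-r--r-- in tar tvz comes back as 0o644 with all three classes lacking search permission, which is exactly the state in which an unprivileged user such as apache cannot resolve paths under /.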

@alban
Member

alban commented Nov 2, 2015

The image generated by docker2aci has 755:

$ docker2aci docker://quay.io/coreos/alpine-sh
$ tar tvf coreos-alpine-sh-latest.aci |grep rootfs$
drwxr-xr-x 0/0               0 1970-01-01 01:00 rootfs

And Docker images don't have information about the permissions of / because there are no entries in the archive for it, see:

$ sudo docker save quay.io/coreos/alpine-sh | tar xv
$ find -name layer.tar | xargs -n 1 tar tvf

So I guess that 711 comes from quay.io.

@iaguis
Member

iaguis commented Nov 2, 2015

FTR, the 755 of docker2aci is hardcoded.

@cgonyeo
Member Author

cgonyeo commented Nov 2, 2015

After looking more closely I agree that rkt appears to be fine, the image coming from quay is just wonky. Nevermind.
