-
Notifications
You must be signed in to change notification settings - Fork 138
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Avoid errors when the process does not have enough permissions #120
Conversation
I wonder, is there a chance we might mask some future issues when suppressing warnings and errors while running There is also #112 that might get influenced by this change. How about making |
I share the general worry, but thinking more about it it looks to me like the only real issue that we might mask is when some directory we pass to the script does not exist. That's why there is a check
I don't think it would make all errors disappeared, because symlinks mentioned in #112 that point to root-owned files (correctly read-only) would still produce warnings/errors IMO.. the reason of not having enough permissions is different there. |
Problem is that the user is not in @hhorak For example for mongodb-container - adding |
Is this something that we want to have/is expected of containers running in Openshift? |
Copies of [1] https://github.com/sclorg/mongodb-container/blob/master/3.2/root/usr/libexec/fix-permissions
We should not change file attributes of similar files. Warning makes sense in this case IMPOV. |
In OpenShift all containers are running under |
sort of. The assemble script actually runs as the default user for the image, and if the default user for the image has specifically assigned groups, then those are the groups they will have, not necessarily the root group. But if the user is not listed in /etc/groups, then yes they get the root group. |
@bparees So when running container in OpenShift with "random" UID gets always root GID, or not? Is it possible that "random" UIG will be already listed in Is it problem to add default user to root group from OpenShift POV ? |
it's theoretically possible the user could be listed (and thus not have root group permissions) but pretty unlikely. the assigned/random uid range starts at like 10000 or something. i've never seen an image that defines user 10000 in their /etc/passwd and /etc/groups files.
no i don't think that should be a problem (but again you don't need to add the default user explicitly as long as the default user isn't otherwise already listed. for most of our images we use the default user 1001, which is why this works ok for us). |
In database images default user is different. So without random UID it causes problems. So solution it to also use 1001 user in database images or to add current default users to root group. @hhorak What to choose? |
I prefer to add the default users to the root group, since this issue does not seem worth changing the default user. So, it should remove the need to hide errors in case of |
We will make sure that the script calling the fix-permissions scripts are always part of the root group, so we don't need to solve 'not enough permissions' issue in case of chgrp calls.
A fixed solution with suggestions from #112 (comment) is available. |
[test] |
|
You are right! Build scripts for this image does not support I suggest to fix this by using https://github.com/sclorg/container-common-scripts (for example by accepting #121) |
Change image namespace according to provided TARGET
We will make sure that the script calling the fix-permissions scripts are always part of the root group, so we don't need to solve 'not enough permissions' issue in case of chgrp calls.
Sometimes there is not enough permissions to change attributes by
fix-permissions
. It was for example reported in sclorg/mariadb-container#32. This change should make these warnings disappeared.