-
Notifications
You must be signed in to change notification settings - Fork 82
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Apply ownership in unpacked entries #3
Conversation
Not super sure about this, ownership should be preserved regardless of whether the tool is run by root or now. (not sure how docker engine handles this also) |
On Thu, Sep 15, 2016 at 10:26:35AM -0700, Antonio Murdaca wrote:
It is usually not possible to preserve ownership when an unprivileged ea4e2ea just hard-codes that default, which is fine with me. |
then we should warn about running oci-unpack only with root (or any privileged user) instead of patching the code to check for uid 0. Just fail when trying to chown root:root it's sufficient for me. |
But we may need to reroll or add helper functions to avoid 1: $ make lint |
On Thu, Sep 15, 2016 at 10:37:10AM -0700, Antonio Murdaca wrote:
Sometimes you cannot become root, and it would be nice to support |
On Thu, Sep 15, 2016 at 10:37:10AM -0700, Antonio Murdaca wrote:
And if you take this perfect-unpack rule (which I want to relax, |
do you have any real example of a use case where you don't need to be root to unpack a rootfs with the correct ownership? I may be missing something... again, the uid == 0 is an ugly hack to me. |
you don't support "image-tools" - validate works w/o privileges for instance. if any of the tool needs privileges to run properly let's just document it instead of them running "unpack" with a normal user and having ownership broken on the image files. |
On Thu, Sep 15, 2016 at 10:43:07AM -0700, Antonio Murdaca wrote:
You're about to launch a container as an unprivileged user, and will |
but isn't files ownership broken because you did not chmod correctly when unpacking with an unpriv user? # this is wrong no?
root@vagrant:/tmp# ls -la ubuntu-unpacked-old/etc/shadow
-rw-r----- 1 root root 652 Sep 15 17:17 ubuntu-unpacked-old/etc/shadow |
On Thu, Sep 15, 2016 at 10:48:36AM -0700, Antonio Murdaca wrote:
Nope, the ownership (1000:1000, because I didn't have permission to
The unpacker should be applying the entry mode regardless of ownership |
@runcom I understand your concern. I chose this route because
@wking, GrootFS is already dealing with image translation for unprivileged users. It's doing so by making a user namespace and setting a UID map (using the @runcom is right. The file that should have been owned by the group That said, and given the complexity of translating images as a non-root user, I think this is not part of this PR. If |
wrong button :) |
On Thu, Sep 15, 2016 at 02:21:23PM -0700, George Lestaris wrote:
Is that a range of one? From user_namespaces(7):
If so, I don't see the point (you'll end up with everything owned by $ unshare -Ur chown 5:5 /
This doesn't matter, because unprivileged user namespaces will only |
On Thu, Sep 15, 2016 at 02:33:46PM -0700, W. Trevor King wrote:
Ah, you could get around this with /etc/subuid and newuidmap [1](which is presumably setuid root), assuming your sysadmin was kind |
For GrootFS doing it through Can someone explain to me what this means:
It's apparently the reason why the second commit didn't pass CI. Can someone restart the job or should I re-push something? Is it worth fixing this deadline? |
Also, it makes me a bit sad that the |
On Thu, Sep 15, 2016 at 03:15:58PM -0700, George Lestaris wrote:
type Unpacker { func (unpacker *Unpacker) Unpack(…) error { |
On Thu, Sep 15, 2016 at 03:14:06PM -0700, George Lestaris wrote:
I imagine Travis got stuck for too long, and we shoudn't worry about |
typ string // the type to bundle, can be empty string | ||
ref string | ||
root string | ||
noSameOwner bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
To avoid double-negatives, I'd prefer sameOwner
.
@@ -81,6 +82,11 @@ func newBundleCmd(stdout, stderr *log.Logger) *cobra.Command { | |||
It is strongly recommended to keep the default value.`, | |||
) | |||
|
|||
cmd.Flags().BoolVar( | |||
&v.noSameOwner, "no-same-owner", false, | |||
`Extract files as yourself instead of preserving the owner and group of each entry.`, |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This would have to get turned around with a positive --same-owner
. Do cobra's boolean flags provide a way to set on/off?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The problem with having it --same-owner
is that the default behaviour will be ignoring the ownership. The user will need to explicitly provide the flag, which sounds error-prone.
What do you mean by setting the flag on/off?
|
||
case tar.TypeDir: | ||
if err := os.Chown(path, hdr.Uid, hdr.Gid); err != nil { | ||
return errors.Wrap(err, "error chowing directory") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably not worth splitting cases just for file/directory in the error message. Can we roll this in with tar.TypeReg
? If the Chown
error doesn't already include it (I haven't checked), it would be nice to include the path.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed, I am not a big fun of it either. I would even go one step further into dropping the switch altogether§ and calling Lchown
for every entry (file, directory or symlink).
@@ -112,7 +112,7 @@ func TestUnpackLayer(t *testing.T) { | |||
Digest: fmt.Sprintf("sha256:%s", fmt.Sprintf("%x", h.Sum(nil))), | |||
}}, | |||
} | |||
err = testManifest.unpack(newPathWalker(tmp1), filepath.Join(tmp1, "rootfs")) | |||
err = testManifest.unpack(newPathWalker(tmp1), filepath.Join(tmp1, "rootfs"), false) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we get a new test for preserveOwnership == true
? I'm not sure what Go's test framework includes for skipping tests, but it would be nice to run that if the tests were run as root.
That is just misleading, as @glestaris pointed out above, you'll end up having wrong ownership on files and I don't think that's wanted - well, you're undergrad could probably go and learn how to do things right maybe. However, the inverted logic with a flag is working for me /cc @vbatts |
On Thu, Sep 15, 2016 at 11:56:28PM -0700, George Lestaris wrote:
Always calling Lchown sounds good to me. |
On Thu, Sep 15, 2016 at 11:54:01PM -0700, George Lestaris wrote:
You could have the default behavior switch on root-ness, and the flag
If you add a ‘same-owner’ boolean, do you get support for --same-owner |
|
On Fri, Sep 16, 2016 at 01:12:51AM -0700, Antonio Murdaca wrote:
What do you want them to do, kidnap the sysadmin and force them to
It's not wrong if you have only one GID to use. Say you had the power If unprivileged users have the image content automatically translated |
On Fri, Sep 16, 2016 at 02:13:53AM -0700, Antonio Murdaca wrote:
Maybe? Can you link to docs? I can't turn any up… |
it's |
I pushed a new set of commits. @wking it does not include the test for the ownership preservation case. I will try to add it in the next few days if you still think it's important. @runcom is correct. The
|
On Mon, Oct 03, 2016 at 02:50:44PM -0700, Aleksa Sarai wrote:
So for a given UID there are three cases:
But I don't think we need much special handling beyond 7d9350e for The only thing I think we're missing is a --no-same-owner, which you |
You get EINVAL in case 3. |
On Mon, Oct 03, 2016 at 03:20:49PM -0700, Aleksa Sarai wrote:
Ah, right. That may make the cases easier to distinguish, but I think |
besides a rebase, what is needed here? |
@vbatts I did the rebasing Pending the CI to run I think it should be alright. The latest side discussion on UID translation was redirected to #33. @runcom are you okay with the current interface/behaviour? This PR can be summed up to the following logic:
|
I don't understand the CI failures :P It fails in
|
I rebased this again :) Unfortunately, I still can't make Ping @vbatts @jonboulle @stevvooe PTAL |
On Tue, Oct 25, 2016 at 01:40:34PM -0700, George Lestaris wrote:
I bet your error 1 is another instance of Travis not setting $ git log '' Ping @vbatts. |
I would like to eventually see @runcom @vbatts Quickly regarding whether or not it is ever correct to extract a rootfs without changing the owner properly (as I mentioned in #33): I think you're missing the point. What matters to someone who is creating these images is that I can set the correct owners inside the diff layers (whether or not I had to cheat to do it is a separate issue -- and outside the concern of the extraction API). In particular, if you look at |
@cyphar that could be an easy next step. Given how stalled this PR is I don't want to add more context. I am willing to PR adding UID/GID translation once this is merged. At this point, though, approaching the two-month mark, I start to wonder if it would be better to close this and create a fresh one without the 67 comments which may or may not help maintainers get to the bottom of it faster :) |
Signed-off-by: George Lestaris <glestaris@gmail.com>
Signed-off-by: George Lestaris <glestaris@gmail.com>
The `--same-owner` flag can be used to force ownership preservation when `oci-create-runtime-bundle` or `oci-unpack` are run by a non-root user. When run by root, both commands with preserve ownership by default. Signed-off-by: George Lestaris <glestaris@gmail.com>
@glestaris Fair enough. For what it's worth I'm going to implement it my way inside |
type Unpacker struct { | ||
// If set, the ownership of files, directories and symblic links defined in | ||
// the layers, will be preserved in the unpacked root file system. | ||
PreserveOwnership bool |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Might it be better that this takes a function that translates the entries, rather than just a bool? There are a lot of different ways to do it and make this work with this bool may be a little awkward.
PreserveOwnership
, the default (I guess) would this:
func PreserveOwnship(uid, gid string) (string, string, error) {
u, err := os/user.Current()
if err { return "", "", err }
return u.Uid, u.Gid, nil
}
Result of this function can be memoized to minimize the number of calls during the unpacking process.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cyphar has something closer to this in cyphar/umoci@9f88dd9a, see here. I'm fine with that as an end goal, but this PR is certainly better than what we have now. I'm fine with it landing while someone works up a PR for an explicit ID-mapping approach.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Introducing the --same-owner
tag introduces an oversimplification to this problem that may be limiting. This model is getting enshrined into the depths of this package, which is the path to permanence.
This needs to be fixed before this PR lands.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'd like to note that actually the implementation of a --same-owner
flag is harder than you might think, and it's not just a matter of chown
ing all of the files to the same owner. I don't really mind how the mapping of users is done (though I feel like the functional approach will end up being overkill when what you actually want is to have explicit rspec.LinuxIDMapping
with an option to ignore errors [meaning to default to root] during the mapping).
If you're an unprivileged user (which is the goal of this PR) you have a bunch of restrictions that mean you have to hack around things like files which give you no read permission even though you are their owner.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On Fri, Nov 18, 2016 at 06:41:55PM -0800, Aleksa Sarai wrote:
I'd like to note that actually the implementation of a
--same-owner
flag is harder than you might think, and it's not just a matter ofchown
ing all of the files to the same owner.
What's wrong with this PR's current --same-owner
implementation? It's not chowning files to the same owner, it's just not chown
ing them at all. Can you propose a test exposing flaws in that approach?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
On Fri, Nov 18, 2016 at 08:27:16PM -0800, Aleksa Sarai wrote:
% chmod 0000 some
That does looks awkward, but this PR is just about ownership. Mode bits seem orthogonal, although both are mentioned in #17. Since this PR is already two months old, I'd rather limit the scope creep. We can always address mode bits in follow-up work.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That does looks awkward, but this PR is just about ownership.
Sure. But my point was that unprivileged unpacking has problems that are beyond just coming up with a nice mapping function. It was an aside, not a complaint about the current PR.
I'd rather limit the scope creep.
Pot, meet kettle.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@cyphar While the IDMapping approach is sufficient, a callback function seems like a first step in getting this right without propagating the data structure with a bool
too widely. There may be lots of ways to map these ids in the future but this is orthogonal to how they're applied.
Indeed, there is more complexity to applying uid/gid, but I don't see how this affects where we get them from.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@stevvoe I don't mind making PreserveOwnership
a callback. What changes would you like in the CLI? The --same-owner
is mostly inspired by the tar
CLI.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@glestaris Making this a callback/interface is sufficient.
I was just worried about having policy embedded deep in the unpacking layer.
Bump to v0.1.0. Vote was +7 -0 #3. Closes #116 LGTMs: @cyphar @coolljt0725 @vbatts
@glestaris wondering what happened to this patch? |
It hasn't been worked on in a while. In the meantime you now have tools like umoci which handle this and other things much better. I would recommend using those for general purpose image manipulation. There was a plan to merge most of these changes back into image-tools but those discussions stalled very quickly. (Disclaimer: I wrote umoci.) |
Aleksa, have you thought about just moving umoci to oci?
…On Thu, Sep 13, 2018 at 6:00 PM Aleksa Sarai ***@***.***> wrote:
It hasn't been worked on in a while. In the meantime you now have tools
like umoci <https://github.com/openSUSE/umoci> which handle this and
other things much better. I would recommend using those for general purpose
image manipulation.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#3 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAD5IeXtudbols_BEaZq3UShwPyYtwfRks5uauOSgaJpZM4J-H6j>
.
--
Cheers,
Chris Aniszczyk
http://aniszczyk.org
+1 512 961 6719
|
I feel like he has proposed that and some folks weren't in favor.
On Fri, Sep 14, 2018, 12:03 Chris Aniszczyk <notifications@github.com>
wrote:
… Aleksa, have you thought about just moving umoci to oci?
On Thu, Sep 13, 2018 at 6:00 PM Aleksa Sarai ***@***.***>
wrote:
> It hasn't been worked on in a while. In the meantime you now have tools
> like umoci <https://github.com/openSUSE/umoci> which handle this and
> other things much better. I would recommend using those for general
purpose
> image manipulation.
>
> —
> You are receiving this because you are subscribed to this thread.
> Reply to this email directly, view it on GitHub
> <
#3 (comment)
>,
> or mute the thread
> <
https://github.com/notifications/unsubscribe-auth/AAD5IeXtudbols_BEaZq3UShwPyYtwfRks5uauOSgaJpZM4J-H6j
>
> .
>
--
Cheers,
Chris Aniszczyk
http://aniszczyk.org
+1 512 961 6719
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#3 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAEF6RXD6rY76KgZ73sUsX02ccVC6hdXks5ua9NdgaJpZM4J-H6j>
.
|
times have changed though, wonder if it would warrant another discussion
On Fri, Sep 14, 2018 at 11:06 AM Vincent Batts <notifications@github.com>
wrote:
… I feel like he has proposed that and some folks weren't in favor.
On Fri, Sep 14, 2018, 12:03 Chris Aniszczyk ***@***.***>
wrote:
> Aleksa, have you thought about just moving umoci to oci?
>
> On Thu, Sep 13, 2018 at 6:00 PM Aleksa Sarai ***@***.***>
> wrote:
>
> > It hasn't been worked on in a while. In the meantime you now have tools
> > like umoci <https://github.com/openSUSE/umoci> which handle this and
> > other things much better. I would recommend using those for general
> purpose
> > image manipulation.
> >
> > —
> > You are receiving this because you are subscribed to this thread.
> > Reply to this email directly, view it on GitHub
> > <
>
#3 (comment)
> >,
> > or mute the thread
> > <
>
https://github.com/notifications/unsubscribe-auth/AAD5IeXtudbols_BEaZq3UShwPyYtwfRks5uauOSgaJpZM4J-H6j
> >
> > .
> >
>
>
> --
> Cheers,
>
> Chris Aniszczyk
> http://aniszczyk.org
> +1 512 961 6719
>
> —
> You are receiving this because you were mentioned.
> Reply to this email directly, view it on GitHub
> <
#3 (comment)
>,
> or mute the thread
> <
https://github.com/notifications/unsubscribe-auth/AAEF6RXD6rY76KgZ73sUsX02ccVC6hdXks5ua9NdgaJpZM4J-H6j
>
> .
>
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#3 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AAD5ITAMe_tgunHFkkQgg9gLMfZcGzWVks5ua9P8gaJpZM4J-H6j>
.
--
Cheers,
Chris Aniszczyk
http://aniszczyk.org
+1 512 961 6719
|
https://groups.google.com/a/opencontainers.org/forum/#!topic/dev/GZ2q3jGlI0w Honestly we should just deprecate image-tools and if Aleksa is still open to it then umoci should be the official replacement |
I wouldn't have a problem with re-opening the discussion of merging umoci into OCI again. In the past two years, umoci has progressed quite a bit and I'm still happily working on some new stuff within it. My main two questions would be:
|
/ping @caniszczyk ^^ Did you want to discuss this on the ML again? |
@cyphar I'm happy to kickstart the discussion, I see two approaches:
|
@caniszczyk I would prefer (1), but the key question about (2) is how would that work -- would the idea be that we just copy over the entire project and rename it? Is this not sort of abusing the rules for project inclusion 😉? |
This patch will apply the user/group, found in the tar entry, to the unpacked
files, directories, and symlinks. It will only do so if the user running the
oci-unpack
tool is root.To test the patch, I used latest Ubuntu from Dockerhub, converted to OCI
format with
skopeo
:skopeo copy docker://ubuntu oci://$PWD/ubuntu
With the current
oci-unpack
, all files and directories are owned by the userthat does the unpacking:
With the proposed patch, the correct ownership is applied: