Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

permission denied in unpriv.create when creating rootless image #222

Closed
lukasheinrich opened this issue Jan 8, 2018 · 6 comments
Closed

permission denied in unpriv.create when creating rootless image #222

lukasheinrich opened this issue Jan 8, 2018 · 6 comments
Labels
bug

Comments

@lukasheinrich
Copy link

lukasheinrich commented Jan 8, 2018
edited
Loading

Hi,

we're trying to test the skopeo / umoci / runc toolchain for usage within high energy physics usecases (ATLAS experiment). We publish images on Docker Hub that we'd like to run in rootless mode

hub.docker.com/r/atlas/

but unpacking them with umoci hrows this error (unpacking e.g. busybox works fine)

create runtime bundle: unpack layer: unpack entry: etc/gshadow: create regular: unpriv.create: open unpacked_atlas/rootfs/etc/gshadow: permission denied

steps to reproduce

skopeo copy docker://atlas/analysisbase oci:atlas_analysisbase:latest
umoci unpack --rootless --image $PWD/atlas_analysisbase:latest unpacked_atlas

any pointers what could be amiss?

(cc'ing @davidlt)
@cyphar
Copy link
Member

cyphar commented Jan 8, 2018
edited
Loading

First off, cool. 😸

I think this is happening because the mode of /etc/gshadow in the image is 000 (though I could've sworn this is a case we already handled), and umoci is trying to truncate the file in order to overwrite it. The fix is either to remove "regular" files when unpacking over them rather than truncating, or to make unpriv.Wrap also chmod the final path. I'll take a look and add a test for this.

@cyphar
Copy link
Member

cyphar commented Jan 8, 2018
edited
Loading

I just realised that these two possible options have different semantics in the case of hard-linked files (which the spec doesn't help clarify). If you have a hard-linked file, and then you have a new layer that modifies the file, should the other hard-links see the modifications?

In theory, the new layer should have tar.TypeLink files as well, so I guess we should remove the old file? But then this makes implementing unpacking more difficult...

@cyphar cyphar mentioned this issue Jan 8, 2018
Merged
@cyphar
Copy link
Member

cyphar commented Jan 8, 2018

I've gone with the removal option in #223. PTAL and double-check it fixes the issue (that patch fixed the issue on my machine).

@lukasheinrich
Copy link
Author

Thanks @cyphar for the very quick turn-around. I'll try to check this later today.

L

@lukasheinrich
Copy link
Author

@cyphar any ETA on the 0.4.0 release? Thanks.

@cyphar
Copy link
Member

cyphar commented Jan 16, 2018

https://github.com/openSUSE/umoci/milestone/9 tracks the remaining issues I would like to fix before 0.4.0. Only one of them requires significant work (#224) and I'm working on it at the moment. The plan would be to release it end of next week.

@taylorsilva taylorsilva mentioned this issue Dec 25, 2019
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@lukasheinrich @cyphar