fix: Wrap use of skopeo to avoid its unwanted side effects. #570
2 things are fixed here.

1. Running skopeo as root creates /run/containers with 700 permissions. That causes a problem when you run skopeo as root and then run stacker as non-root.

   The error would look like this:

   > error: initializing source ... getting username and password: 1 error occurred:
   > * reading JSON file "/run/containers/0/auth.json":
   > open /run/containers/0/auth.json: permission denied
   > couldn't import base layer base
   > stackerbuild.io/stacker/pkg/stacker.importContainersImage
   > /stacker-tree/pkg/stacker/base.go:141
   > stackerbuild.io/stacker/pkg/stacker.GetBase
   > /stacker-tree/pkg/stacker/base.go:49
   > stackerbuild.io/stacker/pkg/stacker.(*Builder).build
   > /stacker-tree/pkg/stacker/build.go:407
   > stackerbuild.io/stacker/pkg/stacker.(*Builder).BuildMultiple
   > /stacker-tree/pkg/stacker/build.go:622
   > main.doBuild

2. skopeo copy containers-registry populates ~/.local/share/containers/. This is an unwanted side effect of running the test. Further annoying is that it ends up getting directories with 555 perms on them. That means rm -Rf .local/share/containers/storage/vfs-layers will fail like:

   rm: cannot remove '.local/share/containers/storage/vfs/dir/HASH': Permission denied

We don't want someone's HOME getting populated with artifacts from stacker test, and there are probably also race conditions here in that we run stacker tests in parallel.

Signed-off-by: Scott Moser <smoser@brickies.net>
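An added example, not code from this PR: one way to keep a tool's per-user state out of the real HOME and /run, and to clean up afterwards even when 555-mode directories were left behind. `run_isolated`, `force_remove` and `fake_tool` are hypothetical names, and the sketch assumes the wrapped tool derives its state paths from HOME, XDG_DATA_HOME and XDG_RUNTIME_DIR.

```shell
# force_remove DIR: rm -rf that also copes with read-only (555) directories.
force_remove() {
    [ -n "$1" ] && [ -d "$1" ] || return 0
    # A non-root rm cannot unlink entries of a directory lacking u+w,
    # so restore owner permissions on the whole tree first.
    chmod -R u+rwx "$1" 2>/dev/null || true
    rm -rf -- "$1"
}

# run_isolated CMD [ARGS...]: run CMD with per-user state in a private tree.
# A fresh tree per call also keeps parallel runs from sharing state.
run_isolated() {
    sandbox=$(mktemp -d "${TMPDIR:-/tmp}/isolated.XXXXXX") || return 1
    mkdir -p "$sandbox/home" "$sandbox/run" || return 1
    chmod 700 "$sandbox/run"
    rc=0
    (   # subshell: the caller's environment stays untouched
        HOME="$sandbox/home"
        XDG_DATA_HOME="$HOME/.local/share"
        XDG_RUNTIME_DIR="$sandbox/run"
        export HOME XDG_DATA_HOME XDG_RUNTIME_DIR
        "$@"
    ) || rc=$?
    LAST_SANDBOX=$sandbox   # kept so callers can verify the cleanup
    force_remove "$sandbox"
    return "$rc"
}

# Constructed stand-in for a tool that writes state and leaves 555 dirs.
fake_tool() {
    layer="$HOME/.local/share/containers/storage/vfs/dir/HASH"
    mkdir -p "$layer" && echo data > "$layer/file" || return 1
    echo '{}' > "$XDG_RUNTIME_DIR/containers-auth.json" || return 1
    chmod -R a-w "$HOME/.local"
}
```

Calling `run_isolated fake_tool` leaves nothing behind; a real invocation would pass the actual command and its arguments in place of `fake_tool`.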
Codecov Report
All modified and coverable lines are covered by tests ✅
Additional details and impacted files
@@ Coverage Diff @@
## main #570 +/- ##
==========================================
+ Coverage 56.36% 57.12% +0.75%
==========================================
Files 64 64
Lines 7505 7505
==========================================
+ Hits 4230 4287 +57
+ Misses 2553 2477 -76
- Partials 722 741 +19
@@ -261,5 +279,5 @@ EOF | |||
stacker clean | |||
rm -rf folder1 | |||
cd "$ROOT_DIR" | |||
rm -rf "tmpdir" | |||
rm -rf "$tmpdir" |
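Review bot: on the `rm -rf "$tmpdir"` line, guard against an unset or empty variable, for example `rm -rf "${tmpdir:?}"`, so that a failed earlier assignment shows up as an error instead of a silent no-op that leaves the directory behind. The cleanup also sits after `stacker clean` and `cd "$ROOT_DIR"`, so if the test stops before reaching these lines the temporary directory still leaks; moving the removal into a teardown hook or trap, if the test framework offers one, would cover that path.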
worth mentioning you fixed a case where we left a tmpdir around when using test_copy_buffer_size
I think.
lgtm
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.