Azure / iotedgedev

The Azure IoT Edge Dev Tool greatly simplifies your Azure IoT Edge development process. It has everything you need to get started and helps with your day-to-day Edge development.
https://aka.ms/iotedgedev

Missing permissions for a user specified in the dockerfile #480

Closed MagdaPaj closed 3 years ago

MagdaPaj commented 3 years ago

I have a module Dockerfile where I build my dotnet console app and specify a user moduleuser. Similar to this:

FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build-env
WORKDIR /app

COPY ["./foo.csproj", "."]
RUN dotnet restore "foo.csproj"

COPY . .
RUN dotnet publish foo.csproj -c Release -o out

FROM mcr.microsoft.com/dotnet/runtime:5.0-buster-slim
RUN useradd -ms /bin/bash moduleuser
USER moduleuser

WORKDIR /app
COPY --from=build-env /app/out ./
RUN ls -la

ENTRYPOINT ["dotnet", "foo.dll"]

When I build the image with the docker build command, moduleuser has write permissions in the app folder. See here: (screenshot)

But when I build it using the iotedgedev tool, it doesn't have write permissions in the app folder. moduleuser is not listed, and it doesn't have any write permissions: (screenshot)

I'm running iotedgedev tool in the container from Windows (as explained here) and with the following build command: sudo iotedgedev build --file deployment.template.json --platform amd64.

However, I noticed the same behavior in Azure Pipelines where IoT Edge Dev Tool is installed with pip, on the hosted agent with ubuntu latest.

As a workaround, I explicitly set permissions for moduleuser to access the /app folder with chown -R moduleuser /app, and it works correctly. But I would like to know whether those missing permissions for the user are expected, and why the behavior is not the same as with the docker build command.

marianan commented 3 years ago

@MagdaPaj thanks for reporting this issue, we added it to our backlog and will update the thread when more details are available.

konichi3 commented 3 years ago

Hi @MagdaPaj

Are we supposed to see any errors? I tried to build using iotedgedev build but couldn't seem to repro.

Here is my Dockerfile for AMD64.

FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build-env
WORKDIR /app

COPY *.csproj ./
RUN dotnet restore

COPY . ./
RUN dotnet publish -c Release -o out

FROM mcr.microsoft.com/dotnet/core/runtime:3.1-buster-slim
WORKDIR /app
COPY --from=build-env /app/out ./

RUN useradd -ms /bin/bash moduleuser
USER moduleuser

(screenshot)

MagdaPaj commented 3 years ago

Thank you @konichi3 for checking this.

No, there are no errors. My point is that there is a difference in permissions when you build an image using docker build vs when you build it using iotedgedev tool. And I would like to understand why.

So steps you need to do:

  1. Update your Dockerfile. Move user creation and assignment before setting WORKDIR to /app, so you should have it like this:

     FROM mcr.microsoft.com/dotnet/core/sdk:3.1-buster AS build-env
     WORKDIR /app

     COPY *.csproj ./
     RUN dotnet restore

     COPY . ./
     RUN dotnet publish -c Release -o out

     FROM mcr.microsoft.com/dotnet/core/runtime:3.1-buster-slim
     RUN useradd -ms /bin/bash moduleuser
     USER moduleuser

     WORKDIR /app
     COPY --from=build-env /app/out ./

  2. Build your image using the `docker build` command.
  3. Start the container and enter it. You should see that `moduleuser` has write permissions in the `/app` folder.
     ![inside-container-build-by-docker-build](https://user-images.githubusercontent.com/25376553/122746332-31ef0580-d28a-11eb-9fa8-fa54321ce0f2.png)
  4. Now, using the same Dockerfile, build your image using the `iotedgedev` tool.
  5. Start the container and enter it. I'm getting this result:
     ![inside-container-build-by-iotedgedev](https://user-images.githubusercontent.com/25376553/122746009-e0467b00-d289-11eb-9659-864f50380407.png)
     Only root has write permissions in the `/app` folder and `moduleuser` does not have write permissions.

So my concern is about this difference in write permissions for the `/app` folder. Is this expected? And if so, why?

mhshami01 commented 3 years ago

Hello @MagdaPaj. Thank you for contacting us with your question.

We depend on docker SDK internally to interact with the docker engine. Specifically, we call docker_client.api.build method.
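Example code added to this thread, not part of iotedgedev, the docker SDK, or the reporter's repo. The screenshots above show two builders (docker build and the docker_client.api.build path iotedgedev uses) disagreeing about who owns a directory that WORKDIR creates after USER has switched to moduleuser, and the reporter's chown -R moduleuser /app workaround removes that dependency. The checker below makes the same judgement statically, so it can run in a pipeline before iotedgedev build: it walks a Dockerfile stage by stage and flags a WORKDIR created under a non-root USER that nobody chowns, a COPY/ADD without --chown after switching user (those files are always root-owned whatever USER is), and a chown that would itself run as the non-root user, which fails because a non-root account cannot take ownership of root-owned files. The two Dockerfiles are constructed inputs: ORIGINAL is the issue's Dockerfile with the build stage abbreviated, FIXED hands /app to moduleuser explicitly as root before USER, so it no longer matters which builder runs it. All names (Finding, check_dockerfile, ORIGINAL, FIXED) belong to this example.

```python
"""Flag a Dockerfile that relies on the builder to give a non-root USER the WORKDIR it creates (added example, not iotedgedev/docker SDK code)."""
import posixpath
import re
from dataclasses import dataclass

ROOT = {"root", "0"}
_CHOWN = re.compile(r"\bchown\s+((?:-\S+\s+)*)(\S+)\s+([^&|;]+)")  # chown [flags] owner path...

@dataclass(frozen=True)
class Finding:
    line: int
    message: str

def _instructions(text):
    """Yield (line_no, INSTRUCTION, args); backslash continuations are joined."""
    buf, start = [], 0
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not buf:
            if not line or line.startswith("#"):
                continue
            start = n
        if line.endswith("\\"):
            buf.append(line[:-1].rstrip())
            continue
        buf.append(line)
        instr, _, args = " ".join(buf).partition(" ")
        buf = []
        yield start, instr.upper(), args.strip()

def _covered(path, roots):  # path is a chowned root, or lies under a recursively chowned one
    return any(path == r or (rec and path.startswith(r.rstrip("/") + "/")) for r, rec in roots)

def check_dockerfile(text):
    """One Finding per instruction whose ownership outcome is builder-dependent or simply wrong."""
    findings, user, cwd, owned, pending = [], "root", "/", [], {}

    def flush():  # stage ended: every WORKDIR still not explicitly owned is a finding
        for path, (line, who) in pending.items():
            findings.append(Finding(line, f"WORKDIR {path} after USER {who}: ownership of the new "
                                          "directory depends on the builder; chown it as root"))
        pending.clear()

    for line, instr, args in _instructions(text):
        if instr == "FROM":  # each stage starts over as root in /
            flush()
            user, cwd, owned = "root", "/", []
        elif instr == "USER":
            user = args.split(":")[0]
        elif instr == "WORKDIR":
            cwd = posixpath.normpath(posixpath.join(cwd, args))
            if user not in ROOT and not _covered(cwd, owned):
                pending[cwd] = (line, user)
        elif instr in ("COPY", "ADD") and "--chown=" not in args and user not in ROOT:
            # COPY/ADD create files as uid 0 whatever USER is, unless --chown is given
            findings.append(Finding(line, f"{instr} without --chown: files are root-owned, {user} cannot modify them"))
        elif instr == "RUN":
            for flags, _owner, paths in _CHOWN.findall(args):
                if user not in ROOT:  # only root can take ownership of root's files
                    findings.append(Finding(line, f"chown runs as {user}, not root, and will fail; move it before USER"))
                    continue
                recursive = "-R" in flags or "--recursive" in flags
                for p in paths.split():
                    p = posixpath.normpath(posixpath.join(cwd, p))
                    owned.append((p, recursive))
                    for d in [d for d in pending if _covered(d, [(p, recursive)])]:
                        del pending[d]
    flush()
    return sorted(findings, key=lambda f: f.line)

# Constructed input: the Dockerfile from this issue, build stage abbreviated.
ORIGINAL = """\
FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build-env
RUN dotnet publish foo.csproj -c Release -o /app/out

FROM mcr.microsoft.com/dotnet/runtime:5.0-buster-slim
RUN useradd -ms /bin/bash moduleuser
USER moduleuser
WORKDIR /app
COPY --from=build-env /app/out ./
ENTRYPOINT ["dotnet", "foo.dll"]
"""

# Constructed input: ownership handed over explicitly as root, before USER switches.
FIXED = """\
FROM mcr.microsoft.com/dotnet/sdk:5.0 AS build-env
RUN dotnet publish foo.csproj -c Release -o /app/out

FROM mcr.microsoft.com/dotnet/runtime:5.0-buster-slim
RUN useradd -ms /bin/bash moduleuser \\
    && mkdir -p /app \\
    && chown moduleuser:moduleuser /app
WORKDIR /app
COPY --from=build-env --chown=moduleuser:moduleuser /app/out ./
USER moduleuser
ENTRYPOINT ["dotnet", "foo.dll"]
"""
```

check_dockerfile(ORIGINAL) reports the WORKDIR and the COPY in the runtime stage, which is exactly the pair the screenshots show (a builder-dependent /app owner and root-owned files); check_dockerfile(FIXED) reports nothing. The checker also rejects a chown placed after USER has switched, so the chown -R moduleuser /app workaround from the thread has to run while the stage is still root.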

mhshami01 commented 3 years ago

Closing since there has been no activities on this issue for the last 8 days.

Salazander commented 3 years ago

Hi @mhshami01, we've double-checked the behavior on our end and set up a repository to reproduce and illustrate the issue: Repro

Since USER moduleuser is executed before WORKDIR /app, we would expect the ownership of the /app folder in the container to be set accordingly (i.e. moduleuser). But as can be reproduced with the linked repo, the ownership is still set to root when building the image with iotedgedev.

As a consequence, the sample module cannot write to its local folder.

This has led to situations where developers pushed code changes that worked fine locally (Visual Studio Code + iotedgehubdev) but failed during smoke tests run in Azure DevOps Pipelines.

Sidenote: iotedgehubdev seems to be setting the ownership correctly.

Running native-build-works.ps1 yields: (screenshot)

Running iotedgedev-build-doesnt-work.ps1 yields: (screenshot)

Salazander commented 3 years ago

@marianan @konichi3 @mhshami01

Have you had the chance to look at my repo with all the steps to reproduce the issue?