
another build tool for container images (archived, see https://github.com/rkt/rkt/issues/4024)
Apache License 2.0

/dev/console given different ownership in different scenarios #278

Open J-Swift opened 7 years ago

J-Swift commented 7 years ago

Thanks for the tool, it is really simple but powerful to use! Also, this may actually be a rkt issue, so please forgive me if that is the case : )

Some background on this issue is that I'm attempting to get nginx running fully as an unprivileged user, i.e. avoiding having the master process start as root. I've been able to get everything set up correctly but am running into an issue with linking the logging to /dev/stdout and /dev/stderr. The following build script is a pared-down approximation of what I'm doing:

acbuild begin docker://alpine:3.4

acbuild run -- addgroup -S nginx 2>/dev/null
acbuild run -- adduser -S -D -H -h /nginx -s /sbin/nologin -G nginx -g nginx nginx

## In the real aci I am doing something like this
# acbuild run -- ln -sf /dev/stderr /nginx/log/error.log
# acbuild run -- chown -R nginx:nginx /nginx
# acbuild set-exec -- /nginx/sbin/nginx -g 'error_log /nginx/log/error.log warn;'

acbuild set-user nginx
acbuild set-exec -- /bin/ls -la /dev

acbuild write bad_dev_console.aci

acbuild end

Now, as I understand it, /dev/stdout and /dev/stderr are bound automatically by acbuild during run commands. Also, as this comment points out, rkt does some different magic for us depending on if the --interactive flag is passed to rkt run.

It appears that the ownership only fails to be set correctly when running rkt run with no --interactive flag:

$ sudo rkt run --insecure-options=image bad_dev_console.aci
run: disabling overlay support: "overlay entry not present in /proc/filesystems"
[24012.418194] alpine[5]: total 12
[24012.418438] alpine[5]: drwxr-xr-x    5 root     root          4096 Dec  2 04:07 .
[24012.418582] alpine[5]: drwxr-xr-x   18 root     root          4096 Jan  1  1970 ..
[24012.418702] alpine[5]: crw-------    1 root     root      136,   0 Dec  2 04:07 console
[24012.418821] alpine[5]: lrwxrwxrwx    1 root     root            13 Jan  1  1970 fd -> /proc/self/fd
[24012.418939] alpine[5]: crw-rw-rw-    1 root     root        1,   7 Dec  2 04:07 full
[24012.419071] alpine[5]: lrwxrwxrwx    1 root     root            28 Dec  2 04:07 log -> /run/systemd/journal/dev-log
[24012.419189] alpine[5]: drwxr-xr-x    2 root     root          4096 Dec  2 04:07 net
[24012.419306] alpine[5]: crw-rw-rw-    1 root     root        1,   3 Dec  2 04:07 null
[24012.419425] alpine[5]: lrwxrwxrwx    1 root     root            13 Dec  2 04:07 ptmx -> /dev/pts/ptmx
[24012.419549] alpine[5]: drwxr-xr-x    2 root     root             0 Dec  2 04:07 pts
[24012.419669] alpine[5]: crw-rw-rw-    1 root     root        1,   8 Dec  2 04:07 random
[24012.419787] alpine[5]: drwxrwxrwt    2 root     root            40 Dec  2 04:07 shm
[24012.419904] alpine[5]: lrwxrwxrwx    1 root     root            12 Jan  1  1970 stderr -> /dev/console
[24012.420067] alpine[5]: lrwxrwxrwx    1 root     root            15 Jan  1  1970 stdin -> /proc/self/fd/0
[24012.420256] alpine[5]: lrwxrwxrwx    1 root     root            12 Jan  1  1970 stdout -> /dev/console
[24012.420381] alpine[5]: crw-rw-rw-    1 root     root        5,   0 Dec  2 04:07 tty
[24012.420502] alpine[5]: crw-rw-rw-    1 root     root        1,   9 Dec  2 04:07 urandom
[24012.420623] alpine[5]: crw-rw-rw-    1 root     root        1,   5 Dec  2 04:07 zero

$ sudo rkt run --insecure-options=image bad_dev_console.aci --user root
run: disabling overlay support: "overlay entry not present in /proc/filesystems"
[24016.308294] alpine[5]: total 12
[24016.308579] alpine[5]: drwxr-xr-x    5 root     root          4096 Dec  2 04:07 .
[24016.308826] alpine[5]: drwxr-xr-x   18 root     root          4096 Jan  1  1970 ..
[24016.309043] alpine[5]: crw-------    1 root     root      136,   0 Dec  2 04:07 console
[24016.309313] alpine[5]: lrwxrwxrwx    1 root     root            13 Jan  1  1970 fd -> /proc/self/fd
[24016.309547] alpine[5]: crw-rw-rw-    1 root     root        1,   7 Dec  2 04:07 full
[24016.309741] alpine[5]: lrwxrwxrwx    1 root     root            28 Dec  2 04:07 log -> /run/systemd/journal/dev-log
[24016.309920] alpine[5]: drwxr-xr-x    2 root     root          4096 Dec  2 04:07 net
[24016.310105] alpine[5]: crw-rw-rw-    1 root     root        1,   3 Dec  2 04:07 null
[24016.310276] alpine[5]: lrwxrwxrwx    1 root     root            13 Dec  2 04:07 ptmx -> /dev/pts/ptmx
[24016.310483] alpine[5]: drwxr-xr-x    2 root     root             0 Dec  2 04:07 pts
[24016.310707] alpine[5]: crw-rw-rw-    1 root     root        1,   8 Dec  2 04:07 random
[24016.311039] alpine[5]: drwxrwxrwt    2 root     root            40 Dec  2 04:07 shm
[24016.311242] alpine[5]: lrwxrwxrwx    1 root     root            12 Jan  1  1970 stderr -> /dev/console
[24016.311485] alpine[5]: lrwxrwxrwx    1 root     root            15 Jan  1  1970 stdin -> /proc/self/fd/0
[24016.311682] alpine[5]: lrwxrwxrwx    1 root     root            12 Jan  1  1970 stdout -> /dev/console
[24016.311843] alpine[5]: crw-rw-rw-    1 root     root        5,   0 Dec  2 04:07 tty
[24016.312175] alpine[5]: crw-rw-rw-    1 root     root        1,   9 Dec  2 04:07 urandom
[24016.312488] alpine[5]: crw-rw-rw-    1 root     root        1,   5 Dec  2 04:07 zero

$ sudo rkt run --insecure-options=image bad_dev_console.aci --user nginx
run: disabling overlay support: "overlay entry not present in /proc/filesystems"
[24020.700875] alpine[5]: total 12
[24020.701137] alpine[5]: drwxr-xr-x    5 root     root          4096 Dec  2 04:07 .
[24020.701284] alpine[5]: drwxr-xr-x   18 root     root          4096 Jan  1  1970 ..
[24020.701407] alpine[5]: crw-------    1 root     root      136,   0 Dec  2 04:07 console
[24020.701528] alpine[5]: lrwxrwxrwx    1 root     root            13 Jan  1  1970 fd -> /proc/self/fd
[24020.701648] alpine[5]: crw-rw-rw-    1 root     root        1,   7 Dec  2 04:07 full
[24020.701780] alpine[5]: lrwxrwxrwx    1 root     root            28 Dec  2 04:07 log -> /run/systemd/journal/dev-log
[24020.701903] alpine[5]: drwxr-xr-x    2 root     root          4096 Dec  2 04:07 net
[24020.702022] alpine[5]: crw-rw-rw-    1 root     root        1,   3 Dec  2 04:07 null
[24020.702143] alpine[5]: lrwxrwxrwx    1 root     root            13 Dec  2 04:07 ptmx -> /dev/pts/ptmx
[24020.702269] alpine[5]: drwxr-xr-x    2 root     root             0 Dec  2 04:07 pts
[24020.702391] alpine[5]: crw-rw-rw-    1 root     root        1,   8 Dec  2 04:07 random
[24020.702511] alpine[5]: drwxrwxrwt    2 root     root            40 Dec  2 04:07 shm
[24020.702630] alpine[5]: lrwxrwxrwx    1 root     root            12 Jan  1  1970 stderr -> /dev/console
[24020.702757] alpine[5]: lrwxrwxrwx    1 root     root            15 Jan  1  1970 stdin -> /proc/self/fd/0
[24020.702880] alpine[5]: lrwxrwxrwx    1 root     root            12 Jan  1  1970 stdout -> /dev/console
[24020.702999] alpine[5]: crw-rw-rw-    1 root     root        5,   0 Dec  2 04:07 tty
[24020.703119] alpine[5]: crw-rw-rw-    1 root     root        1,   9 Dec  2 04:07 urandom
[24020.703238] alpine[5]: crw-rw-rw-    1 root     root        1,   5 Dec  2 04:07 zero

$ sudo rkt run --insecure-options=image --interactive bad_dev_console.aci
run: disabling overlay support: "overlay entry not present in /proc/filesystems"
total 12
drwxr-xr-x    5 root     root          4096 Dec  2 04:07 .
drwxr-xr-x   18 root     root          4096 Jan  1  1970 ..
crw--w----    1 nginx    root      136,   0 Dec  2 04:07 console
lrwxrwxrwx    1 root     root            13 Jan  1  1970 fd -> /proc/self/fd
crw-rw-rw-    1 root     root        1,   7 Dec  2 04:07 full
lrwxrwxrwx    1 root     root            28 Dec  2 04:07 log -> /run/systemd/journal/dev-log
drwxr-xr-x    2 root     root          4096 Dec  2 04:07 net
crw-rw-rw-    1 root     root        1,   3 Dec  2 04:07 null
lrwxrwxrwx    1 root     root            13 Dec  2 04:07 ptmx -> /dev/pts/ptmx
drwxr-xr-x    2 root     root             0 Dec  2 04:07 pts
crw-rw-rw-    1 root     root        1,   8 Dec  2 04:07 random
drwxrwxrwt    2 root     root            40 Dec  2 04:07 shm
lrwxrwxrwx    1 root     root            12 Jan  1  1970 stderr -> /dev/console
lrwxrwxrwx    1 root     root            15 Jan  1  1970 stdin -> /proc/self/fd/0
lrwxrwxrwx    1 root     root            12 Jan  1  1970 stdout -> /dev/console
crw-rw-rw-    1 root     root        5,   0 Dec  2 04:07 tty
crw-rw-rw-    1 root     root        1,   9 Dec  2 04:07 urandom
crw-rw-rw-    1 root     root        1,   5 Dec  2 04:07 zero

Is this surprising? Am I missing something? Thanks in advance!
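
The listings above are enough to predict the failure the reporter is hitting: /dev/stdout and /dev/stderr are symlinks to /dev/console, so whether an unprivileged process can log to them is decided by the owner and mode bits of the console node. The following is an added example, not code from acbuild, rkt or the issue reporter. It parses an `ls -la /dev` listing (with or without the `[ts] alpine[5]:` prefix rkt prepends to non-interactive output), follows symlinks that stay inside /dev, and evaluates POSIX owner/group/other write bits for a given user. The sample listings are trimmed copies of the output posted above; the assumption that root can open the device regardless of mode bits (CAP_DAC_OVERRIDE) is the author's simplification, not something the issue confirms.

```python
"""Predict from an `ls -la /dev` listing whether a container user can open
/dev/stdout and /dev/stderr for writing.  Added example; models POSIX mode
bits only (no ACLs, no LSM policy)."""
import re
from dataclasses import dataclass
from typing import Optional

# Prefix rkt adds to each line when run without --interactive, e.g. "[24012.418702] alpine[5]: "
LOG_PREFIX = re.compile(r"^\[[\d.]+\]\s+\S+\[\d+\]:\s+")

# One `ls -la` row: type+perms, link count, owner, group, size or "major, minor",
# a date in either "Dec  2 04:07" or "Jan  1  1970" form, then name and optional target.
LS_LINE = re.compile(
    r"^(?P<kind>[-bcdlps])(?P<perms>[rwxsStT-]{9})\s+\d+\s+"
    r"(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"(?:\d+,\s*\d+|\d+)\s+"
    r"\S+\s+\d+\s+(?:\d{2}:\d{2}|\d{4})\s+"
    r"(?P<name>.+?)(?:\s->\s(?P<target>\S+))?$"
)


@dataclass
class Entry:
    kind: str             # 'c' char device, 'l' symlink, 'd' directory, ...
    perms: str            # nine-character rwx string
    owner: str
    group: str
    target: Optional[str]  # symlink target, or None


def parse_listing(text: str) -> dict[str, Entry]:
    """Map entry name -> Entry; non-matching lines ("total 12", rkt messages) are skipped."""
    entries: dict[str, Entry] = {}
    for raw in text.splitlines():
        m = LS_LINE.match(LOG_PREFIX.sub("", raw.strip()))
        if m:
            entries[m["name"]] = Entry(m["kind"], m["perms"], m["owner"], m["group"], m["target"])
    return entries


def resolve(entries: dict[str, Entry], name: str, max_hops: int = 8) -> Optional[str]:
    """Follow symlinks while they point inside /dev; None if the target leaves the listing."""
    for _ in range(max_hops):
        e = entries.get(name)
        if e is None:
            return None
        if e.kind != "l":
            return name
        if not e.target or not e.target.startswith("/dev/"):
            return None            # e.g. stdin -> /proc/self/fd/0 is outside this listing
        name = e.target[len("/dev/"):]
    return None                    # symlink loop


def can_write(entries: dict[str, Entry], name: str, user: str, groups=()) -> Optional[bool]:
    """True/False from the mode bits; None when the final target is not in the listing.
    Assumption (not from the issue): root bypasses mode bits via CAP_DAC_OVERRIDE."""
    final = resolve(entries, name)
    if final is None:
        return None
    e = entries[final]
    if user == "root":
        return True
    if user == e.owner:
        return e.perms[1] == "w"
    if e.group in groups:
        return e.perms[4] == "w"
    return e.perms[7] == "w"


# Trimmed copies of the two listings posted above (non-interactive vs --interactive).
NON_INTERACTIVE = """\
[24012.418702] alpine[5]: crw-------    1 root     root      136,   0 Dec  2 04:07 console
[24012.418821] alpine[5]: lrwxrwxrwx    1 root     root            13 Jan  1  1970 fd -> /proc/self/fd
[24012.419904] alpine[5]: lrwxrwxrwx    1 root     root            12 Jan  1  1970 stderr -> /dev/console
[24012.420067] alpine[5]: lrwxrwxrwx    1 root     root            15 Jan  1  1970 stdin -> /proc/self/fd/0
[24012.420256] alpine[5]: lrwxrwxrwx    1 root     root            12 Jan  1  1970 stdout -> /dev/console
"""
INTERACTIVE = """\
crw--w----    1 nginx    root      136,   0 Dec  2 04:07 console
lrwxrwxrwx    1 root     root            12 Jan  1  1970 stderr -> /dev/console
lrwxrwxrwx    1 root     root            15 Jan  1  1970 stdin -> /proc/self/fd/0
lrwxrwxrwx    1 root     root            12 Jan  1  1970 stdout -> /dev/console
"""


def report(listing: str, user: str, groups=()) -> dict[str, Optional[bool]]:
    """Writability of the three standard streams for `user` under the given listing."""
    entries = parse_listing(listing)
    return {n: can_write(entries, n, user, groups) for n in ("stdin", "stdout", "stderr")}


if __name__ == "__main__":
    for label, listing in (("non-interactive", NON_INTERACTIVE), ("interactive", INTERACTIVE)):
        print(label, "nginx:", report(listing, "nginx", ("nginx",)), "root:", report(listing, "root"))
```

Run inside the image with the real listing (`acbuild set-exec -- /bin/ls -la /dev` as in the script above, or `ls -la /dev` from an interactive shell) to see which streams a non-root `set-user` can actually open before pointing nginx's error_log at them.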

sanmai-NL commented 7 years ago

See also #261.