containers / build

another build tool for container images (archived, see https://github.com/rkt/rkt/issues/4024)
Apache License 2.0

`acbuild end` accepts running as non-superuser, then fails because of that #284

Closed sanmai-NL closed 7 years ago

sanmai-NL commented 7 years ago

Context

acbuild.sh:

```sh
#!/bin/sh
set -e
tear_down() {
    set +e
    status=$?
    acbuild end
    set -e
    return $status
}
trap tear_down INT TERM EXIT
set -x
sudo -v
acbuild begin
acbuild dep add 'quay.io/baselibrary/ubuntu:14.04'
sudo acbuild run -- "true"
acbuild set-name 'test/test'
acbuild write 'test.aci'
```

```
acbuild version 0.4.0
appc version 0.8.5
```

```
rkt Version: 1.22.0
appc Version: 0.8.9
Go Version: go1.7.4
Go OS/Arch: linux/amd64
Features: -TPM +SDJOURNAL
```

```
Linux #1 SMP PREEMPT Fri Dec 9 07:24:34 CET 2016 x86_64 unknown unknown GNU/Linux
```

Action

As a user who is a member of the rkt group, on an XFS filesystem:

sh acbuild.sh

Expected

acbuild end succeeds or reports an error that it must be run as superuser, similar to acbuild run.

Actual

```
+ sudo -v
+ acbuild begin
+ acbuild dep add quay.io/baselibrary/ubuntu:14.04
+ sudo acbuild run -- true
Downloading quay.io/baselibrary/ubuntu: [======================] 88.1 MB/88.1 MB
+ acbuild set-name test/test
+ acbuild write test.aci
+ tear_down
+ set +e
+ status=0
+ acbuild end
end: remove .acbuild/currentaci/rootfs/usr/share/zoneinfo/Europe/Amsterdam: permission denied
+ set -e
+ return 0
```

Alternative case

The previous script with the image name and tag sudo acbuild end instead succeeds.

cgonyeo commented 7 years ago

The reason that acbuild end doesn't error out when run as non-root is that it may be able to succeed depending on the permissions inside the image being built. The rkt getting started guide is one such scenario where root is not needed.

One option to make this nicer would be to walk over the image being built looking for files with permissions acbuild can't delete, but that would be expensive.

I think I'm just going to make a PR that, when a permission denied error is encountered, just prints out a line suggesting that acbuild end be re-run as root, which will at least provide a little direction to the user.

sanmai-NL commented 7 years ago

One nitpick though, please make it say ‘a user with appropriate privileges’ not ‘root’.
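
The approach discussed in this thread (attempt the removal, and only on a permission error add a hint) can be sketched in Go as below. This is an added example, not acbuild's code or the PR mentioned above: `explainRemoveError` and `endBuild` are hypothetical names, the hint wording follows the last comment, and the owner lookup assumes a Linux/Unix `stat`.

```go
package main

import (
	"errors"
	"fmt"
	"io/fs"
	"os"
	"path/filepath"
	"syscall"
)

// explainRemoveError appends a hint to a permission failure hit while
// deleting the build context. nil and all other errors pass through unchanged.
func explainRemoveError(err error) error {
	if err == nil || !errors.Is(err, fs.ErrPermission) {
		return err
	}
	hint := "re-run as a user with appropriate privileges"
	var pe *fs.PathError
	if errors.As(err, &pe) {
		// Removing an entry needs write+search permission on its parent
		// directory, so report who owns that directory when it is not us.
		parent := filepath.Dir(pe.Path)
		if fi, serr := os.Lstat(parent); serr == nil {
			if st, ok := fi.Sys().(*syscall.Stat_t); ok && int(st.Uid) != os.Geteuid() {
				hint = fmt.Sprintf("%s is owned by uid %d; %s", parent, st.Uid, hint)
			}
		}
	}
	return fmt.Errorf("%w (%s)", err, hint)
}

// endBuild is a hypothetical stand-in for the cleanup step of `acbuild end`:
// delete the context directory and explain a permission failure.
func endBuild(contextDir string) error {
	return explainRemoveError(os.RemoveAll(contextDir))
}

func main() {
	// Constructed error with the same shape as the one in the report.
	err := &fs.PathError{
		Op:   "remove",
		Path: ".acbuild/currentaci/rootfs/usr/share/zoneinfo/Europe/Amsterdam",
		Err:  syscall.EACCES,
	}
	fmt.Println("end:", explainRemoveError(err))
}
```

Because the hint is built only after a failure, it avoids the up-front walk over the image, and wrapping with `%w` keeps the original error available to callers that test for `fs.ErrPermission`.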