galaxyproject / galaxy

Data intensive science for everyone.
https://galaxyproject.org

Replace usage of `/bin/sh` with a shell that reads `/etc/profile` #17631

Open martin-g opened 8 months ago

martin-g commented 8 months ago

Describe the bug

I faced an issue while trying to build a bioconductor-** recipe at Bioconda: https://github.com/bioconda/bioconda-recipes/pull/46177 The issue is that the Linux ARM64/aarch64 Docker images used by default by mulled-build-tool:

use umask=027 by default.

Linux ARM64:

$ docker run -it --rm continuumio/miniconda3:latest bash -c umask
0027

The Linux x86_64 images use 022 as default:

docker run -it --rm continuumio/miniconda3:latest bash -c umask
0022

Both images inherit this behavior from their respective base images (Debian/Ubuntu).

I haven't tried to find out why Debian (and Ubuntu) did this. 027 is more secure, but why does only the Linux ARM64 image use it?! No idea.

So, I tried to use custom Docker images that inherit from the default ones and set umask=022 in /etc/profile and /etc/bash.bashrc:

FROM quay.io/condaforge/mambaforge:latest

# Notes sit on their own lines: a "#" after the value on an ENV line becomes part of the value.
# for dash
ENV ENV /etc/profile
# for bash
ENV BASH_ENV /etc/profile
# non-interactive
RUN echo "umask 022" >> /etc/profile
# interactive
RUN echo "umask 022" >> /etc/bash.bashrc

$ docker build . -f Dockerfile.mambaforge -t my-mambaforge-aarch64:latest
$ docker run -it --rm my-mambaforge-aarch64:latest bash -c umask     # non-interactive
$ docker run -it --rm my-mambaforge-aarch64:latest bash  (+ `umask`)  # interactive

Now docker run -it --rm my-mambaforge-aarch64:latest bash -c umask prints 0022! Good!

But mulled-build still fails for me despite using my custom Docker images, because the default invfile.lua uses /bin/sh ...:

I guess it uses /bin/sh because it is the most common one and should exist on every Linux out there.

Would it be possible to make this configurable via VAR?

Galaxy Version and/or server at which you observed the bug

mulled-build-tool 23.2.1

To Reproduce

Execute the following on Linux ARM64 machine/VM:

conda create -n test123
conda activate test123
conda install font-ttf-ubuntu involucro
mkdir /tmp/mulled && cd /tmp/mulled
mulled-build build 'font-ttf-ubuntu=0.83' --involucro-path $(which involucro) --verbose
ls -laR

It will fail with

drwxr-x--- 2 root      root       80 Mar  6 13:39 conda-meta
drwxr-x--- 2 root      root      320 Mar  6 13:39 fonts
ls: cannot open directory './build/dist/conda-meta': Permission denied
ls: cannot open directory './build/dist/fonts': Permission denied

Expected behavior

No Permission denied errors.

Screenshots

N/A

Additional context

Please ask me if you need more details!

bgruening commented 8 months ago

@martin-g thanks for the detailed report. Yes, it should be possible to make the shell configurable. And yes, we have chosen this shell because it is the most common one that should be everywhere.

martin-g commented 8 months ago

In addition, it would be a good idea to make DIRNAME configurable, as the images are - https://github.com/galaxyproject/galaxy/blob/bc0d075d552cc10d9c452e9e0a4595b3e079301e/lib/galaxy/tool_util/deps/mulled/mulled_build.py#L60 ?

Something like

DIRNAME = os.environ.get("INVFILE_DIRNAME", os.path.dirname(__file__))

This way I could use a custom invfile.lua if needed.

martin-g commented 8 months ago

In the meantime if someone has an idea how to set umask for /bin/sh, I am all ears! :-)
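The following script is an added example, not code from the issue or from the Galaxy/mulled-build project. It reproduces the startup-file behaviour behind the report and the question above without touching /etc: a throwaway profile file stands in for /etc/profile, and the script shows that a non-interactive `/bin/sh -c` ignores ENV, that `bash -c` honours BASH_ENV, and that a umask placed in the command string itself is honoured by any shell.

```shell
#!/bin/sh
# Added example (not from the issue). Shows which startup file a non-interactive
# shell reads, and therefore why "umask 022" in /etc/profile never reaches
# "/bin/sh -c ..." as used by invfile.lua. Nothing under /etc is modified.

# Write a throwaway profile that sets an unusual umask so its effect is visible.
make_profile() {
    f=$(mktemp)
    echo "umask 077" > "$f"
    echo "$f"
}

# umask reported by "sh -c" with ENV pointing at the profile. POSIX shells
# (dash, bash invoked as sh) consult ENV only when interactive, so this
# returns the umask inherited from the caller, not the one in the profile.
sh_umask_with_env() {
    ENV="$1" sh -c umask
}

# umask reported by "bash -c" with BASH_ENV pointing at the profile. bash
# reads BASH_ENV for non-interactive shells, so the profile's umask applies.
bash_umask_with_bash_env() {
    BASH_ENV="$1" bash -c umask
}

# Portable alternative that works for /bin/sh too: set the umask inside the
# command string, so no startup file is needed at all.
sh_umask_inline() {
    sh -c 'umask 022; umask'
}

profile=$(make_profile)
echo "caller umask:                 $(umask)"
echo "sh   -c with ENV=profile:     $(sh_umask_with_env "$profile")"
echo "bash -c with BASH_ENV=profile: $(bash_umask_with_bash_env "$profile")"
echo "sh   -c with inline umask:    $(sh_umask_inline)"
rm -f "$profile"
```

The first and second lines of output match (the profile was ignored by sh), while the bash line shows 0077 and the inline line shows 0022 regardless of the caller's umask.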