itamae-kitchen / itamae

Configuration management tool inspired by Chef, but simpler and lightweight. Formerly known as Lightchef.
https://itamae.kitchen/
MIT License

'itamae docker' fails on remote_file resource when the image is created with non-root user #322

Open fuminori-ido opened 4 years ago

fuminori-ido commented 4 years ago

When the Dockerfile is:

FROM  centos:7
USER  games

and the image is created by:

docker build --tag itamae-docker-test:base - <Dockerfile

Then, the following recipe:

remote_file '/tmp/x.remote_user' do
  source '/etc/group'
end

fails as follows:

$  itamae docker --image itamae-docker-test:base --tag itamae-docker-test:remote_user recipe-remote_file.rb
 INFO : Starting Itamae... 
 INFO : Recipe: /home/.../recipe-remote_file.rb
ERROR :     stderr | chmod: changing permissions of '/tmp/itamae_tmp/1598837380.5531852/group': Operation not permitted
ERROR :     Command `chmod 0600 /tmp/itamae_tmp/1598837380.5531852/group` failed. (exit status: 1)
ERROR :   remote_file[/tmp/x.remote_user] Failed.

while the 'execution' resource works fine under the same USER.

fuminori-ido commented 4 years ago

I traced step by step, and the intermediate file in the image looks root-owned, as follows:

-rw-r--r-- 1 root root 1350 Aug 31 05:16 /tmp/itamae_tmp/1598851010.8555338/group

at Specinfra::Backend::Docker#docker_run!. This is why chmod on a root-owned file by USER fails.

Next: why is this intermediate file root:root?

fuminori-ido commented 4 years ago

Now I found out why.

  1. Specinfra::Backend::Docker#send_file uses Docker::Image#insert_local
  2. Docker::Image#insert_local generates a Dockerfile ADD command in memory as: ADD base dest

The Dockerfile ADD command supports --chown, as mentioned here, but the docker gem does not seem to use this option, so owner:group becomes root:root.
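As an added illustration (not code from the issue, itamae, or the docker gem), a Dockerfile that contrasts the plain ADD form described in the comments with the --chown form; the base image and user are the ones from this issue, and `group` is assumed to be a copy of /etc/group placed in the build context.

```dockerfile
FROM centos:7
USER games

# Plain ADD, as generated by the docker gem: the file lands as root:root,
# so a non-root USER cannot chmod it ("Operation not permitted").
ADD group /tmp/itamae_tmp/group
RUN chmod 0600 /tmp/itamae_tmp/group || echo "chmod failed: file is root-owned"

# ADD with --chown: the file is owned by the build USER, and chmod succeeds.
ADD --chown=games:games group /tmp/itamae_tmp/group_owned
RUN chmod 0600 /tmp/itamae_tmp/group_owned

# Show both owners side by side in the build log.
RUN ls -l /tmp/itamae_tmp/
```

Build it with `docker build --tag itamae-docker-test:chown .` and compare the two `ls -l` entries in the build output.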