mantidproject / dockerfiles

Docker images relating to Mantid
https://hub.docker.com/u/mantidproject/
GNU General Public License v3.0

mantid_development.sh: --ipc=host needed for chown permission #12

Open ajjackson opened 5 years ago

ajjackson commented 5 years ago

The recent updates (specifically commit 329090d) break mantid_development.sh for me, failing to mount readable volumes with the following output:

+ TARGET_USERNAME=abc
+ for rule in /etc/entrypoint.d/*.sh
+ env TARGET_USERNAME=abc /etc/entrypoint.d/10_change_user_ids.sh
+ PUID=1000
+ PGID=1000
+ groupmod --non-unique --gid 1000 abc
+ usermod --non-unique --uid 1000 abc
+ for rule in /etc/entrypoint.d/*.sh
+ env TARGET_USERNAME=abc /etc/entrypoint.d/20_abc_own_directories.sh
+ chown abc:abc /mantid_src
chown: changing ownership of '/mantid_src': Permission denied
+ chown abc:abc /mantid_build
chown: changing ownership of '/mantid_build': Permission denied
+ chown abc:abc /mantid_data
chown: changing ownership of '/mantid_data': Permission denied
+ chown abc:abc /ccache
+ CMD=bash
+ runuser -u abc -- bash
abc@ee926268edd1:/mantid_build$

The former behaviour is restored (without "permission denied" errors) if I reintroduce the --ipc=host argument to docker within this script. This option is mentioned in the updated docs as being necessary for X windowing, but seems to have a wider impact?

A factor that is probably relevant is that I don't run docker as root but use a docker group instead. Perhaps the recent updates make an assumption that docker was run by root?
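As an added example (not code from the mantidproject/dockerfiles repository, and not something either participant posted), here is a defensive POSIX shell version of the ownership step that produced the "Permission denied" lines above. It tries each chown, and when a bind-mounted path refuses it, it reports the directory's current numeric owner and carries on, so the entrypoint log says what state the mounts are in rather than leaving bare error lines. The function names `own_if_possible` and `own_all` and the failure reasons listed in the comments are assumptions of mine; the directory names and the `abc` user come from the issue's output.

```shell
#!/bin/sh
# Added example, not from mantidproject/dockerfiles: a defensive variant of the
# "chown abc:abc /mantid_src" step seen in the entrypoint output in this issue.
# Function names and the diagnostics are assumptions; directory names and the
# "abc" user are taken from the issue.

# Attempt to give DIR to OWNER ("user:group" or "uid:gid").
# Returns 0 if ownership was changed, 1 if DIR is missing, 2 if chown was refused.
own_if_possible() {
    dir="$1"
    owner="$2"
    if [ ! -d "$dir" ]; then
        echo "own_if_possible: $dir is not a directory, skipping" >&2
        return 1
    fi
    if chown "$owner" "$dir" 2>/dev/null; then
        return 0
    fi
    # chown can be refused for several reasons: the container lacks CAP_CHOWN,
    # the mount is read-only, or the bind-mounted path is owned by a host uid
    # that the container's user-namespace mapping cannot reach. Record the
    # numeric owner we can see instead of aborting the whole entrypoint.
    current=$(ls -ldn "$dir" | awk '{print $3 ":" $4}')
    echo "own_if_possible: chown $owner $dir refused; currently owned by $current" >&2
    return 2
}

# own_all OWNER DIR...: try every directory, count the ones that could not be
# re-owned, and return that count (0 means everything succeeded).
own_all() {
    owner="$1"
    shift
    failed=0
    for d in "$@"; do
        own_if_possible "$d" "$owner" || failed=$((failed + 1))
    done
    echo "own_all: $failed of $# directories could not be reowned" >&2
    return "$failed"
}

# Typical use inside an entrypoint script, with the mounts from the issue:
#   own_all "${TARGET_USERNAME:-abc}:${TARGET_USERNAME:-abc}" /mantid_src /mantid_build /mantid_data /ccache
if [ "$#" -gt 0 ]; then
    own_all "$@"
fi
```

Run it as `sh own_dirs.sh abc:abc /mantid_src /mantid_build /mantid_data /ccache` from the entrypoint; the exit status tells the caller how many mounts are still owned by someone else, which is the number a later step (such as the `runuser -u abc` launch) may need to warn about.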

DanNixon commented 5 years ago

> The former behaviour is restored (without "permission denied" errors) if I reintroduce the --ipc=host argument to docker within this script. This option is mentioned in the updated docs as being necessary for X windowing, but seems to have a wider impact?

That is odd. IPC namespacing should not affect being able to change filesystem attributes AFAIK.

This option may imply other security attributes that do allow certain filesystem modifications.

> A factor that is probably relevant is that I don't run docker as root but use a docker group instead. Perhaps the recent updates make an assumption that docker was run by root?

No. In fact membership of the docker group is pretty much equivalent to being a sudoer anyway.

sf1919 commented 1 year ago

@ajjackson is this still an issue?

ajjackson commented 1 year ago

No idea, I've switched away from using the development dockerfiles to the Conda option.