open-telemetry / weaver

OTel Weaver lets you easily develop, validate, document, and deploy semantic conventions
Apache License 2.0

Permission issues using the docker image with podman #411

Open marcalff opened 3 days ago

marcalff commented 3 days ago

I am trying to migrate opentelemetry-cpp to use weaver.

To do this, I am using the docker image, and looked at the scripts used in opentelemetry-rust as an example.

Using this:

```sh
# SELINUX
# https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

USE_MOUNT_OPTION=""

if [ -x "$(command -v getenforce)" ]; then
  SELINUXSTATUS=$(getenforce);
  if [ "${SELINUXSTATUS}" == "Enforcing" ]; then
    echo "Detected SELINUX"
    USE_MOUNT_OPTION=":z"
  fi;
fi

generate() {
  TARGET=$1
  OUTPUT=$2
  FILTER=$3
  docker run --rm \
    -v ${SCRIPT_DIR}/semantic-conventions/model:/source${USE_MOUNT_OPTION} \
    -v ${SCRIPT_DIR}/templates:/templates${USE_MOUNT_OPTION} \
    -v ${ROOT_DIR}/wip/:/output${USE_MOUNT_OPTION} \
    otel/weaver:$WEAVER_VERSION_TAG \
    registry \
    generate \
    --registry=/source \
    --templates=/templates \
    ${TARGET} \
    /output/${TARGET} \
    --param output=${OUTPUT} \
    --param filter=${FILTER}
}

# stable attributes and metrics
mkdir -p ${ROOT_DIR}/wip/attributes
mkdir -p ${ROOT_DIR}/wip/metrics
generate "./" "./" "stable"

mkdir -p ${ROOT_DIR}/wip/${INCUBATING_DIR}/attributes
mkdir -p ${ROOT_DIR}/wip/${INCUBATING_DIR}/metrics
generate "./" "./${INCUBATING_DIR}/" "any"
```

I get:

```
Detected SELINUX
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
✔ `main` semconv registry `/source` loaded (151 files)
✔ No `before_resolution` policy violation
✔ `default` semconv registry resolved

Diagnostic report:

  × Writing of the generated code /output/././attributes/client_attributes.h
  │ failed: Permission denied (os error 13)
...
```

This is because the docker command can not write to the ${ROOT_DIR}/wip/attributes directory, which is owned by my user account (malff).

Doing a chmod to allow everyone to write there allows files to be written, but then they have a different ownership.

When using the docker image for build-tools, the image did write files owned by my own account, and I did not have to open permissions or to adjust file ownership, it just worked.

I am NOT willing to add a chmod o+w just to make the script pass, so this is blocking.

How can I use weaver with docker, to generate files with the proper file ownership?

lquerel commented 3 days ago

I believe the following documentation explains how to set up an environment similar to the one you’re describing. Please let me know if it doesn’t work for you. Thanks!

https://github.com/open-telemetry/weaver/blob/main/docs/docker-guide.md

marcalff commented 3 days ago

Bonjour Laurent.

I also tried using:

```
-u $(id -u ${USER}):$(id -g ${USER})
```

but the docker image still wrote files with a different user, this did not work.

My UID:GID is 1000:1000 locally, the docker image creates files with 100999:100999, even when invoking docker with --user 1000:1000.

The doc also mentions:

```
    --mount 'type=bind,source=$(HOME)/.weaver,target=/tmp/weaver/.weaver' \
    --mount 'type=bind,source=$(PWD)/templates,target=/home/weaver/templates,readonly' \
    --mount 'type=bind,source=$(PWD)/src,target=/home/weaver/target' \
```

This does not work for SELinux, which is why I used:

```
-v ${SCRIPT_DIR}/semantic-conventions/model:/source${USE_MOUNT_OPTION} \
```

with `USE_MOUNT_OPTION` being `:z`.

Ref: https://docs.docker.com/engine/storage/bind-mounts/

lquerel commented 3 days ago

Bonjour Marc! Let me loop in @jsuereth on this thread. I recall him mentioning a workaround for SELinux, but I don’t remember the exact trick.

marcalff commented 3 days ago

The SELinux part is solved, I mentioned it because what is in the doc does not work for SELinux.

To clarify, I am using podman instead of docker.

Running with:

```
podman --user 0:0 ...
```

actually creates files using my own local account (malff, 1000:1000), without the need to use chmod.

```
[malff@malff-desktop ~]$ which docker
/usr/bin/docker
[malff@malff-desktop ~]$ docker --version
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
podman version 4.9.4-rhel
```

jsuereth commented 3 days ago

I think we will update the docs to have recommendations for SELinux users. I didn't include them earlier because the :z option on -v volume mounts came with a load of caveats and concerning comments in docker docs, but I believe it's the ONLY option to support SELinux today. I found a still-open issue to that effect on Docker itself.

Thanks for calling this out!

marcalff commented 2 days ago

Thanks @jsuereth

I was affected by 2 issues:

I am mostly concerned about the second, because I do not know how to write a script that will work for both docker and podman, to be checked in the opentelemetry-cpp repository.
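As an added example (not from this thread or the weaver project), a POSIX sh helper that picks the `--user` flag and the SELinux mount suffix from what the machine actually reports, so one script can serve native docker and the podman `docker` shim; it assumes podman runs rootless, that `docker --version` output is the runtime signal, and the paths and image tag are placeholders:

```sh
#!/bin/sh
# Added example (not weaver's code): select user mapping and mount label for
# running the otel/weaver image through native docker or rootless podman.

# Classify the runtime from the text `docker --version` prints: the podman
# shim prints "podman version ...", native docker prints "Docker version ...".
detect_runtime() {
  case "$1" in
    *podman*) echo "podman" ;;
    *)        echo "docker" ;;
  esac
}

# Mount suffix: ":z" relabels the bind mount for SELinux and is only needed
# when `getenforce` reports Enforcing.
mount_suffix() {
  if [ "$1" = "Enforcing" ]; then echo ":z"; else echo ""; fi
}

# --user flag. Rootless podman maps container root (0:0) onto the invoking
# host user, so output files are owned by that user; passing the host UID:GID
# instead gets shifted into the subuid range (the 100999 seen above).
# Native docker needs the host UID:GID passed through unchanged.
user_flag() {
  if [ "$1" = "podman" ]; then
    echo "--user 0:0"
  else
    echo "--user $2:$3"
  fi
}

# Assemble the run command. $1 = `docker --version` output, $2 = getenforce
# output, $3/$4 = host uid/gid, $5/$6/$7 = model, templates, output dirs,
# $8 = image tag. Returned as text so it can be inspected before running.
weaver_cmd() {
  rt=$(detect_runtime "$1"); z=$(mount_suffix "$2"); u=$(user_flag "$rt" "$3" "$4")
  echo "docker run --rm $u -v $5:/source$z -v $6:/templates$z -v $7:/output$z" \
       "otel/weaver:$8 registry generate --registry=/source --templates=/templates"
}

# Usage with values probed from the current host (paths are placeholders):
weaver_cmd "$(docker --version 2>/dev/null || true)" "$(getenforce 2>/dev/null || true)" \
  "$(id -u)" "$(id -g)" ./semantic-conventions/model ./templates ./wip latest
```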