Open jperville opened 3 years ago
- hardcode the value of
rmInjectionsScript
in https://github.com/openshift/source-to-image/blob/30d81a9440f30b472bb32e592b12c1a83a396edd/pkg/build/strategies/sti/sti.go#L35 to a path that is not tmp-like, for example to/var/rm-injections
.
This is the most viable solution.
Given that this is a bug that happens on Ubuntu, we should probably wire up a Github action to test this (our tests currently run in RHEL/UBI8 containers iirc).
PS thank you @jperville for your thoroughly detailed bug report!
Issues go stale after 90d of inactivity.
Mark the issue as fresh by commenting /remove-lifecycle stale
.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen
.
If this issue is safe to close now please do so with /close
.
/lifecycle stale
/lifecycle frozen
This bug is happening to me today.
» s2i version
s2i v1.3.9
My builder Dockerfile:
FROM python:3.11-slim as base
ARG S2IDIR="/s2i"
ARG APPDIR="/opt/program"
LABEL io.openshift.s2i.scripts-url="image://$S2IDIR/bin" \
io.openshift.s2i.destination="/tmp"
ENV PIP_NO_CACHE_DIR=off \
PIP_DISABLE_PIP_VERSION_CHECK=on \
PIP_DEFAULT_TIMEOUT=100 \
POETRY_PATH=/opt/poetry \
VENV_PATH=/opt/venv \
POETRY_VERSION=1.5.0 \
PYTHONUNBUFFERED=1 \
PYTHONDONTWRITEBYTECODE=1
ENV PATH="$POETRY_PATH/bin:$VENV_PATH/bin:$APPDIR:$PATH"
WORKDIR $APPDIR
FROM base as builder
RUN python3 -m pip install "poetry==$POETRY_VERSION" \
&& python3 -m venv $VENV_PATH
COPY poetry.lock pyproject.toml $APPDIR
RUN poetry export --without-hashes -o /tmp/requirements.txt \
&& $VENV_PATH/bin/pip install -r /tmp/requirements.txt
COPY . .
RUN poetry build && $VENV_PATH/bin/pip install dist/*.whl
FROM base as final
COPY .s2i $S2IDIR
COPY --from=builder $VENV_PATH $VENV_PATH
the error happens when I'm trying to run s2i build
within GitHub Actions, although it does not happen when running s2i build
command locally (same machine I've built the builder image.
error message is the same as OP:
truncate: cannot open '/tmp/rm-injections' for writing: Permission denied
Build failed
Sorry, but why @coreydaley's fix from October last year was not merged?
I'm still trying to figure out solutions to this issue, I tried:
USER 0
and io.openshift.s2i.assemble-user="0"
./tmp
folder as suggested hereio.openshift.s2i.destination
to other folders.sudo sysctl fs.protected_regular=0
on my docker image.A successful workaround for me was to include the following line by the end of my s2i
assemble
script:
sed -i '/rm-injections/d' /tmp/rm-injections
This removes inplace the line truncate -s0 "/tmp/rm-injections"
from the /tmp/rm-injections
.
Is this a feature request or bug?
/kind bug
What went wrong?
On Ubuntu 20.04 system, I cannot build a docker image which uses the injection feature. It used to work on Ubuntu < 20.04 and still works on CentOS 7.x systems.
This bug has already been reported as #1006 but was closed for lifecycle/rotten. This bug report should have all the information to reproduce, workaround and fix the issue.
Steps to reproduce:
Run this on fresh Ubuntu 20.04 system with docker installed (
sudo apt-get install docker.io
). Attention: do not tweak the default value of thefs.protected_regular
sysctl, which should be1
.docker pull quay.io/centos7/ruby-27-centos7
echo hello > file.txt
s2i build https://github.com/openshift/ruby-hello-world.git quay.io/centos7/ruby-27-centos7 my-hello-world:xxx --inject $PWD/file.txt:/bug.txt
(fails)echo $?
(displays 1)Expected results:
I expect the image to build successfully.
Actual results:
The image fails to build, with the following error message at the end:
Version:
s2i:
s2i v1.3.1
docker:Additional info:
The bug happens on stock Ubuntu 20.04 LTS system. It does not happen on Centos 7.x or on Ubuntu 14.04 systems that I have access to.
The reason is that on Ubuntu 20.04 LTS
sudo sysctl fs.protected_regular=1
is the default, which (according to https://unix.stackexchange.com/questions/503111/group-permissions-for-root-not-working-in-tmp ) restricts the permissions under/tmp
and in particular prevents s2i from truncating the/tmp/rm-injections
file inside the container despite that file being writable by everyone (chmod 0666
).At the end of the s2i assemble phase, s2i will try to truncate the
/tmp/rm-injections
file, which has mode0666
(writable by everyone). This file is owned by user1000:1000
while thes2i assemble
user has uid1001:1001
. The assemble user is then denied the right to truncate the/tmp/rm-injections
file, despite that file being world-writable.Here is to reproduce the problem with a simple busybox container:
We see that if the run the same command creating the xxx file in
/var
instead of/tmp
it works:If we force
sudo sysctl fs.protected_regular=0
in the first example it works again:To workaround this issue I had to:
sudo sysctl fs.protected_regular=0
(in a/etc/sysctl.d
file) (best workaround)s2i
binary withsed -i -e s:tmp/rm-injections:var/rm-injections:g
(giant hack)To fix the issue properly, I suggest either:
/tmp/rm-injections
file outside of/tmp
rmInjectionsScript
in https://github.com/openshift/source-to-image/blob/30d81a9440f30b472bb32e592b12c1a83a396edd/pkg/build/strategies/sti/sti.go#L35 to a path that is not tmp-like, for example to/var/rm-injections
./etc/sysctl.d
entry withfs.protected_regular=0
on Ubuntu 20.04 and more recent systems.