runfinch / finch

The Finch CLI is an open source client for container development
https://www.runfinch.com
Apache License 2.0

Unable to run /usr/bin/sudo due to volumes/main partition mounted with nosuid #859

Open kellermanrivero opened 3 months ago

kellermanrivero commented 3 months ago

Describe the bug

Unable to use finch to build the crops/poky container used to build Yocto (Yocto is a Linux meta-distribution for embedded devices).

/usr/bin/sudo fails with this message:

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?

Steps to reproduce

Dockerfile:

(docker/Dockerfile)

FROM crops/poky@sha256:cecb8668a35b712cbb78d2b427934c27c5048d85d9734ab26bd6d692a9c38105

USER root

# Additional dependencies for Juno build
RUN apt update && apt install -y openssh-client gawk \
    wget \
    git-core \
    diffstat \
    unzip \
    texinfo \
    gcc-multilib \
    build-essential \
    chrpath \
    socat \
    libsdl1.2-dev \
    libgtk2.0-bin \
    xterm \
    libssl-dev \
    lib32ncurses5 \
    lib32z1 \
    ant \
    gcc-multilib \
    g++-multilib \
    libglib2.0-dev \
    libpulse-dev \
    zip \
    docbook \
    bison \
    libgmp3-dev \
    libmpc-dev

USER usersetup

WORKDIR /workdir

Step-by-step

finch build docker -t juno/yocto
finch run -it --rm -v ~/workplace/workdir:/workdir busybox chown -R $(id -u):$(id -g) /workdir
finch run -it --rm -v ~/workplace/workdir:/workdir juno/yocto --workdir=/workdir

Error:

sudo: effective uid is not 0, is /usr/bin/sudo on a file system with the 'nosuid' option set or an NFS file system without root privileges?
Traceback (most recent call last):
  File "/usr/bin/usersetup.py", line 92, in <module>
    subprocess.check_call(cmd.split(), stdout=sys.stdout, stderr=sys.stderr)
  File "/usr/lib/python2.7/subprocess.py", line 541, in check_call
    raise CalledProcessError(retcode, cmd)
subprocess.CalledProcessError: Command '['sudo', 'restrict_useradd.sh', '504', '20', 'pokyuser']' returned non-zero exit status 1
FATA[0000] exit status 1

Expected behavior

The container runs successfully, as it does in Docker Desktop.

Screenshots or logs

[screenshot attached: Screenshot 2024-03-15 at 11 35 04]

Additional context

finch-support-20240315113539.zip
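Added example, not code from the original issue and not Finch's or crops/poky's own: a POSIX sh diagnostic for the failure sudo describes above. It resolves which mount covers a given path, reports whether that mount carries nosuid, and checks the set-user-ID bit with the POSIX `test -u`, which is the check to run inside the VM or container before assuming the image itself is broken. The mount table, device names and mount points in SAMPLE_MOUNTS are constructed for the example; on a real system feed /proc/self/mounts on stdin instead.

```shell
#!/bin/sh
# Added diagnostic, not Finch's or crops/poky's code: find the mount that covers
# a path and whether it carries 'nosuid'. A setuid binary keeps its mode bits on
# such a mount, but the kernel drops the uid change on exec, which produces the
# "effective uid is not 0" message sudo prints in the report above.

# Constructed mount table in /proc/self/mounts format
# (device mountpoint fstype options dump pass). Devices and mount points are
# invented for this example; use a real table with: covering_mount PATH < /proc/self/mounts
SAMPLE_MOUNTS='/dev/vda1 / ext4 rw,relatime 0 0
/dev/vdb1 /mnt/data ext4 rw,nosuid,nodev,relatime 0 0
/dev/vdb1 /mnt/data-exec ext4 rw,relatime 0 0'

# covering_mount PATH        (mount table on stdin)
# Prints "MOUNTPOINT OPTIONS" for the longest mount point that is a prefix of
# PATH on a component boundary, so /mnt/data does not claim /mnt/data-exec.
covering_mount() {
    path=$1
    best_mnt=''
    best_opts=''
    best_len=0
    while read -r _dev mnt _fstype opts _dump _pass; do
        [ -n "$mnt" ] || continue                  # skip blank lines
        case "$mnt" in
            /) case "$path" in                     # root covers every absolute path
                   /*) match=1 ;;
                   *)  match=0 ;;
               esac ;;
            *) case "$path" in
                   "$mnt"|"$mnt"/*) match=1 ;;
                   *) match=0 ;;
               esac ;;
        esac
        [ "$match" -eq 1 ] || continue
        if [ "${#mnt}" -gt "$best_len" ]; then
            best_mnt=$mnt
            best_opts=$opts
            best_len=${#mnt}
        fi
    done
    [ -n "$best_mnt" ] || return 1
    printf '%s %s\n' "$best_mnt" "$best_opts"
}

# mount_has_nosuid PATH      (mount table on stdin)
# Exit 0 if the covering mount has nosuid, 1 if not, 2 if nothing covers PATH.
mount_has_nosuid() {
    entry=$(covering_mount "$1") || return 2
    opts=${entry##* }
    case ",$opts," in
        *,nosuid,*) return 0 ;;
        *)          return 1 ;;
    esac
}

# file_is_setuid PATH  -> 0 if the set-user-ID bit is present (POSIX test -u)
file_is_setuid() {
    [ -u "$1" ]
}

# explain_sudo_failure BINARY MOUNTS_FILE
# Classifies why BINARY would not gain uid 0. Exit 0 only for the nosuid case
# seen in this issue, so a caller can branch on it.
explain_sudo_failure() {
    bin=$1
    table=$2
    if ! file_is_setuid "$bin"; then
        printf '%s: setuid bit missing; fix the image, not the mount\n' "$bin"
        return 1
    fi
    rc=0
    mount_has_nosuid "$bin" < "$table" || rc=$?
    case $rc in
        0) mnt=$(covering_mount "$bin" < "$table" | cut -d' ' -f1)
           printf '%s: setuid bit set but %s is mounted nosuid; the kernel ignores it on exec\n' "$bin" "$mnt"
           return 0 ;;
        1) printf '%s: setuid bit set and mount allows it; suspect the NFS-without-root case sudo mentions\n' "$bin"
           return 1 ;;
        *) printf '%s: no mount entry covers this path\n' "$bin"
           return 1 ;;
    esac
}

# Walk the constructed table: only the first path sits under the nosuid mount.
for p in /mnt/data/rootfs/usr/bin/sudo /mnt/data-exec/usr/bin/sudo /usr/bin/sudo; do
    printf '%-32s -> ' "$p"
    printf '%s\n' "$SAMPLE_MOUNTS" | covering_mount "$p"
done
```

Inside the affected container, `covering_mount /usr/bin/sudo < /proc/self/mounts` (or `findmnt --target /usr/bin/sudo` where util-linux is present) answers the question in sudo's own message: if the covering mount lists nosuid, no chown or chmod on the volume will make sudo work, because the kernel ignores the setuid bit on exec for that mount. The check reads mount options only; it does not detect the NFS case sudo also mentions.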

mharwani commented 3 months ago

There are issues with changing permissions on a mounted directory with QEMU: https://github.com/lima-vm/lima/issues/231

I see a different error when I switch to "vz":

$ finch run -it --rm -v ~/workplace/workdir:/workdir juno/yocto --workdir=/workdir
The uid:gid for "/workdir" is "0:0". The uid and gid must be non-zero. Please check to make sure the "volume" or "bind" specified using either "-v" or "--mount" to docker, exists and has a non-zero uid:gid.