vagga wrapper fails when changing directory (really rare case)

tailhook / vagga

Vagga is a containerization tool without daemons

http://vagga.readthedocs.org

MIT License

1.86k stars 96 forks source link

vagga wrapper fails when changing directory (really rare case) #395

Open anti-social opened 7 years ago

anti-social commented 7 years ago

ERROR:vagga::wrapper: Error executing test: Error running <Command "/bin/sh" "-c" "$PG_BIN/postgres \\\n  -F \\\n  -D $PG_DATA \\\n  --port=$PG_TEST_PORT \\\n  -k /tmp >/dev/null\n" "--"; environ[46]; work-dir="/work"; uid=900; gid=0; gids=[]>: Error running <Command "/bin/sh" "-c" "$PG_BIN/postgres \\\n  -F \\\n  -D $PG_DATA \\\n  --port=$PG_TEST_PORT \\\n  -k /tmp >/dev/null\n" "--"; environ[46]; work-dir="/work"; uid=900; gid=0; gids=[]>: error when setting working directory: Permission denied (os error 13)

To reproduce set user-id: 1 for any vagga command, execute chmod go-rwx . and run the command.

Error distracted me because of chdir syscall that occurs between fork and exec syscalls:unshare/src/child.rs

tailhook commented 7 years ago

Well, technically error is clear enough: error when setting working directory: Permission denied (os error 13) This means that at least we have enough info to make some heuristics and description text. But it's not obvious what heuristics might be (just chmod of /work, or any dir?) and how applicable they are (only directly running user commands or other things as well?)

tailhook commented 7 years ago

I think it turns out we need some cool error reporting heuristics in unshare, which work similarly to how we handle errors in libmount: i.e. translate OS error plus some probing to some nice error description. (Just hit similar issue in lithos, but with non-existent executable)

traviscross commented 6 years ago

This issue affects the Django tutorial/example in tree (examples/tutorials/django). If, e.g., our default umask is 0077 and so the directory is chmod 700, then:

$ cd examples/tutorials/django
$ chmod o-x . # noop if directory is already chmod 700
$ vagga run-postgres
ERROR 2018-09-12T17:41:57Z: vagga::wrapper: Error executing run-postgres: Error running <Command "/bin/sh" "-c" "exec $PG_BIN/postgres -F --port=$PG_PORT" "--"; environ[10]; work-dir="/work"; uid=200; gid=200; gids=[]>: Error running <Command "/bin/sh" "-c" "exec $PG_BIN/postgres -F --port=$PG_PORT" "--"; environ[10]; work-dir="/work"; uid=200; gid=200; gids=[]>: error when setting working directory: Permission denied (os error 13)
---------- Process db:8356 exited with code 124. Shutting down -----------

This can be worked around with:

$ chmod o+x .
$ vagga run-postgres
[works]

tailhook commented 6 years ago

What would be an acceptable solution for you? Also print "run chmod if you want to get it working"?

traviscross commented 6 years ago

This seems likely to trip up everyone with a 0077 umask, and people just getting started with vagga are unlikely to intuit the problem. It probably deserves a short section in the manual (e.g. in Running > Errors) explaining where and why this sort of thing is necessary. If we could detect this condition and print a warning, the warning could then link to that for further explanation.

(Of course it would be better if there were a way to magically avoid the need for this somewhat awkward chmod, but it's not clear to me that's possible without e.g. copying all files that will be executed by the container into a subdirectory.)