tazjin / nixery

Container registry which transparently builds images using the Nix package manager. Canonical repository is https://cs.tvl.fyi/depot/-/tree/tools/nixery
https://nixery.dev/
Apache License 2.0

permissions on / for docker://nixery.dev/shell/bash #139

Open truatpasteurdotfr opened 2 years ago

truatpasteurdotfr commented 2 years ago

[tru@elitebook840g3 ~]$ docker images nixery.dev/shell/bash
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
nixery.dev/shell/bash   latest              4edc2efa819a        292 years ago       105 MB
[tru@elitebook840g3 ~]$ docker run -ti nixery.dev/shell/bash bash
bash-5.1# ls -ld /
dr-xr-xr-x 14 0 0 15 Oct 26 22:37 /
bash-5.1# 

As / is not writable by root, this is causing some issues for converting the docker image to a singularity container, but there is a workaround by using singularity build --fix-perms my.sif docker://nixery.dev/shell/bash. There is no such thing afaik when trying to singularity run the docker image.

Would it be possible to "fix" the / permissions?

tazjin commented 2 years ago

This should be relatively simple to fix. Currently I believe the tarballs we create contain no explicit entry for /, so adding that and setting appropriate permissions on it should help.

The only "weird" thing about this is that there will either need to be a special layer for this (bad idea because of layer budgets), or alternatively it would start existing in every tarball (and thus overlapping "in order"). Minor thing but worth thinking about for a bit.

tazjin commented 2 years ago

Clarification question: Are you sure this only needs the permissions set on / itself?

I'm asking because from the singularity build docs it sounds like it's giving root write permissions for every file in the image.

truatpasteurdotfr commented 2 years ago

Hi,

To be honest, I only checked the top level of the docker image! I should have dug a little deeper (i.e. starting a docker image and chmod 755 /, commit and singularity build the new docker image)...

truatpasteurdotfr commented 2 years ago

[tru@elitebook840g3 ~]$ docker images nixery.dev/shell/bash
REPOSITORY              TAG                 IMAGE ID            CREATED             SIZE
nixery.dev/shell/bash   latest              4edc2efa819a        292 years ago       105 MB
[tru@elitebook840g3 ~]$ docker run -ti nixery.dev/shell/bash bash
bash-5.1# ls -ld /
dr-xr-xr-x 14 0 0 15 Oct 31 14:31 /
bash-5.1# find / -type d -perm 555
bash: find: command not found
bash-5.1# ls      
bin  dev  etc  lib  libexec  nix  nix-support  proc  run  share  sys  usr
bash-5.1# ls -ls /nix
total 13
13 drw------- 21 0 0 21 Oct 26 09:58 store
bash-5.1# ls -ld /*
dr-xr-xr-x   2 0 0 131 Jan  1  1980 /bin
drwxr-xr-x   5 0 0 360 Oct 31 14:31 /dev
dr-xr-xr-x   3 0 0   9 Oct 31 14:31 /etc
dr-xr-xr-x   3 0 0   3 Jan  1  1980 /lib
dr-xr-xr-x   3 0 0   3 Jan  1  1980 /libexec
drw-------   3 0 0   3 Oct 26 09:05 /nix
dr-xr-xr-x   2 0 0   4 Jan  1  1980 /nix-support
dr-xr-xr-x 506 0 0   0 Oct 31 14:31 /proc
drwxr-xr-x   3 0 0   3 Oct 31 14:31 /run
dr-xr-xr-x   6 0 0   6 Jan  1  1980 /share
dr-xr-xr-x  13 0 0   0 Oct 29 09:14 /sys
dr-xr-xr-x   3 0 0   3 Jan  1  1980 /usr

I am not familiar at all with nix, so I am already stuck at this level:

bash-5.1# find / -type d -perm 555
bash: find: command not found

So you are probably right, singularity might need more permissions than only the top level!
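The two things discussed in this thread, tazjin's point that the layer tarballs carry no explicit entry for / (so adding one with suitable permissions is the fix, and since layers overlap "in order" it can live in every layer), and the later attempt to list every directory with mode 555 when the image has no find, can both be checked at the tar level without running the image. The Go program below is an added example and not Nixery's own code: it assumes nothing about Nixery's layer layout beyond "a tar stream of directory members", constructs its own directory-only sample layer whose modes mirror the ls output above (0555 for /bin, drw------- for /nix/store), reports whether an explicit root entry exists, prepends one with mode 0755 when it is missing, and audits the merged layers for directories root cannot write to. The function and type names are the example's own.

```go
package main

import (
	"archive/tar"
	"bytes"
	"io"
	"sort"
	"strings"
)

// DirEntry is a directory in a layer tarball with its permission bits. For
// BuildLayer, Path is the tar member name ("./bin/"); AuditDirs returns "/bin".
type DirEntry struct {
	Path string
	Mode int64
}

// normalize maps the spellings a tar may use for one directory ("./", ".",
// "/", "./nix/store/") onto a single absolute path.
func normalize(name string) string {
	if n := strings.Trim(strings.TrimPrefix(name, "./"), "/"); n != "" && n != "." {
		return "/" + n
	}
	return "/"
}

// collectDirs replays layers in order, later entries overriding earlier ones
// (layers overlap "in order"), and returns the directory modes that survive.
func collectDirs(layers ...[]byte) (map[string]int64, error) {
	dirs := map[string]int64{}
	for _, layer := range layers {
		tr := tar.NewReader(bytes.NewReader(layer))
		for {
			hdr, err := tr.Next()
			if err == io.EOF {
				break
			}
			if err != nil {
				return nil, err
			}
			if hdr.Typeflag == tar.TypeDir {
				dirs[normalize(hdr.Name)] = hdr.Mode & 0777
			}
		}
	}
	return dirs, nil
}

// HasRootEntry reports whether the layers carry an explicit entry for "/"
// and, if so, the permission bits it sets.
func HasRootEntry(layers ...[]byte) (bool, int64, error) {
	dirs, err := collectDirs(layers...)
	mode, ok := dirs["/"]
	return ok, mode, err
}

// AuditDirs lists directories lacking the owner-write bit, sorted by path:
// the tar-level counterpart of `find / -type d -perm 555` for images without find.
func AuditDirs(layers ...[]byte) ([]DirEntry, error) {
	dirs, err := collectDirs(layers...)
	if err != nil {
		return nil, err
	}
	var out []DirEntry
	for p, m := range dirs {
		if m&0200 == 0 {
			out = append(out, DirEntry{p, m})
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Path < out[j].Path })
	return out, nil
}

// AddRootEntry prepends an explicit "./" directory with the given mode to a
// layer that has none; a layer that already has one is returned unchanged.
// Only one header block is prepended; the original end-of-archive trailer remains.
func AddRootEntry(layer []byte, mode int64) ([]byte, error) {
	if has, _, err := HasRootEntry(layer); err != nil || has {
		return layer, err
	}
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	root := &tar.Header{Name: "./", Typeflag: tar.TypeDir, Mode: mode}
	if err := tw.WriteHeader(root); err != nil {
		return nil, err
	}
	if err := tw.Flush(); err != nil {
		return nil, err
	}
	return append(buf.Bytes(), layer...), nil
}

// BuildLayer writes a directory-only tarball from constructed sample entries
// (not a Nixery layer); Path is the tar member name.
func BuildLayer(dirs []DirEntry) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	for _, d := range dirs {
		tw.WriteHeader(&tar.Header{Name: d.Path, Typeflag: tar.TypeDir, Mode: d.Mode})
	}
	tw.Close()
	return buf.Bytes()
}
```

Running AuditDirs over the sample layer before and after AddRootEntry shows the root entry appearing with mode 0755 while /bin still turns up as 0555, which is the distinction the clarification question above is about: fixing / alone does not change what the rest of the tree allows. Feeding a second layer that re-declares ./bin/ with mode 0755 makes the audit come back empty, illustrating the "overlapping in order" behaviour tazjin mentions.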