chown/chmod on mounted directory: Permission denied #231
Comments
This is a known limitation of the current sshfs server, which works without root privileges.
Thanks for the info! Is it going to be resolved when VirtFS is built in? Is running rootfully a workaround, and is it documented somewhere? Starting a rootful VM works, but
Sorry, I didn't see your most recent comment #231 (comment)
It should actually be
Thanks for the hint. Unfortunately it doesn't resolve the permission issue.
How could we resolve this with a quick fix (less security but more interop)? If I disable rootless containerd and enable rootful on the guest I can't use nerdctl:
OR why are you using Line 51 in 8092199
Thanks for taking the time :)
If we could get https://github.com/afbjorklund/qemu/commits/9p-darwin merged into the upstream, we will be able to store the file owner info into xattr (or a separate file). https://wiki.qemu.org/Documentation/9psetup (I'm not sure we will use 9p by default, though, due to a performance issue.)
Thanks. Still not quite sure why the sshfs option
or maybe a hacky way of doing it:
These flags have nothing to do with allowing chown/chmod.
Ahh, this is how I confused you. I found this issue after looking for issues regarding "incorrect" host mount permissions. Would that solve it? Sorry for the confusion.
If I build lima myself to test it, is there anything I need to take into account? Do I need to re-create the lima VM if I change these options? Or is a recompile sufficient?
There is nothing special to take into account, and you do not need to re-create the VM; it should just work like the binary you downloaded from GitHub. Volumes are mounted on startup; all you need to do is shut down and start the VM (using your custom build).
Is there any way forward here? I get similar "permission denied" errors, and it's not clear whether it can be fixed in the current setup at all. I am using lima with docker, and regardless of whether I use rootless docker or rootful docker + sudo, I still get permission denied errors. Is it an sshfs limitation, or can we expect it to work in the future (ignoring the 9p work)?
Clarification: I didn't get permission denied for chown itself with the rootful docker installation. Instead I could not connect to docker via the sock file created by this:
I needed to run docker via 127.0.0.1:2375 instead of using a socket file, and now it works fine except for some problems related to the docker image and systemd integration itself, but this is out of scope for this ticket, so you can ignore my last comment.
Any updates or ideas on a plan to solve this? |
The plan is to use
As a followup, the latest version of the 9p patch is https://gitlab.com/wwcohen/qemu/-/tree/9p-darwin and that's where the in-progress work will go as it progresses towards resubmission upstream. Any comments on how to improve would be GREATLY welcomed before I submit again.
Sorry, it was my test error. Tips for others who need help:
Finally it may be necessary to remove the previously mounted directory, e.g.
Now recreate the lima VM; there is no more permission problem.
Latest test: when using 9p for directory mounting, if an executable file in the docker image is copied to the host directory and executed in the container, the following error message may be generated:

bash exec... Connection reset by network

This may be a bug in qemu; you need to install qemu from the master branch to fix it:

```
brew uninstall qemu --ignore-dependencies
brew install qemu --HEAD
```
I use podman via lima-vm; the container is mysql/mysql-server, and it needs mountType: 9p:

```yaml
mounts:
- location: "/Users/xxx/lima_workspace/podman"
  writable: true
  9p:
    cache: mmap
```
@nulllpoint In a recent release, the
The above is useful, the problem was solved. |
For another data point, I'm experiencing the same issue with the new vz driver and the virtiofs mount type. |
I'm using colima. @mritd By the way, happy to see you here. We have exchanged friend links before.
@pawmaster 😆😆😆 off topic, in fact you can directly replace colima with lima:

```yaml
# This example requires Lima v0.8.0 or later
images:
# Hint: run `limactl prune` to invalidate the cache
- location: "https://cloud-images.ubuntu.com/releases/22.04/release/ubuntu-22.04-server-cloudimg-amd64.img"
  arch: "x86_64"
- location: "https://cloud-images.ubuntu.com/releases/22.04/release/ubuntu-22.04-server-cloudimg-arm64.img"
  arch: "aarch64"
arch: "aarch64"
cpus: 8
memory: "16G"
disk: "100G"
mountType: "9p"
mounts:
- location: "~"
  writable: true
  9p:
    securityModel: mapped-xattr
    cache: "mmap"
- location: "/opt/composes"
  writable: true
  9p:
    securityModel: mapped-xattr
    cache: "mmap"
- location: "/tmp/lima"
  writable: true
  9p:
    securityModel: mapped-xattr
    cache: "mmap"
# containerd is managed by Docker, not by Lima, so the values are set to false here.
containerd:
  system: false
  user: false
provision:
- mode: system
  # This script defines the host.docker.internal hostname when hostResolver is disabled.
  # It is also needed for lima 0.8.2 and earlier, which does not support hostResolver.hosts.
  # Names defined in /etc/hosts inside the VM are not resolved inside containers when
  # using the hostResolver; use hostResolver.hosts instead (requires lima 0.8.3 or later).
  script: |
    #!/bin/sh
    sed -i 's/host.lima.internal.*/host.lima.internal host.docker.internal/' /etc/hosts
- mode: system
  script: |
    #!/bin/bash
    set -eux -o pipefail
    if command -v docker >/dev/null 2>&1; then
      docker run --platform=linux/arm64 --privileged --rm tonistiigi/binfmt --install all
      exit 0
    else
      if [ ! -e /etc/systemd/system/docker.socket.d/override.conf ]; then
        mkdir -p /etc/systemd/system/docker.socket.d
        # Alternatively we could just add the user to the "docker" group, but that requires restarting the user session
        # The heredoc body is tab-indented so that <<- strips the indentation and finds the EOF terminator
        cat <<-EOF >/etc/systemd/system/docker.socket.d/override.conf
    	[Socket]
    	SocketUser=${LIMA_CIDATA_USER}
    	EOF
      fi
      export DEBIAN_FRONTEND=noninteractive
      curl -fsSL https://get.docker.com | sh
    fi
probes:
- script: |
    #!/bin/bash
    set -eux -o pipefail
    if ! timeout 30s bash -c "until command -v docker >/dev/null 2>&1; do sleep 3; done"; then
      echo >&2 "docker is not installed yet"
      exit 1
    fi
    if ! timeout 30s bash -c "until pgrep dockerd; do sleep 3; done"; then
      echo >&2 "dockerd is not running"
      exit 1
    fi
  hint: See "/var/log/cloud-init-output.log". in the guest
hostResolver:
  # hostResolver.hosts requires lima 0.8.3 or later. Names defined here will also
  # resolve inside containers, and not just inside the VM itself.
  hosts:
    host.docker.internal: host.lima.internal
portForwards:
- guestSocket: "/run/docker.sock"
  hostSocket: "{{.Dir}}/sock/docker.sock"
message: |
  To run `docker` on the host (assumes docker-cli is installed), run the following commands:
  ------
  docker context create aarch64 --docker "host=unix://{{.Dir}}/sock/docker.sock"
  docker context use aarch64
  ------
networks:
# The instance can get routable IP addresses from the vmnet framework using
# https://github.com/lima-vm/vde_vmnet. Available networks are defined in
# $LIMA_HOME/_config/networks.yaml. Supported network types are "host",
# "shared", or "bridged".
- lima: shared
```
@mritd |
Try posixovl with |
Hey, I really like lima so far and wish I could use it for development, but unfortunately I've come across a workflow-breaking issue.

My docker image copies files into a mounted directory and changes their ownership to the custom user 1000. The copying works just fine, but the chown fails with `Permission denied`. This issue can be confirmed in a shell; `chmod` fails in the same way. It's the same for a custom mount inside of `$HOME` and a directory in `/tmp/lima`. The files end up with

```
drwxrwxrwx 1 nobody nobody 128 Sep 9 13:17 php
```

Manually touched files get

```
-rw-r--r-- 1 nobody nobody 0 Sep 9 13:22 test
```

I'm on an M1 Macbook Pro with macOS 12 and installed QEMU using the provided shell file. The same setup just works with Docker Desktop.
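The symptom in this report (files created on the mount show up as nobody:nobody, and chmod/chown on them are denied) can be checked from a shell inside the guest before and after changing the mount type, which is quicker than rebuilding an image to find out. The script below is an added example written for this page, not code from Lima or from anyone in the thread; the function name `check_mount_perms` is made up here, and it assumes `DIR` is a writable path on the mount under test (for example a directory under `~` or `/tmp/lima` in the guest).

```shell
#!/bin/sh
# check_mount_perms DIR
# Probe whether a mounted directory honours the three operations the issue
# reports as broken: ownership of newly created files, chmod, and chown.
# Added example for this thread; not part of Lima. DIR is assumed to be a
# writable path on the mount you want to test.
check_mount_perms() {
    dir=$1
    probe="$dir/.perm-probe.$$"
    status=0

    # Being able to create a file but not chmod/chown it is exactly the symptom reported.
    : > "$probe" 2>/dev/null || { echo "FAIL: cannot create a file in $dir" >&2; return 2; }

    # 1. Ownership. ls -n prints numeric ids, so the comparison works even when
    #    the uid has no passwd entry. On the sshfs mount the file shows up as nobody.
    owner_uid=$(ls -ldn "$probe" | awk '{print $3}')
    if [ "$owner_uid" = "$(id -u)" ]; then
        echo "ok: new file owned by uid $owner_uid"
    else
        echo "FAIL: new file owned by uid $owner_uid, expected $(id -u)" >&2
        status=1
    fi

    # 2. chmod: the call must succeed AND the mode must actually change,
    #    because some mounts silently ignore it instead of returning EPERM.
    if chmod 0640 "$probe" 2>/dev/null && [ "$(ls -ldn "$probe" | cut -c1-10)" = "-rw-r-----" ]; then
        echo "ok: chmod honoured"
    else
        echo "FAIL: chmod not honoured" >&2
        status=1
    fi

    # 3. chown to our own uid: allowed for a file we own, but denied when the
    #    mount reports the file as belonging to someone else (nobody).
    if chown "$(id -u)" "$probe" 2>/dev/null; then
        echo "ok: chown honoured"
    else
        echo "FAIL: chown not honoured" >&2
        status=1
    fi

    rm -f "$probe"
    return $status
}

# Usage: sh check_mount_perms.sh /tmp/lima/somedir   (exit status 0 means all three checks passed)
if [ $# -gt 0 ]; then
    check_mount_perms "$1"
fi
```

Run it once against a directory on the default sshfs mount and once on a `9p` mount with `securityModel: mapped-xattr`: with mapped-xattr, QEMU stores the guest's uid/gid/mode in extended attributes on the host file, so all three checks pass for the guest user while the host-side files stay owned by the host user.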