This repository has been archived by the owner on Dec 7, 2023. It is now read-only.

Incorrect privileges on image root #240

Closed
praseodym opened this issue Jul 28, 2019 · 9 comments · Fixed by #249
Labels: contributor-assigned, kind/bug, priority/important-soon

@praseodym
Contributor

praseodym commented Jul 28, 2019

When running a VM with the weaveworks/ignite-ubuntu:latest image I ran into problems starting the systemd-resolved service (which is expected by kubeadm, at least when using kubespray). It turns out that this problem was caused by the non-root systemd-resolve user not being able to access the systemd-resolved binary.

It turns out that this is because of incorrect privileges on the image's root directory:

root@17b9791da8ac3e62:~# ls -la /
total 36
drwx------ 22 root root  1024 Jul 26 11:00 .

A normal Linux system has drwxr-xr-x (0755) for /. Both the Ubuntu and CentOS images have this problem.

@praseodym
Contributor Author

Looks like the problem is not in the OCI images themselves, but somewhere in Ignite itself:

> docker run --rm -it weaveworks/ignite-ubuntu ls -la
total 8
drwxr-xr-x   1 root root    6 Jul 28 19:52 .

@DieterReuter
Contributor

There is also a problem with apt update, it doesn't work with this VM image weaveworks/ignite-ubuntu:latest. As soon as you fix it with chmod 755 /, the command apt update is working!

@DieterReuter
Contributor

I just want to confirm, with fixing the image root's directory via chmod 755 / all the error messages from booting the VM image weaveworks/ignite-ubuntu:latest are resolved!

@DieterReuter
Contributor

Ping @luxas. Can you please have a quick look at this issue? Maybe you could point us to the right code, where we could fix the folder permission in Ignite.

luxas added the kind/bug label Jul 29, 2019
luxas added this to the v0.5.0 milestone Jul 29, 2019
luxas added the priority/important-soon label Jul 29, 2019
@luxas
Contributor

luxas commented Jul 29, 2019

So we basically do docker export > archive.tar, and then tar -x -f archive.tar -C mountpath
https://github.com/weaveworks/ignite/blob/master/pkg/dmlegacy/image_format.go#L59

There we'd have to do chmod 755; alternatively pass some kind of "preserve permission data" option to tar. @DieterReuter can you take a look and help fix this?

@praseodym
Contributor Author

ioutil.TempDir does a chmod 0700, so doing a chmod 0755 afterwards (or maybe better yet, creating a new directory in the TempDir with mode 0755 to avoid making it readable for other local users) will probably fix this.
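
The suggestion in the comment above, as an added example (not Ignite's code and not the change made in #249): a 0755 directory created inside the 0700 temporary directory, plus a check of the mode that will become the guest's /. The names newRootDir, checkRootMode, image-example- and rootfs are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// newRootDir returns a private scratch dir and a 0755 child to extract into (hypothetical names).
func newRootDir() (scratch, root string, err error) {
	// os.MkdirTemp (the successor of ioutil.TempDir) creates the directory 0700.
	scratch, err = os.MkdirTemp("", "image-example-")
	if err != nil {
		return "", "", err
	}
	root = filepath.Join(scratch, "rootfs")
	if err = os.Mkdir(root, 0755); err != nil {
		os.RemoveAll(scratch)
		return "", "", err
	}
	// os.Mkdir is subject to the umask; Chmod sets the mode exactly.
	if err = os.Chmod(root, 0755); err != nil {
		os.RemoveAll(scratch)
		return "", "", err
	}
	return scratch, root, nil
}

// checkRootMode fails if group or other lack r-x on dir, the condition
// that locks non-root users out once dir is used as the guest's "/".
func checkRootMode(dir string) error {
	fi, err := os.Stat(dir)
	if err != nil {
		return err
	}
	if perm := fi.Mode().Perm(); perm&0055 != 0055 {
		return fmt.Errorf("%s has mode %04o, want 0755", dir, perm)
	}
	return nil
}

func main() {
	scratch, root, err := newRootDir()
	if err != nil {
		panic(err)
	}
	defer os.RemoveAll(scratch)
	fmt.Println("scratch dir:", checkRootMode(scratch))
	fmt.Println("image root: ", checkRootMode(root))
}
```

The scratch directory stays unreadable to other local users while the extraction target carries the mode expected for /.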

@luxas
Contributor

luxas commented Jul 29, 2019

Can you send a PR for this please?

@praseodym
Contributor Author

Turns out the problem was not with the base image, but with the overlay. PR including some details at #249!

@DieterReuter
Contributor

I already tested this fix, works like a charm!!! 🎉👍🤓

Thanks 🙏, @praseodym!

luxas added the contributor-assigned label Jul 31, 2019