# File Copy Breaks Permissions?

vapid elm
#

Been troubleshooting an issue while writing some dependabot integrations... See attached Gist for reproduction.

• Engine: 34af08e4c1b7 (version v0.8.4)

As near as I can tell the WithFile command somehow alters or breaks permissions in my container. The below snippet will return Permission Denied in the test_perms_fail func.

https://gist.github.com/stobias123/46c7b9dce0506349ddeb6597674f19cd

#

Output after running above main.go

┃ │ Stdout:
┃ │
┃ │ Stderr:
┃ │ touch: cannot touch '/home/dependabot/.gitconfig': Permission denied
┃ │ Please visit https://dagger.io/help#go for troubleshooting guidance.
┃ │
│ █ [0.18s] ERROR exec touch /home/dependabot/.gitconfig
│ ┃ touch: cannot touch '/home/dependabot/.gitconfig': Permission denied
#

LMK if this is better suited for GH Issues

broken cliff
#

seems to be working as designed. WithFile has a permissions setting you can specify in the ContainerWithFileOpts struct specifically for this use-case

vapid elm
#

not sure I follow?

#

my WithFile is creating an entirely different file

#

Note: /home/dependabot/dependabot-updater dir exists already.

  1. Create file (dagger) at /home/dependabot/dependabot-updater/job.json
  2. Touch file (withexec bash) at /home/dependabot/.gitconfig - fail.

Confusing to me how permissions could come into play at all in this flow

broken cliff
#

@vapid elm I meant Owner instead of permissions. This works:

func test_perms_fail(client *dagger.Client, ctx context.Context) {
    dependabotImage := "ghcr.io/dependabot/dependabot-updater-terraform"

    job := client.Host().File("foo.txt")
    out, err := client.Container().From(dependabotImage).
        WithExec(
            []string{
                "pwd",
            }).
        WithExec(
            []string{
                "id",
            }).
        WithFile("/home/dependabot/dependabot-updater/job.json", job, dagger.ContainerWithFileOpts{Owner: "dependabot:dependabot"}).
        WithExec(
            []string{
                "touch",
                "/home/dependabot/.gitconfig",
            }).Stdout(ctx)
    if err != nil {
        panic(err)
    }
    fmt.Println(out)
}
#

the reason your case fails is that since WithFile creates a new file in the overlay path, it changes /home/dependabot permissions from dependabot:dependabot to root:root

vapid elm
#

huh interesting ok.

Appreciate the explanation.

tiny plank
#

@vapid elm This doesn't come up all that often, so hope you don't mind if I pester you for input for a bit. To confirm, this image sets the user as dependabot and you expected WithFile to inherit that user as the owner? Also would you expect different behavior from WithMountedFile?

#

If we're able to use idmapped mounts (assuming Linux 5.12+) that could eliminate all of the technical hurdles, so flipping the default could be back on the table.

vapid elm
#

sorry for the late response here, and TBD on reading the links.

My expectation was for this to behave similar to a docker copy. It seems that has cache or some buildkit CoW implications though..?

➜  dependabot-service git:(master) ✗ /bin/cat Dockerfile.test
FROM ghcr.io/dependabot/dependabot-updater-terraform
COPY foo.txt /home/dependabot/dependabot-updater/foo.txt
RUN touch /home/dependabot/.gitconfig

... build and run 

dependabot@1d2d7eb63231:~/dependabot-updater$ ls -alr | grep -E 'foo|gitignore'
-rw-r--r-- 1 dependabot dependabot   35 Aug 17 23:40 .gitignore
-rw-r--r-- 1 root       root          3 Aug 22 14:36 foo.txt
tiny plank
#

afaict it works the same:

FROM ubuntu
RUN useradd potato
USER potato:potato
RUN whoami
COPY Dockerfile /potato
RUN ls -al /potato
Step 6/6 : RUN ls -al /potato
 ---> Running in 28e0916a7050
-rw-r--r-- 1 root root 94 Aug 23 14:19 /potato
broken cliff
#

@tiny plank I think it's different for deep paths.

What I observed is:

WithFile `/home/user/foo/bar.txt`

^ this will cause all the directory tree ownership to change

#

Dockerfile COPY /home/user/foo/bar.txt seems like it doesn't touch the permission of already existing directory structure

tiny plank
#

ah yeah i see

tiny plank
#

Nope, we should just open an issue to investigate (I can when back at PC)

broken cliff
#

pretty sure Dockerfile doesn't use it unless you specify the --link flag

tiny plank
#

yeah, it's possible