#The file I create in container A cannot be used by the `nobody` user in container B

Hello, I am a new user to dagger.
Context:

• I tried using modules, but there are limitations on the client.Host functionality and client.Git functionality
• Thus, I am using the dagger.io/dagger client without dagger modules

The task I want to accomplish is as follows

1. [SUCCESS] load my private git repo
2. [SUCCESS] run cue cmd dump which returns a *File (config.yaml)
3. [SUCCESS] Add the*File (config.yaml) to a new container's filesystem
4. [SUCCESS] Expose oci registry running on the host (WithServiceBinding(reg, hostSrv).)
5. [PERMISSION DENIED] Use the *File (flux push artifact...)

I suspect the file permissions are to blame? But I'm not a linux administrator so this is kind of a showstopper.

█ [0.15s] exec id
┃ uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)

█ [0.13s] exec ls -ls config.yaml
┃      4 -rw-r--r--    2 root     root           716 Apr  3 22:09 config.yaml    fmt.Println(result)

How can I proceed?
This behavior is unintuitive. I would expect to be able to use the file because I created the file in the same pipeline.

Am I doing something wrong?

█ [2.77s] ERROR exec flux push artifact oci://zot/ociv2/apps/crossplane:v0.0.4 --source git@<url>.git --path ./ --revision @sha1:<sha>
┃ ► pushing artifact to zot/ociv2/apps/crossplane:v0.0.4
┃ ✗ pushing artifact failed: error creating layer: open /home3785664481: permission denied

Furthermore... am I still going to be able to use dagger this way? Or will functionality around Host be removed as well?

I've posted this in stackoverflow
https://stackoverflow.com/questions/78273787/dagger-io-container-with-host-to-container-service-fails-to-flux-push-artifact-t

Hey @winter kestrel 👋

I suspect the file permissions are to blame? But I'm not a linux administrator so this is kind of a showstopper.

Do you mean you are not able to update the file permission with chmod +x config.yaml?

I tried using modules, but there are limitations on the client.Host functionality and client.Git functionality

What limitations are you facing ?

cc @hot cairn @rigid pelican

Let me try chmod. I didn't think of that :doh: I was looking for a method in the dagger docs to get it done

The limitation is that the Host() function is not available in dagger modules

Git() depends on that to clone private repos over SSH

☝️ specifically dagger.Container().Host()

hmm

█ [0.14s] ERROR exec chmod +x config.yaml
┃ chmod: config.yaml: Operation not permitted

I can post the code, perhaps I am doing something painfuly obviously wrong

would this help? https://docs.dagger.io/manuals/developer/overview/942201/execution-environment/#host-resources

yes this could help 🙏

The Workdir and WorkdirFile APIs on CurrentModule allow you to load directories and files
Ah.

I will try that later

    result, _ := client.Container().
        From("ghcr.io/fluxcd/flux-cli:v2.2.3").
        WithFile("/home/config.yaml", content.Content).
        WithWorkdir("/home").
        WithServiceBinding(reg, hostSrv).
        WithoutEntrypoint().
        WithExec([]string{"chmod", "+x", "config.yaml"}).
        WithExec(strings.Fields(flux)). // Permission denied
        Stdout(ctx)

The flux command:

    flux := fmt.Sprintf(`flux push artifact %s
        --source git@codeberg.org:carsaredumb/local-kind.git
        --path ./
        --revision @sha1:%s
    `, ociUrl, commit)

could you update the line:
WithFile("/home/config.yaml", content.Content, 0666).

this should set the correct permission for the config.yaml, then you can remove the line WithExec([]string{"chmod", "+x", "config.yaml"}).

sorry not 0666

0555

WithFile("/home/config.yaml", content.Content, 0555).

or maybe 0777 😬

I CAN TRY THEM ALL muahaha

My linter didn't allow an unsigned int. So I tried WithFile("/home/config.yaml", content.Content, dagger.ContainerWithFileOpts{Permissions: 0777}).
... and it still throws the same permission denied

Could it be that the problem is not dagger, but the zot registry?

How can I tell if it is the zot registry not allowing me to create layer or dagger?

┃ ► pushing artifact to zot/ociv2/apps/crossplane:v0.0.4
┃ ✗ pushing artifact failed: error creating layer: open /home1823960391: permission denied

Or is it flux that simply can't open that file?

could it be a podman setting somewhere?
Ah, I forgot to mention, I am using podman, not docker

❯ dagger version
dagger v0.10.3 (registry.dagger.io/engine) darwin/amd64

should I upgrade?

🤔 I'm not sure to be the best person to answer... cc @hot cairn @rigid pelican @soft viper

Yes it doesn't hurt

oof

after the upgrade there is no output from dagger. It flashes a few lines and then everything disappears

❯ go mod tidy
go: downloading dagger.io/dagger v0.11.0
go: foo.bar imports
        dagger.io/dagger: reading dagger.io/dagger/go.mod at revision v0.11.0: unknown revision v0.11.0

go list shows nothing

Hi, catching up...

@winter kestrel, rather than using dag.Host, in modules you just put a *Directory as an argument and provide it via CLI (could be a local path, a git ref, etc...). You can see an example in https://docs.dagger.io/quickstart/292472/arguments#pass-a-directory-as-argument.

oh!

ok I didn't know that could be a repo

how can I auth over SSH?

I'd still need the host ssh thing no?

    // Retrieve path of authentication agent socket from host
    sshAgentPath := os.Getenv("SSH_AUTH_SOCK")

    // Private repository with a README.md file at the root.
    return client.
        Git("ssh://git@codeberg.org/carsaredumb/local-kind.git", dagger.GitOpts{
            SSHAuthSocket: client.Host().UnixSocket(sshAgentPath),
        }).
        Branch("main").
        Tree()

and how would I do a service on the host's localhost?

    hostSrv := client.Host().Service([]dagger.PortForward{
        {Frontend: 5000, Backend: 5000},
    })

SSH socket not yet supported, but you can follow these for an update:

• https://github.com/dagger/dagger/issues/6747
• https://github.com/dagger/dagger/issues/6726

Could you pull the file via ssh in your host and feed the file to the dagger module in the meantime?

My most pressing problem now though, is that I get no dagger output after upgrading to v0.11.0

then it is the permission denied problem

For a service, you just return the *Service in the function, and via CLI you chain up. More on that here: https://docs.dagger.io/manuals/developer/go/742930/services.

That release is minutes old. What do you want to work on first? Downgrade and permission issue, or walk through the missing output?

let me figure out how to downgrade a homebrew install

I'd rather work on the permission issue

I'll be just a few minutes

I think it's going to be easier to uninstall from homebrew and use the installer with specific version: https://docs.dagger.io/install

Ok I've downgraded

I have the stdout again

yeah that's what I did

0.10.3 is no longer available by homebrew

lol minutes old

how could I be so bold

I saw the blog post and thought an upgrade might help 🙂

hmm

ok so I only now notice that there is this upstream->downstream error readfrom

is there a way to share a go file without clogging up the chat?

nice. I am learning Discord

Can you debug this?

fmt.Printf("%v\n", strings.Fields(flux))

yes, that's just to not have to quote each word

I'll fmt it

❯ go run main.go 
flux push artifact oci://zot/ociv2/apps/crossplane:v0.0.4
        --source git@codeberg.org:carsaredumb/local-kind.git
        --path ./
        --revision @sha1:eaa3d42463b823fd6fb14709826e42449e49d79e

I can also switch to []strings{...} way

I want to see what each arg is. Like:

fmt.Println(strings.Join(strings.Fields(flux), ":"))

I'm on it

❯ go run main.go
flux:push:artifact:oci://zot/ociv2/apps/crossplane:v0.0.4:--source:git@codeberg.org:carsaredumb/local-kind.git:--path:./:--revision:@sha1:eaa3d42463b823fd6fb14709826e42449e49d79e

or I can use a different delimiter

It appears the permission issue is in the remote where flux pushes to.

❯ go run main.go
flux^^push^^artifact^^oci://zot/ociv2/apps/crossplane:v0.0.4^^--source^^git@codeberg.org:carsaredumb/local-kind.git^^--path^^./^^--revision^^@sha1:eaa3d42463b823fd6fb14709826e42449e49d79e

ok I see

how can you tell? what is the clue?

Based on last line, on pushing artifact: open /homexxxxx: permission denied

Btw that TUI is older and was removed in 0.11.0. Do you happen to have an env variable setting which TUI you want to use?

oh?

I have not set any TUI

I did not know it was configurable

Yeah, via --progress.

Oh, I think it's because you're using dagger run.

I've not used that in a very long time.

oh I see

Yeah. Since I'm able to auth with my private repo using Git() this way it is an easier user experience than modules

but you sent an article with possibly something that might work

so I'll give that a look when I have a moment

Also, the service I'm trying to use is long lived

I don't want it to disappear as soon as the pipeline finishes

so that is why I'm running it on the host

You can also use existing module like this one for Git:
https://daggerverse.dev/mod/github.com/shykes/daggerverse/supergit@dfb1f91fa463b779021d65011f0060f7decda0ba#Supergit.remote

but maybe I will just try ECR

Marco's problem is the authentication part. Specifically via ssh auth.

Do you have other means of authenticating? Or just ssh auth?

https://daggerverse.dev/mod/github.com/puzzle/dagger-module-git-actions/git-actions@ba354569d342d9ce311cadad88391048c610d584

maybe ?

The main focus is to work with a Git Repository by SSH authentication.

Oh, that's interesting. Yeah, you pass your private key as a secret and that module creates a container that is capable of doing the ssh based clone. That'll work 🙂

I'm using this for local development, I'm used to auth via ssh for git repos. Is there an alternative?

Yeah, https for example. Token, auth header.

oh nice I see that module might help

nice

thanks for all your help today I really appreciate it!

this will get me going

I'll give that module a shot and try to use ECR instead of a local registry

(or I'll bug the people over at Zot about what might be happening... or podman?)

If you run that flux command from your host it works ok, right?

yeah

it's a bummer because I want to suggest this as a local/remote development tool for my team

There must be something else from your environment that needs to be replicated in the container.

and if I can't get zot to work it's not as cool. Still cool, but not as cool as it could be 🙂

yeah. Maybe I have to look into podman networking

What's zot, can you point to the website?

because it is running as a podman container

https://zotregistry.dev/v2.0.3/

the command I'm running is this

❯ podman run -d -p 5000:5000 --name oras-quickstart ghcr.io/project-zot/zot-linux-amd64:latest

so the path is dagger-container -> host -> podman-container

there is probably something going on there

So you're trying to connect to a service running in your host from dagger?

(I found zot through the getting started for the oras oci registry tool: https://oras.land/docs/quickstart#install-zot-registry)

yes that's right

Oh, so you need a tunnel for that.

oh

Let me find an example

not this?

    hostSrv := client.Host().Service([]dagger.PortForward{
        {Frontend: 5000, Backend: 5000},
    })

I remember I saw Tunnel() but for whatever reason I skipped over it

I guess I will look at it again!

No, a tunnel is for exposing a service in dagger to the host. I forgot you had the port forward. That should be ok.

Do we need any docs updates for this?

hmm. I think everything was already in documentation. I just didn't know what to look for

I don't think it's a networking issue. From the error it looks to me like the flux push command is trying to publish the artifact to a place it doesn't have access to. You could try changing the --path arg (the ./ looks like it's putting it in $HOME on account of the open /home2113103238: permission denied error message), for example, or maybe there's some other flag missing for authentication that may be being picked up automatically from your host env when you run it locally. Seeing https://fluxcd.io/flux/cmd/flux_push_artifact/ there's several flags related to user/permissions/authentication.

Re: the ssh auth, and following what I said about providing *Directory as an argument, I forgot that the CLI already does what you're doing there by default (it uses $SSH_AUTH_SOCK and dag.Git with dag.Host().UnixSocket()).

So you just provide the git URL via the CLI call and it should work the same. And it also decouples your function from the source's location. This means you could easily call it with a local path to test, for example, or change repo without changing your code.

The downside is having to provide the repo URL every time you call the function, but we're working on making that easier so it'll get saved, possibly in the dagger.json file as a default value.

Thanks for the follow up!

I'll give that a try 👍 👍

The downside is having to provide the repo URL every time you call the function, but we're working on making that easier so it'll get saved, possibly in the dagger.json file as a default value.

Do we have an issue for that, @rigid pelican ?