Allow specifying uid:gid:mode for empty mount directories created by rkt
Currently if container processes are running as a non-root user, there is no simple way to populate designated mountpoints with default content if they are not mounted by the user.
- Content pre-staged in the mountpoint is masked by the empty directory created if nothing is mounted
- Content pre-staged elsewhere in the ACI cannot be copied into the now-empty mountpoint because the directory is created with root-writable permissions only
Example: a process running as a user that wants to read its config file from the /etc directory, so /etc is listed as a mountpoint in the manifest to make it easy to provide a user-written config file.
For this (and other reasons like supporting the ability to run processes with different uid/gid in the same ACI), it should be possible to specify default uid, gid and permissions for an empty mountpoint. (This can currently be done by rkt at runtime, but the user running the container has to specify them on the command-line, rather than defaults being provided to make that not always necessary.)
Right now there's no way to specify this information in the AppC spec, so this change will need to be added there before acbuild could have this functionality.
You may be able to add a pre-start event handler to populate whatever files you need in these mount points, something like acbuild set-eh pre-start /initialize.sh. Would that be sufficient for you?
I don't think that works -- when I include /bin/chown in a container and try to chown the empty mount directories from a pre-start script, I get "Operation not permitted" -- copying the files also fails of course. The pre-start handler runs under the uid:gid specified with acbuild set-{user,group} (verified by having it echo the values of $UID and $GROUPS to stdout).
Even if that can be made to work, it would still be nice to have this be a first-class operation, as it is in many package managers. File an issue against AppC?
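As an added illustration of the pre-start approach discussed above (this is not acbuild's or rkt's own code, and the script name /initialize.sh and the staged-defaults path are assumptions), the following hypothetical handler only copies staged defaults into a mountpoint when the uid it runs under can actually write there, and otherwise reports the owner and mode of the directory it found instead of failing with a bare "Operation not permitted":

```shell
#!/bin/sh
# Hypothetical pre-start handler (added example; not acbuild's or rkt's own code).
# Runs under the uid:gid set with acbuild set-user / set-group, so it can only
# populate mountpoints that uid can write to. Where rkt has created a root-only
# empty directory, it reports that clearly rather than silently failing.

# Return 0 if $1 exists, is a directory, and is writable by the current user.
mountpoint_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# populate_mountpoint STAGED TARGET
# Copy the contents of STAGED into TARGET when TARGET is empty.
# Exit status: 0 if copied or already populated, 2 if TARGET is not writable.
populate_mountpoint() {
    staged=$1
    target=$2
    if ! mountpoint_writable "$target"; then
        # Show who owns the directory and its mode, which is the information
        # needed to see that the default created by rkt is the problem.
        printf 'pre-start: uid %s cannot write to %s: %s\n' \
            "$(id -u)" "$target" "$(ls -ld "$target" 2>&1)" >&2
        return 2
    fi
    # Something was mounted by the user (or already staged): leave it alone.
    if [ -n "$(ls -A "$target")" ]; then
        return 0
    fi
    cp -R "$staged"/. "$target"/
}

# Usage (paths assumed): initialize.sh /usr/share/defaults/etc /etc
if [ $# -eq 2 ]; then
    populate_mountpoint "$1" "$2"
fi
```

The writability check is what the thread's chown attempt runs into: when the handler runs as the configured non-root uid and the directory was created root-writable only, the copy step is skipped and the diagnostic goes to stderr, which makes the missing default-ownership feature visible in the container's output rather than in a later failed read of the config file.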
Filed an issue against AppC for you. I'll leave this open for when/if AppC adds the necessary functionality.