Permission denied on /tmp/git #325
Comments
Are you using it under docker directly, or under kubernetes?

On Sat, Jan 16, 2021, 4:10 PM akloeckner wrote:
When using git-sync in the recommended way, by bind-mounting the destination folder onto /tmp/git, I get the following error:
E0116 23:29:01.393979 11 main.go:455] "msg"="too many failures, aborting" "error"="Run(git clone --no-checkout -b master ssh://[...].git /tmp/git): exit status 1: { stdout: \"\", stderr: \"Cloning into '/tmp/git'...\\n/tmp/git/.git: Permission denied\\n\" }" "failCount"=0
This is the case for an empty bind-mount and also if I use a volume.
I have read #245 (comment) and the workaround there also works for me: Mount the volume onto /tmp directly.
So, I wondered why this is...
Loading the fresh image with only a sleep command lets me inspect the initial contents of tmp:
$ ls -la
total 8
drwxrwxrwt 1 root root 4096 Jan 5 17:18 .
drwxr-xr-x 1 root root 4096 Jan 16 23:48 ..
As we can see, /tmp is world-writeable, so the git-sync user can create his own git directory here and work with it. This is why mounting a new volume onto /tmp works as expected:
$ ls -la /tmp
total 16
drwxrwxrwt 4 root root 4096 Jan 16 23:45 .
drwxr-xr-x 1 root root 4096 Jan 16 23:45 ..
drwx------ 2 git-sync 65533 4096 Jan 16 23:45 .ssh
drwxr-xr-x 4 git-sync 65533 4096 Jan 16 23:45 git
*CAVEAT*: The checked-out folder structure will be VOLUME/git/SYMLINK in this case. If I want to get rid of the git folder in between, e.g. for mounting the volume into an nginx container, I end up with a SYMLINK inside /tmp. Since /tmp has the t flag set, I cannot follow this link as root user, such as when I'm in a standard nginx container...
If I mount an empty volume onto /tmp/git, it will not be writeable by git-sync:
$ ls -la /tmp
total 12
drwxrwxrwt 1 root root 4096 Jan 16 23:53 .
drwxr-xr-x 1 root root 4096 Jan 16 23:53 ..
drwxr-xr-x 2 root root 4096 Jan 16 23:52 git
Apparently, the /tmp/git folder is created as root by docker itself, when mounting the volume.
*Suggested improvement:*
This is why I would suggest creating the git folder from the docs already in the image and making it owned by git-sync. This would also address the caveat mentioned above, because the new git folder would ideally not have the t flag enabled...
What do you think?
Directly in docker
Can you show me a docker command line to illustrate your point? As long as the "outside" dir exists before you bind mount it, the perms will not be changed. I don't use docker (directly) for anything productionable, so I am not sure what exactly you are doing. I know docker's mkdir-as-root bindmount behavior has bitten many people.
Sure, here are the three cases from above as pure docker one-liners... Note that I use empty volumes instead of bind mounts, because I am trying to avoid fiddling with the host file system as much as possible. Not sure what will happen with bind mounts. (Probably, the cases will be more diverse, since we have to take into account the host permissions on the bind mount source, as you pointed out.) Nevertheless, Pure image:
IMO docker's unnamed volumes "feature" is one of the more poorly thought-out facets of the tool. As you can see here (moby/moby#2259) this has been an issue for 7+ years.
Kubernetes solves this by making volumes group-accessible. Docker has no equivalent.
In the v4 branch of git-sync I am planning to make `--root` be required and not defaulted (I keep accidentally creating /home/thockin/git when developing), so even assuming /tmp/git becomes dubious.
I will spend a bit of time thinking about a better answer here, but the short story is that docker volumes kind of fall flat in this regard.
On Thu, Jan 21, 2021 at 8:33 AM akloeckner wrote:
Sure, here are the three cases from above as pure docker one-liners... Note that I use empty volumes instead of bind mounts, because I am trying to avoid fiddling with the host file system as much as possible. Not sure what will happen with bind mounts. (Probably, the cases will be more diverse, since we have to take into account the host permissions on the bind mount source, as you pointed out.) Nevertheless, git-sync should work with volumes, right?
Pure image: git-sync user can write to /tmp and thus also /tmp/git:
# docker run --entrypoint="" k8s.gcr.io/git-sync/git-sync:v3.2.2 ls -la /tmp
total 8
drwxrwxrwt 1 root root 4096 Jan 5 17:18 .
drwxr-xr-x 1 root root 4096 Jan 21 16:24 ..
Mount volume on /tmp: git-sync user can write to /tmp and thus also /tmp/git:
# docker run --entrypoint="" -v emptyvol1:/tmp k8s.gcr.io/git-sync/git-sync:v3.2.2 ls -la /tmp
total 8
drwxrwxrwt 2 root root 4096 Jan 5 17:18 .
drwxr-xr-x 1 root root 4096 Jan 21 16:25 ..
Mount volume on /tmp/git: git-sync user can *NOT* write to /tmp/git:
# docker run --entrypoint="" -v emptyvol2:/tmp/git k8s.gcr.io/git-sync/git-sync:v3.2.2 ls -la /tmp
total 12
drwxrwxrwt 1 root root 4096 Jan 21 16:26 .
drwxr-xr-x 1 root root 4096 Jan 21 16:26 ..
drwxr-xr-x 2 root root 4096 Jan 21 16:26 git
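The three docker cases quoted above and the sticky-bit symlink caveat from the original post, as an added example in Python (not git-sync's own code): it parses the `ls -la` output shown in the thread and answers the two questions the thread raises, whether the git-sync user can write the clone target, and whether root can follow the checked-out symlink. The listings are constructed from the quoted outputs, and the symlink rule assumes fs.protected_symlinks=1 on the host.

```python
# Added example (not git-sync's own code): preflight check for the docker cases
# above and the sticky-bit symlink caveat. Listings are constructed from the
# quoted outputs; the symlink rule assumes fs.protected_symlinks=1 (Linux default).
import re
from dataclasses import dataclass

# ls -la fields: mode, links, owner, group, size, month, day, time, name
LS_LINE = re.compile(
    r"^([dl-][rwxsStT-]{9})\s+\d+\s+(\S+)\s+(\S+)\s+\d+\s+\S+\s+\d+\s+\S+\s+(.+)$")

@dataclass
class Entry:
    mode: str   # e.g. "drwxrwxrwt": [1:4] owner, [4:7] group, [7:10] other bits
    owner: str
    group: str
    name: str

def parse_ls(text):
    """Map name -> Entry for each 'ls -la' line, skipping the 'total N' line."""
    entries = {}
    for line in text.strip().splitlines():
        m = LS_LINE.match(line.strip())
        if m:
            entries[m.group(4)] = Entry(*m.groups())
    return entries

def can_write(e, user, groups):
    """POSIX write check; the sticky bit does not block creating new entries."""
    if user == e.owner:
        return e.mode[2] == "w"
    if e.group in groups:
        return e.mode[5] == "w"
    return e.mode[8] == "w"

def clone_target_writable(listing, user, groups, target="git"):
    """Cases 1/2: target absent, so the clone needs write on '.'; case 3: docker
    pre-created target as root, so the check applies to that entry."""
    entries = parse_ls(listing)
    return can_write(entries.get(target, entries["."]), user, groups)

def symlink_followable(parent, link, follower):
    """fs.protected_symlinks: inside a sticky, world-writable directory a link is
    followed only by its owner, or when the directory owner also owns the link."""
    if not (parent.mode[9] in "tT" and parent.mode[8] == "w"):
        return True
    return follower == link.owner or parent.owner == link.owner

TMP_CASE1 = "drwxrwxrwt 1 root root 4096 Jan 5 17:18 .\ndrwxr-xr-x 1 root root 4096 Jan 21 16:24 .."
TMP_CASE3 = TMP_CASE1 + "\ndrwxr-xr-x 2 root root 4096 Jan 21 16:26 git"
GIT_SYNC = ("git-sync", {"65533"})  # user and numeric group seen in the listing
```

Running `clone_target_writable(TMP_CASE3, *GIT_SYNC)` reproduces the "Permission denied" case, while a SYMLINK owned by git-sync inside the sticky /tmp is reported as not followable by root.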
It's also important to remember that Docker volumes, when mounted/filled for the first time, will take the ownership of the directory being mounted to. So, if
Thanks. I think that's OP's point (and I did not know that was a feature), but it is in conflict with a different goal (not defaulting the root flag). But I think I have a compromise answer. Doing some tests and will post back.
The problem with mounting a volume on /tmp is that it makes that volume world-writable in the host, which is probably not a great idea.
Thanks for looking into this!
As a side note on that: actually, I wouldn't see a reason to be able to set this directory at all. A user obviously will have to use some mount anyways. That mount will always have to be related to the root setting. So, why not force the user to use one exact root directory of your choice? It would make configuration somewhat simpler. (But I'm a total newbie on Docker, so I might miss something blatantly obvious, here...)
And it sets the "sticky bit" on the volume, such that the root user will not be allowed to follow the symlink anymore! See https://stackoverflow.com/a/26497532
I don't exclusively run this in a docker image. E.g. for testing I will run it directly, and it is super valuable to be able to run it against temporary directories. What I am exploring now is how to make the binary non-opinionated, but the container image define a default root dir. I think I know how to do that, but am exploring all the combinations of knobs and documenting them a bit. Ideally, when you run the container image you mount your volume at a specific place and are done. You should not need to mess with the flag. I'm not super enamored with
Take a look at #329 - see if it does what you need.
Sounds like it should. I am not sure how to build and test this. But it looks like you know exactly what you're doing, so I'm confident it's the right thing. 👍 I also like the detailed documentation!
Note added to the original post: This will not fix the cause you lined out in #245. If we bind-mount a non-existing folder from the host system (even onto /tmp as in the workaround), the permission will still be denied by the host system. But as you said, there is nothing we can do about that.