Call getpwuid only after chroot is set #3742
Can you add a reference to the commit/PR which caused the regression (so it is easier to track and to figure out if this fix needs to be back-ported).
Yes, this needs to be back-ported. I labeled it as stable.
commit 53e2d24
The original intention of the change was to be sure shim vm has the same user, but let @shjala review that.
My only request is please add a proper commit message describing the problem and what exact commit this fix targets. Thanks.
While starting a cmd from the container rootfs, the initrd script tries to chroot to the rootfs and execute the cmd. The eve-specific chroot (chroot2.c) tries to set root to the container rootfs and execute the command:

    /chroot2 /mnt/rootfs $ug $pidfile $cmd

The issue here is that chroot2.c is calling getpwuid() on the userid even before setting chroot. That makes getpwuid() process the user id in the eve context rather than the user container context. This works fine with userid root, but for non-root users it fails since that user may not (will not) be present in the eve context. This fix moves the getpwuid() call after chroot().

Signed-off-by: Pramodh Pallapothu <pramodh@zededa.com>
da9b37e to 4e48fca
Updated the commit message
What is the grafana container mentioned in the PR description? I've tried to find it in the scripts and cannot find it... Should it even use this util? I think the use case should be discussed with @shjala.
Until now the only use case that I'm aware about is here:
eve/pkg/xen-tools/initrd/init-initrd, line 190 in 09aa0fe:
    eval /chroot2 /mnt/rootfs "${WORKDIR:-/}" $ug $pid_file $cmd 2>&1 | tee -i /dev/hvc0
I did not understand your comment. Customers can use any container image; grafana is just an app running in the container. It happens that it runs with a non-root userid. You can check alpha for that image if you are interested.
So, is it just a regular container Application deployed on a node?
Codecov Report: All modified and coverable lines are covered by tests ✅

Coverage Diff (master vs #3742):

              master     #3742     +/-
  Coverage    19.69%     19.72%    +0.02%
  Files       235        235
  Lines       51708      51708
  Hits        10185      10198     +13
  Misses      40782      40771     -11
  Partials    741        739       -2
Yes.
So, it means EVE has been failing to run any container App since 11.3.0... Wow. |
Another question: why our regression tests did not detect this problem... @uncleDecart, do you know whether we have any tests for the container-based apps? |
It's not that all containers fail to start. Only containers that run the apps with a non-root user do. Maybe most of the test cases run the apps in the container as the root user.
Kick off tests; @shjala should review before we merge this.
@OhmSpectator It was detected but Shah is busy this week with high-priority TPM issues: lf-edge/eden#944
Based on the discussion in lf-edge/eden#944 this fix is needed. |
There is a regression in a recent commit where getpwuid() was added before chroot is set. Due to that, any container which runs with a non-root userid will fail to start.
Testing done
Before this fix, the grafana container, which runs with user id 472, was failing to start. It works with this fix.
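The ordering bug described in the commit message and in the PR description above, as an added illustration that is not the project's chroot2.c: `lookup_uid()` resolves a uid against a passwd-format text the way getpwuid() would against whichever `/etc/passwd` the process currently sees, and `run_as_container_user()` shows the corrected sequence (chroot first, then the lookup, then drop privileges, then exec). The two passwd databases, the uid 472 / `grafana` entry and the function names are constructed for this example; the real helper also takes a `$ug` argument and a pidfile, which are not modelled here.

```c
#define _GNU_SOURCE
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Constructed sample databases (not taken from any real system): what getpwuid()
 * reads before chroot() (the host/eve passwd) and after it (the container's). */
static const char HOST_PASSWD[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "nobody:x:65534:65534:nobody:/:/sbin/nologin\n";
static const char CONTAINER_PASSWD[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "grafana:x:472:0:Linux User,,,:/home/grafana:/sbin/nologin\n";

/* Resolve a uid in a passwd-format text, the same record-by-record search that
 * getpwuid() performs on /etc/passwd of the root the process currently sees.
 * Returns 1 and copies the user name into name_out on success, 0 if absent. */
int lookup_uid(const char *passwd_text, uid_t uid, char *name_out, size_t cap)
{
    FILE *f = fmemopen((void *)passwd_text, strlen(passwd_text), "r");
    if (f == NULL)
        return 0;
    int found = 0;
    struct passwd *pw;
    while ((pw = fgetpwent(f)) != NULL) {
        if (pw->pw_uid == uid) {
            snprintf(name_out, cap, "%s", pw->pw_name);
            found = 1;
            break;
        }
    }
    fclose(f);
    return found;
}

/* Corrected ordering (hypothetical helper, not the project's code): enter the
 * container root first so the user lookup reads the container's passwd, then
 * drop to that user and exec.  Needs CAP_SYS_CHROOT, so it is not run below. */
int run_as_container_user(const char *rootfs, uid_t uid, char *const argv[])
{
    if (chroot(rootfs) != 0 || chdir("/") != 0) {
        perror("chroot");
        return -1;
    }
    struct passwd *pw = getpwuid(uid);   /* resolved inside the container now */
    if (pw == NULL) {
        fprintf(stderr, "uid %u is not present in the container passwd\n", (unsigned)uid);
        return -1;
    }
    if (setgid(pw->pw_gid) != 0 || setuid(pw->pw_uid) != 0) {
        perror("setuid/setgid");
        return -1;
    }
    execvp(argv[0], argv);
    perror("execvp");
    return -1;
}

int main(void)
{
    char name[64];
    /* Lookup done before chroot(): uid 472 is unknown to the host database. */
    printf("host   uid 472 -> %s\n",
           lookup_uid(HOST_PASSWD, 472, name, sizeof name) ? name : "(not found)");
    /* Lookup done after chroot(): the container database knows it as grafana. */
    printf("rootfs uid 472 -> %s\n",
           lookup_uid(CONTAINER_PASSWD, 472, name, sizeof name) ? name : "(not found)");
    return 0;
}
```

Run on its own the program prints the host lookup failing and the container lookup returning `grafana`, which is exactly the difference between the broken and fixed call order; root (uid 0) exists in both databases, which is why the regression went unnoticed for containers running as root.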