
Permission issues using the docker image with podman #411

Open
marcalff opened this issue Oct 15, 2024 · 8 comments
Assignees
Labels
bug Something isn't working docker Pull requests that update Docker code help wanted Extra attention is needed

Comments

@marcalff
Member

I am trying to migrate opentelemetry-cpp to use weaver.

To do this, I am using the docker image, and looked at the scripts used in opentelemetry-rust as an example.

Using this:

# SELINUX
# https://docs.docker.com/storage/bind-mounts/#configure-the-selinux-label

# Expected to be set by the calling script: SCRIPT_DIR, ROOT_DIR, WEAVER_VERSION_TAG, INCUBATING_DIR
USE_MOUNT_OPTION=""

if [ -x "$(command -v getenforce)" ]; then
  SELINUXSTATUS=$(getenforce)
  if [ "${SELINUXSTATUS}" = "Enforcing" ]; then
    echo "Detected SELINUX"
    # relabel the bind mounts so the container may access them under SELinux
    USE_MOUNT_OPTION=":z"
  fi
fi

# generate <target> <output> <filter>: run weaver in the container against the
# semconv model, writing into ${ROOT_DIR}/wip on the host
generate() {
  TARGET=$1
  OUTPUT=$2
  FILTER=$3
  docker run --rm \
    -v "${SCRIPT_DIR}/semantic-conventions/model:/source${USE_MOUNT_OPTION}" \
    -v "${SCRIPT_DIR}/templates:/templates${USE_MOUNT_OPTION}" \
    -v "${ROOT_DIR}/wip/:/output${USE_MOUNT_OPTION}" \
    "otel/weaver:${WEAVER_VERSION_TAG}" \
    registry \
    generate \
    --registry=/source \
    --templates=/templates \
    "${TARGET}" \
    "/output/${TARGET}" \
    --param "output=${OUTPUT}" \
    --param "filter=${FILTER}"
}

# stable attributes and metrics
mkdir -p "${ROOT_DIR}/wip/attributes"
mkdir -p "${ROOT_DIR}/wip/metrics"
generate "./" "./" "stable"

# incubating (any stability) attributes and metrics
mkdir -p "${ROOT_DIR}/wip/${INCUBATING_DIR}/attributes"
mkdir -p "${ROOT_DIR}/wip/${INCUBATING_DIR}/metrics"
generate "./" "./${INCUBATING_DIR}/" "any"

I get:

Detected SELINUX
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
✔ `main` semconv registry `/source` loaded (151 files)
✔ No `before_resolution` policy violation
✔ `default` semconv registry resolved

Diagnostic report:

  × Writing of the generated code /output/././attributes/client_attributes.h
  │ failed: Permission denied (os error 13)
...

This is because the docker command cannot write to the ${ROOT_DIR}/wip/attributes directory, which is owned by my user account (malff).

Doing a chmod to allow everyone to write there allows files to be written, but then they have a different ownership.

When using the docker image for build-tools, the image did write files owned by my own account, and I did not have to open permissions or adjust file ownership; it just worked.

I am NOT willing to add a chmod o+w just to make the script pass, so this is blocking.

How can I use weaver with docker, to generate files with the proper file ownership?

@lquerel
Contributor

lquerel commented Oct 15, 2024

I believe the following documentation explains how to set up an environment similar to the one you’re describing. Please let me know if it doesn’t work for you. Thanks!

https://github.com/open-telemetry/weaver/blob/main/docs/docker-guide.md

@marcalff
Member Author

marcalff commented Oct 15, 2024

Bonjour Laurent.

I also tried using:

-u $(id -u ${USER}):$(id -g ${USER})

but the docker image still wrote files with a different user, this did not work.

My UID:GID is 1000:1000 locally; the docker image creates files with 100999:100999,
even when invoking docker with --user 1000:1000.

The doc also mentions:

        --mount 'type=bind,source=$(HOME)/.weaver,target=/tmp/weaver/.weaver' \
        --mount 'type=bind,source=$(PWD)/templates,target=/home/weaver/templates,readonly' \
        --mount 'type=bind,source=$(PWD)/src,target=/home/weaver/target' \

This does not work for SELinux, which is why I used:

    -v ${SCRIPT_DIR}/semantic-conventions/model:/source${USE_MOUNT_OPTION} \

with USE_MOUNT_OPTION being :z

Ref: https://docs.docker.com/engine/storage/bind-mounts/

@lquerel
Contributor

lquerel commented Oct 15, 2024

Bonjour Marc! Let me loop in @jsuereth on this thread. I recall him mentioning a workaround for SELinux, but I don’t remember the exact trick.

@marcalff
Member Author

marcalff commented Oct 16, 2024

The SELinux part is solved, I mentioned it because what is in the doc does not work for SELinux.

To clarify, I am using podman instead of docker.

Running with:

podman --user 0:0 ...

actually creates files using my own local account (malff, 1000:1000), without the need to use chmod.

[malff@malff-desktop ~]$ which docker
/usr/bin/docker
[malff@malff-desktop ~]$ docker --version
Emulate Docker CLI using podman. Create /etc/containers/nodocker to quiet msg.
podman version 4.9.4-rhel

@marcalff marcalff changed the title Permission issues using the docker image Permission issues using the docker image with podman Oct 16, 2024
@jsuereth jsuereth self-assigned this Oct 16, 2024
@jsuereth
Contributor

I think we will update the docs to have recommendations for SELinux users. I didn't include them earlier because the :z option on -v volume mounts came with a load of caveats and concerning comments in docker docs, but I believe it's the ONLY option to support SELinux today. I found a still-open issue to that effect on Docker itself.

Thanks for calling this out!

@marcalff
Member Author

Thanks @jsuereth

I was affected by 2 issues:

  • SELinux, having to use -v with :z, as you mentioned,
  • podman, for which --user ${UID}:${GID} does not work; I had to use --user 0:0 instead.

I am mostly concerned about the second, because I do not know how to write a script that will work for both docker and podman, to be checked in the opentelemetry-cpp repository.

@michaelsafyan

Ran into a similar issue while using make check-policies in the Semantic Conventions repo...

It causes a failure like this:

docker run --rm \
        --mount 'type=bind,source=/usr/local/google/home/michaelsafyan/Code/github/michaelsafyan/open-telemetry.semantic-conventions/policies,target=/home/weaver/policies,readonly' \
        --mount 'type=bind,source=/usr/local/google/home/michaelsafyan/Code/github/michaelsafyan/open-telemetry.semantic-conventions/model,target=/home/weaver/source,readonly' \
        docker.io/otel/weaver:v0.10.0 registry check \
        --registry=/home/weaver/source \
        --baseline-registry=https://github.com/open-telemetry/semantic-conventions/archive/refs/tags/v1.28.0.zip[model] \
        --policy=/home/weaver/policies
Trying to pull docker.io/otel/weaver:v0.10.0...
Getting image source signatures
Copying blob 0a6f77e95531 done   | 
Copying blob 43c4264eed91 done   | 
Copying blob 4b615ad333f2 done   | 
Copying blob bf5085879421 done   | 
Copying blob 4f4fb700ef54 skipped: already exists  
Copying config 97b4bfce55 done   | 
Writing manifest to image destination
Weaver Registry Check
⠴ Checking registry `/home/weaver/source`
Diagnostic report:

  × The following error occurred during the processing of semantic convention
  │ file: IO error for operation on /home/weaver/source: Permission denied (os
  │ error 13)

I am using podman-is-docker, so any command running docker is actually running podman. This is in an environment with SELinux enabled.

@jsuereth
Contributor

Just coming back to this:

It seems like with podman and SELinux the only option is the following:

  • Run as root:root (i.e. --user 0:0)
  • use -v with :Z SELinux support when mounting directories.

Given the abysmal state of Docker around SELinux and filesystem mounting options, I'm not sure we have any other recourse here.

A few things to try:

  1. this flag: --userns=keep-id
  2. this flag: --uidmap=$(id -u $USER):${WEAVER_UID} --gidmap=$(id -g $USER):${WEAVER_GID}. (Note we can force weaver's UID:GID to known values for this going forward if it works).
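A script that picks the right `docker run` flags for both engines, as an added example (not from the weaver project or anyone in this thread). It serves marcalff's question of one script that works for docker and podman as well as the options listed above, encoding what the thread reports (`:Z` relabel under SELinux enforcing, `--user 0:0` under rootless podman, host uid:gid under Docker); it assumes the caller sets MODEL_DIR, TEMPLATES_DIR, OUTPUT_DIR and WEAVER_VERSION_TAG, and the detection helpers take command output as arguments so they can be exercised offline.

```shell
# Added example, not from the weaver project or this thread's authors.
# Builds `docker run` flags so files generated into /output are owned by the
# invoking host user, for Docker and rootless podman, with or without SELinux.
# Assumed caller-provided (labelled placeholders): MODEL_DIR, TEMPLATES_DIR,
# OUTPUT_DIR, WEAVER_VERSION_TAG.
set -eu

# "podman" when the docker CLI is the podman shim, otherwise "docker".
# Takes the `docker --version` text as an argument so it can be tested offline.
container_engine_from_version() {
  case "$1" in
    *podman*) echo "podman" ;;
    *)        echo "docker" ;;
  esac
}

# SELinux enforcing needs a relabel suffix on bind mounts (:Z private label;
# the thread's script used the shared :z variant). Takes `getenforce` output.
mount_suffix_for_selinux() {
  case "$1" in
    Enforcing) echo ":Z" ;;
    *)         echo "" ;;
  esac
}

# Docker: run as the host uid:gid. Rootless podman: container root maps to the
# invoking user, so --user 0:0 is what yields host-owned files (as reported
# above); --user 1000:1000 would land in the subordinate UID range instead.
user_flags_for_engine() {
  case "$1" in
    podman) echo "--user 0:0" ;;
    *)      echo "--user $2:$3" ;;
  esac
}

# Assemble the argument list as a string (printed, not executed).
build_run_args() {
  z=$(mount_suffix_for_selinux "$2")
  printf 'run --rm %s -v %s:/source%s -v %s:/templates%s -v %s:/output%s otel/weaver:%s\n' \
    "$(user_flags_for_engine "$1" "$3" "$4")" \
    "${MODEL_DIR:-./model}" "$z" "${TEMPLATES_DIR:-./templates}" "$z" \
    "${OUTPUT_DIR:-./wip}" "$z" "${WEAVER_VERSION_TAG:-latest}"
}
# Live detection on this host; degrades to "docker"/"Disabled" if tools are absent.
if [ "${1:-}" = "--detect" ]; then
  ver=$(docker --version 2>&1 || true)
  enf=$(command -v getenforce >/dev/null 2>&1 && getenforce || echo Disabled)
  build_run_args "$(container_engine_from_version "$ver")" "$enf" "$(id -u)" "$(id -g)"
fi
```

Run with `--detect` to print the flags for the current host, then prefix the output with `docker` to execute it.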

@jsuereth jsuereth added bug Something isn't working help wanted Extra attention is needed docker Pull requests that update Docker code labels Nov 25, 2024