-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Phase out overwriting of image's HOME variable. Remove /tekton/home. #2013
Comments
Adding a configmap field to allow the HOME overwrite to be disabled: https://github.com/tektoncd/pipeline/compare/master...sbwsg:opt-out-home-overwrite?expand=1 |
Thanks for doing this! This has been very annoying for Java people on Knative and GCB, because almost all the time, most Java applications get the genuine, actual user home through a platform-independent way that does not read After all, changing the Yet, Tekton auth supplies a Docker config file at That said, I am actually more interested in where Tekton will create the But I should say I don't like having to deal with the inconsistency between the actual home and the value of |
What's the answer going forward, when the flag is set or not set? |
With this new flag Tekton will no longer interfere with HOME - it will be whatever you expect it to be when the container runs in a Pod. Previously $HOME would have been set to /tekton/home but now it won't be. So I would expect |
Moving this issue over to next milestone. In the next release we plan to flip the behaviour of the feature flag so that Tekton no longer overwrites the HOME environment variable by default. |
This doesn't seem true. I think we are not ready to flip the |
It sounds like the HOME env var isn't set at all by the image in that case. The go code for dockercreds simply does Edit: ran the latest creds-init image locally and I do get a HOME var of |
I think |
I've given some more thoughts on this core HOME issue. Before we can actually flip In most contexts (including ours), I think the notion of a user home is really a runtime one. An image may suggest a certain directory as a "home" and a certain UID/user as a running user, but runtime platforms (as well as user configurations) can override the "suggested user". The home will then be "determined" by the user running the container. For example, If I run an image as This actually matters to me, because I am trying to figure out how to fix a related problem on OpenShift, which runs images as a random UID. Not only on OpenShift, but users can also change the running user on Tekton (e.g., using So, the following quotes in the Tekton auth doc becomes ambiguous.
|
Another related issue?
This is a warning, so it doesn't break my task at least. |
I've written up a design doc covering the solution you proposed @chanseokoh of having a fixed directory. Doc is here: https://docs.google.com/document/d/1SVuDt-SXPHymz41dveSXFSPrx5Z-Wzb9eHliJAyYg4o I plan to present this to the tekton working group on Wednesday and will update my existing PR with any changes that get agreed on during that call. |
/reopen |
@sbwsg: Reopened this issue. In response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. |
Hello, "image-digest-exporter-d6kxs] 2020/08/21 08:55:40 unsuccessful cred copy: ".docker" from "/tekton/creds" to "/tekton/home": unable to open destination: open /tekton/home/.docker/config.json: permission denied" $ tkn version |
Hello, Same here
How can this get fixed Didier |
Could you explain a bit about what is broken? What is the Task you're trying to run and what are its Steps? What version of k8s and tekton are you running? What are the PipelineResources you've configured? What does the Pod look like after the TaskRun finishes? What is the incorrect observed behaviour of your PipelineRun or TaskRun? |
@sbwsg Scott, in the meantime since I wrote the above, I fixed my problem : see my comment in #2616 (comment). When I replaced 'docker.io' by 'index.docker.io' in the secret creation, the initial credential checks (before building) went ok. Then, I could build and push to Docker Hub. So, my problem is fixed. |
OK, thanks for the update! |
From owners meeting just now: next step is to loudly announce this upcoming change on the mailing list and slack. |
Prior to this commit Steps were given a default HOME env var and a default workingDir. These defaults collide with any value set by the Step's image Dockerfile. This commit removes the default home and workingDir overrides (except in those few cases where they're still expected, like PipelineResources). See https://groups.google.com/g/tekton-dev/c/C-PL8VYN51E/m/el5Fca_PDAAJ for our tekton-dev announcement of this change. See #1836 for the original problem description and workingDir tracking issue. See #2013 for the HOME change tracking issue. See https://github.com/tektoncd/pipeline/blob/main/docs/deprecations.md for our documented dates for these deprecations. See https://github.com/tektoncd/pipeline/blob/main/api_compatibility_policy.md#alpha-beta-and-ga for our beta deprecation policy. ,
@sbwsg Let me ask one thing to clarify my concern; do you intended to stop mounting The current implementation is the latter, but the the issue title "Remove /tekton/home." sounds implying former change to me. Lines 112 to 117 in f041ef5
|
@tmshn that's a very interesting question! I completely forgot that the issue title includes "Remove /tekton/home." And I didn't include a work item in the list at the top to remove the folder from our codebase. I expect that we will completely remove the |
Simply because some of the docker images do not have home directory properly set, and we need to take extra care to examine each images (maybe not so big blocking issue, though). For example, $ docker run --rm --entrypoint cat docker.io/alpine/git:v2.26.2@sha256:23618034b0be9205d9cc0846eb711b12ba4c9b468efdd8a59aac1d7b1a23363f /etc/passwd
root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/:/sbin/nologin |
Ahh I see. We will need to audit the catalog tasks that use our images to make sure we don't break any existing. For those tasks which would be broken we can manually add a |
That sound fine! |
because in the latest tekton pipeline the `HOME` env variable is not overridden by default (and in the future, not at all): tektoncd/pipeline#2013
because in the latest tekton pipeline the `HOME` env variable is not overridden by default (and in the future, not at all): tektoncd/pipeline#2013
Expected Behavior
Images with an expectation that HOME is set to something specific should work as intended.
Actual Behavior
Those images do not work as expected - Pipelines overwrites the HOME variable of an image with
/tekton/home
.See #1836 for the original report on this issue.
So the plan is as follows:
The text was updated successfully, but these errors were encountered: