Wrong /dev/null permission making ubuntu jammy deployment impossible about hook HOT 6 CLOSED

Hey @lanquarden, thanks for reporting this. I definitely agree that /dev/null should have 666 permissions. Weird thing is that I am able to reproduce this on one machine, but on another machine I cannot. i.e. installing the machine1 with Ubuntu Jammy works successfully.
In the successful install, /dev/null has 660 permissions. So, it makes me think that there's possibly an environmental issue external to vagrant that is causing issues. I'm definitely not certain though. I will continue to investigate and update here.

from hook.

Maybe the issue resides in apt update, these commands are invoked with root user so it shouldn't complain about the 660 permission, unless apt is running some parts as a different user... Maybe this behavior is linked to the environment somehow. I didn't explore that route as I had found a workaround.

from hook.

@jacobweinstock we run into the same with EKS Anywhere (we opened an AWS case as well as we have EKS-A Subscription).

In fact, @lanquarden is right and by default apt is using the _apt user for calling out to apt-key (and to many other "sandboxed" tasks like downloading a package etc.) that would write to /dev/null.

The main issue here is that with the current hook kernel, when you mount /dev with devtmpfs /dev/null gets created with 0660 (and this happens inside the cexec container as well thanks to this):

While using Ubuntu 22.04 for example it gets 0666:

root@kls107:~# mkdir /mnt/dev
root@kls107:~# mount -r  -t devtmpfs none /mnt/dev
root@kls107:~# ll /mnt/dev/null
crw-rw-rw- 1 root root 1, 3 Feb  6 09:29 /mnt/dev/null
root@kls107:~# mount|grep /mnt/dev
none on /mnt/dev type devtmpfs (ro,relatime,size=65716676k,nr_inodes=16429169,mode=755,inode64)
root@kls107:~# 

We would love to get a fix (or any applicable workaround that does not require custom build cexec container/hook os) into EKS Anywhere.

from hook.

I've sent a PR to cexec that implements a "harmless workaround" and allows the call of apt update in the following way:

CMD_LINE: echo 'nameserver IPOFYOURNAMESERVER' > /etc/resolv.conf && export NEEDRESTART_SUSPEND=true && apt -y update && apt install -y nfs-common open-iscsi....

from hook.

Hey @lanquarden and @Cajga , this PR should resolve this. #200 . Once its landed, or before if you want to build from my branch, would you mind testing to validate its working for you both?

from hook.

@jacobweinstock , thank you for the quick fix.

I can confirm that using the hook image fixed the /dev/* permissions inside hook. I can also confirm that the /dev/null has 0666 permissions inside the chrooted cexec action ( this surprised me as it is mounting devtmpfs (that had permission issues) instead of bind mounting /dev from hook).

from hook.