Comments (6)
Hey @lanquarden, thanks for reporting this. I definitely agree that /dev/null should have 666 permissions. Weird thing is that I am able to reproduce this on one machine, but on another machine I cannot, i.e. installing the machine1 with Ubuntu Jammy works successfully. In the successful install, /dev/null has 660 permissions. So, it makes me think that there's possibly an environmental issue external to vagrant that is causing issues. I'm definitely not certain though. I will continue to investigate and update here.
from hook.
Maybe the issue resides in apt update; these commands are invoked with root user so it shouldn't complain about the 660 permission, unless apt is running some parts as a different user... Maybe this behavior is linked to the environment somehow. I didn't explore that route as I had found a workaround.
@jacobweinstock we run into the same with EKS Anywhere (we opened an AWS case as well as we have EKS-A Subscription).
In fact, @lanquarden is right and by default apt is using the _apt user for calling out to apt-key (and to many other "sandboxed" tasks like downloading a package etc.) that would write to /dev/null.
The main issue here is that with the current hook kernel, when you mount /dev with devtmpfs, /dev/null gets created with 0660 (and this happens inside the cexec container as well thanks to this):
While using Ubuntu 22.04 for example it gets 0666:
root@kls107:~# mkdir /mnt/dev
root@kls107:~# mount -r -t devtmpfs none /mnt/dev
root@kls107:~# ll /mnt/dev/null
crw-rw-rw- 1 root root 1, 3 Feb 6 09:29 /mnt/dev/null
root@kls107:~# mount|grep /mnt/dev
none on /mnt/dev type devtmpfs (ro,relatime,size=65716676k,nr_inodes=16429169,mode=755,inode64)
root@kls107:~#
We would love to get a fix (or any applicable workaround that does not require custom build cexec container/hook os) into EKS Anywhere.
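The failure mode described above (apt dropping to the unprivileged _apt user, which then cannot open a 0660 /dev/null) can be caught before apt runs. The following preflight check is an added example, not code from the hook or cexec projects or from anyone in this thread; it assumes GNU coreutils `stat` (Linux) and that the caller decides what to do when the check fails.

```shell
#!/bin/sh
# Added example (not from the hook/cexec projects): verify that a device node
# such as /dev/null is a character device that is world read/write (0666).
# apt runs sandboxed steps (apt-key, downloads) as the _apt user; with a
# devtmpfs-created /dev/null of 0660 those steps fail even though apt itself
# was started as root. Assumes GNU stat (Linux), as used inside hook/cexec.

# Return 0 if an octal mode string grants read+write to "other", i.e. the last
# digit has both the 4 (read) and 2 (write) bits set; accepts 3- or 4-digit modes.
mode_is_world_rw() {
    last_digit=$(printf '%s' "$1" | sed 's/.*\(.\)$/\1/')
    case $last_digit in
        6|7) return 0 ;;
        *)   return 1 ;;
    esac
}

# Print the permission bits of a path as octal (e.g. 666), using GNU stat.
path_mode() {
    stat -c '%a' "$1"
}

# Return 0 if $1 (default /dev/null) is a character device with world
# read/write bits; otherwise print a diagnostic on stderr and return 1.
check_dev_null() {
    node=${1:-/dev/null}
    if [ ! -c "$node" ]; then
        echo "$node is not a character device" >&2
        return 1
    fi
    mode=$(path_mode "$node")
    if mode_is_world_rw "$mode"; then
        return 0
    fi
    echo "$node has mode $mode; unprivileged users such as _apt cannot write to it (expected 666)" >&2
    return 1
}

# Typical use in an action script, before running apt:
#   check_dev_null /dev/null || { echo "refusing to run apt" >&2; exit 1; }
```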
I've sent a PR to cexec that implements a "harmless workaround" and allows the call of apt update in the following way:
CMD_LINE: echo 'nameserver IPOFYOURNAMESERVER' > /etc/resolv.conf && export NEEDRESTART_SUSPEND=true && apt -y update && apt install -y nfs-common open-iscsi....
Hey @lanquarden and @Cajga, this PR should resolve this: #200. Once it's landed, or before if you want to build from my branch, would you mind testing to validate it's working for you both?
@jacobweinstock , thank you for the quick fix.
I can confirm that using the hook image fixed the /dev/* permissions inside hook. I can also confirm that /dev/null has 0666 permissions inside the chrooted cexec action (this surprised me as it is mounting devtmpfs (that had permission issues) instead of bind mounting /dev from hook).