From dedee27a31dd6331204e5c022f485271836e5d0c Mon Sep 17 00:00:00 2001
From: David
Date: Fri, 26 Jul 2024 20:14:52 +0200
Subject: [PATCH] fix!: oci perms

existing users of config.copyToRoot quite likely need to hove the contents of this key to setup = [];
- config.copyToRoot may prime the nix2container permission cache with a parent folder (e.g. /bin) and conflicting permissions'
---
 src/lib/ops/mkOCI.nix | 40 +++++++++++++++++++----------------
 src/lib/ops/mkSetup.nix | 3 +--
 src/lib/ops/mkStandardOCI.nix | 24 ++++++++-------------
 3 files changed, 32 insertions(+), 35 deletions(-)

diff --git a/src/lib/ops/mkOCI.nix b/src/lib/ops/mkOCI.nix
index 46c39e1f..d3a6747f 100644
--- a/src/lib/ops/mkOCI.nix
+++ b/src/lib/ops/mkOCI.nix
@@ -32,6 +32,7 @@ in
 then l.head meta.tags
 else null,
 setup ? [],
+ extraSetupLinks ? "",
 layers ? [],
 runtimeInputs ? [],
 uid ? "65534",
@@ -45,8 +46,20 @@ in
 setupLinks = cell.ops.mkSetup "links" [] ''
 mkdir -p $out/bin
 ln -s ${l.getExe entrypoint} $out/bin/entrypoint
+ ${extraSetupLinks}
 '';

+ root = nixpkgs.buildEnv {
+ name = "root";
+ paths =
+ setup
+ ++ [
+ # trick `buildEnv` and prevent the $out`/bin` to be a symlink
+ (nixpkgs.runCommand "setupDirs" {} "mkdir -p $out/bin")
+ setupLinks
+ ];
+ };
+
 image =
 l.throwIf (args ? tag && meta ? tags)
 "mkOCI/mkStandardOCI/mkDevOCI: use of `tag` and `meta.tags` arguments are not supported together. Remove the former."
@@ -73,23 +86,7 @@ in
 ++ layers;
 maxLayers = 25;

- copyToRoot =
- [
- (nixpkgs.buildEnv {
- name = "root";
- paths =
- setup
- ++ [
- # trick `buildEnv` and prevent the $out`/bin` to be a symlink
- (nixpkgs.runCommand "setupDirs" {}
- ''
- mkdir -p $out/bin
- '')
- setupLinks
- ];
- })
- ]
- ++ options.copyToRoot or [];
+ copyToRoot = [root] ++ options.copyToRoot or [];

 config = l.recursiveUpdate config {
 User = uid;
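Review bot: The new `extraSetupLinks ? ""` argument is undocumented, and unlike its neighbours its value does not end up in the image config but inside a build script (it is interpolated into the `links` setup script in the next hunk). A one-line comment on the parameter would tell callers what they are handing over, e.g. `# shell fragment appended to the "links" setup script; runs at build time after the entrypoint symlink is created`. The argument set this line belongs to starts outside the hunk.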
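Review bot: The comment on the `setupDirs` element of `root` is hard to parse ("prevent the $out`/bin` to be a symlink"), and since `root` is now a named binding that the perms rewrite later refers to, its reason for existing deserves a clear sentence: `# force $out/bin to be a real directory: buildEnv would otherwise symlink a directory that only one input provides straight into that input`. In the same hunk, `${extraSetupLinks}` is spliced verbatim into the setup script, so a trailing note such as `# caller-supplied shell, see extraSetupLinks` next to it would save the next reader a lookup. The `let` binding list this sits in continues on both sides of the hunk.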
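Review bot: `options.copyToRoot` is still accepted silently on the new `copyToRoot = [root] ++ options.copyToRoot or [];` line, although the commit message states that callers using it most likely need to move those derivations into `setup` because a copyToRoot entry can prime nix2container's permission cache with a parent folder and conflicting permissions. A `fix!` that does not surface this at evaluation time leaves existing callers with images whose file modes may differ from what their perms entries say, and no hint why. Wrapping the expression as `copyToRoot = l.warnIf (options ? copyToRoot) "mkOCI: options.copyToRoot may conflict with setup perms; move these derivations to setup" ([root] ++ options.copyToRoot or []);` (or `l.throwIf`, if the break is meant to be hard) would make the migration visible. The enclosing `image` attribute set continues outside the hunk.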
@@ -99,7 +96,14 @@ in
 };

 # Setup tasks can include permissions via the passthru.perms attribute
- perms = l.flatten ((l.map (s: l.optionalAttrs (s ? passthru && s.passthru ? perms) s.passthru.perms)) setup) ++ perms;
+ perms =
+ l.flatten ((l.map (
+ s:
+ l.optionals (s ? passthru && s.passthru ? perms)
+ (l.map (p: p // {path = root;}) s.passthru.perms)
+ ))
+ setup)
+ ++ perms;
 }
 );
 in let
diff --git a/src/lib/ops/mkSetup.nix b/src/lib/ops/mkSetup.nix
index 0d262d4e..2933e7c2 100644
--- a/src/lib/ops/mkSetup.nix
+++ b/src/lib/ops/mkSetup.nix
@@ -15,7 +15,6 @@ in
 */
 name: perms: contents: let
 setup = nixpkgs.runCommand "oci-setup-${name}" {} contents;
- perms' = l.map (p: p // {path = setup;}) perms;
 in
 setup
- // l.optionalAttrs (perms != []) {passthru.perms = perms';}
+ // l.optionalAttrs (perms != []) {passthru = {inherit perms;};}
diff --git a/src/lib/ops/mkStandardOCI.nix b/src/lib/ops/mkStandardOCI.nix
index 1096be15..eba52780 100644
--- a/src/lib/ops/mkStandardOCI.nix
+++ b/src/lib/ops/mkStandardOCI.nix
@@ -73,19 +73,12 @@ in
 else operable;
 inherit (nixpkgs.dockerTools) caCertificates;

- setupLinks =
- cell.ops.mkSetup "links" [
- {
- regex = "/bin";
- mode = "0555";
- }
- ] ''
- mkdir -p $out/bin
- ${runtimeEntryLink}
- ${debugEntryLink}
- ${livenessLink}
- ${readinessLink}
- '';
+ extraSetupLinks = ''
+ ${runtimeEntryLink}
+ ${debugEntryLink}
+ ${livenessLink}
+ ${readinessLink}
+ '';

 users = cell.ops.mkUser {
 inherit uid gid;
@@ -128,8 +121,9 @@ in
 ++ (l.optionals hasReadinessProbe [(nix2container.buildLayer {deps = [readinessProbe];})]);
 })
 ];
- setup = prepend [setupLinks users nss];
- options.copyToRoot = append [tmp caCertificates];
+ setup = prepend [users nss caCertificates];
+ inherit extraSetupLinks;
+ options.copyToRoot = append [tmp];
 perms = prepend [
 {
 path = tmp;
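Review bot: `p // {path = root;}` unconditionally overrides any `path` a setup task put into its own `passthru.perms`, and, more consequentially, every task's `regex` is now matched against the merged `root` env instead of that task's own derivation, so a regex contributed by one task now sets the mode of files that other tasks or `setupLinks` placed under the same directory. That widening is presumably intended (one permission cache key per root), but neither the hunk nor the surviving comment says so; the `# Setup tasks can include permissions via the passthru.perms attribute` comment should add that each entry is re-pointed at the merged root and that a task's regex therefore spans all setup contents. The caller-supplied `perms` appended by the trailing `++ perms` are not rewritten and keep their own `path`, which belongs in the same comment. The enclosing attribute set starts outside the hunk.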
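Review bot: After this change a setup derivation's `passthru.perms` entries no longer carry a `path`, so they only become usable once mkOCI fills it in; anything that hands such a derivation or its perms straight to nix2container now sees path-less entries, which is a silent interface change for a `fix!` commit. The doc comment that closes at `*/` just above the hunk should say that `perms` entries are relative to the merged root that mkOCI builds and that `path` is assigned by mkOCI, not here. A one-line note beside `{passthru = {inherit perms;};}` such as `# no path on purpose: mkOCI re-points every entry at the merged root env` would keep the next reader from re-adding `setup` as the path. The function's doc comment itself lies outside the hunk.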
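Review bot: The removed `setupLinks` carried a permission entry `regex = "/bin"; mode = "0555";` and the `extraSetupLinks` string that replaces it carries none, while the `links` setup that mkOCI now builds from it is created with an empty perms list, so nothing visible in this file's two hunks carries a read-only mode for `/bin` forward. Because the merged root is itself a store path, its directories are presumably already read-only and the dropped entry may well have been a no-op, but that is exactly the kind of fact a `fix!` commit should state rather than leave to the reader; if dropping it is deliberate (the commit message suggests the `/bin` regex was the one priming the cache with a parent folder), a comment next to `extraSetupLinks = ''` saying so would suffice, and if not, the equivalent entry belongs in the `perms = prepend [` list in the last hunk, which is now matched against the merged root. That `perms` list continues outside the hunk.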