-
Notifications
You must be signed in to change notification settings - Fork 699
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
S2i injection feature is broken on stock Ubuntu 20.04 LTS systems #1065
Comments
This is the most viable solution. Given that this is a bug that happens on Ubuntu, we should probably wire up a Github action to test this (our tests currently run in RHEL/UBI8 containers iirc). |
PS thank you @jperville for your thoroughly detailed bug report! |
Issues go stale after 90d of inactivity. Mark the issue as fresh by commenting If this issue is safe to close now please do so with /lifecycle stale |
/lifecycle frozen |
This bug is happening to me today. » s2i version
s2i v1.3.9 My builder Dockerfile: FROM python:3.11-slim as base
ARG S2IDIR="/s2i"
ARG APPDIR="/opt/program"
LABEL io.openshift.s2i.scripts-url="image://$S2IDIR/bin" \
io.openshift.s2i.destination="/tmp"
ENV PIP_NO_CACHE_DIR=off \
PIP_DISABLE_PIP_VERSION_CHECK=on \
PIP_DEFAULT_TIMEOUT=100 \
POETRY_PATH=/opt/poetry \
VENV_PATH=/opt/venv \
POETRY_VERSION=1.5.0 \
PYTHONUNBUFFERED=1 \
PYTHONDONTWRITEBYTECODE=1
ENV PATH="$POETRY_PATH/bin:$VENV_PATH/bin:$APPDIR:$PATH"
WORKDIR $APPDIR
FROM base as builder
RUN python3 -m pip install "poetry==$POETRY_VERSION" \
&& python3 -m venv $VENV_PATH
COPY poetry.lock pyproject.toml $APPDIR
RUN poetry export --without-hashes -o /tmp/requirements.txt \
&& $VENV_PATH/bin/pip install -r /tmp/requirements.txt
COPY . .
RUN poetry build && $VENV_PATH/bin/pip install dist/*.whl
FROM base as final
COPY .s2i $S2IDIR
COPY --from=builder $VENV_PATH $VENV_PATH the error happens when I'm trying to run error message is the same as OP:
Sorry, but why @coreydaley's fix from October last year was not merged? I'm still trying to figure out solutions to this issue, I tried:
|
A successful workaround for me was to include the following line by the end of my
This removes inplace the line |
Is this a feature request or bug?
/kind bug
What went wrong?
On Ubuntu 20.04 system, I cannot build a docker image which uses the injection feature.
It used to work on Ubuntu < 20.04 and still works on CentOS 7.x systems.
This bug has already been reported as #1006 but was closed for lifecycle/rotten.
This bug report should have all the information to reproduce, workaround and fix the issue.
Steps to reproduce:
Run this on fresh Ubuntu 20.04 system with docker installed (
sudo apt-get install docker.io
).Attention: do not tweak the default value of the
fs.protected_regular
sysctl, which should be1
.docker pull quay.io/centos7/ruby-27-centos7
echo hello > file.txt
s2i build https://github.com/openshift/ruby-hello-world.git quay.io/centos7/ruby-27-centos7 my-hello-world:xxx --inject $PWD/file.txt:/bug.txt
(fails)echo $?
(displays 1)Expected results:
I expect the image to build successfully.
Actual results:
The image fails to build, with the following error message at the end:
Version:
s2i:
s2i v1.3.1
docker:
Additional info:
The bug happens on stock Ubuntu 20.04 LTS system.
It does not happen on Centos 7.x or on Ubuntu 14.04 systems that I have access to.
The reason is that on Ubuntu 20.04 LTS
sudo sysctl fs.protected_regular=1
is the default,which (according to https://unix.stackexchange.com/questions/503111/group-permissions-for-root-not-working-in-tmp ) restricts the permissions under
/tmp
and in particular prevents s2i from truncating the/tmp/rm-injections
file inside the container despite that file being writable by everyone (chmod 0666
).At the end of the s2i assemble phase, s2i will try to truncate the
/tmp/rm-injections
file, which has mode0666
(writable by everyone). This file is owned by user1000:1000
while thes2i assemble
user has uid1001:1001
. The assemble user is then denied the right to truncate the/tmp/rm-injections
file, despite that file being world-writable.Here is to reproduce the problem with a simple busybox container:
We see that if the run the same command creating the xxx file in
/var
instead of/tmp
it works:If we force
sudo sysctl fs.protected_regular=0
in the first example it works again:To workaround this issue I had to:
sudo sysctl fs.protected_regular=0
(in a/etc/sysctl.d
file) (best workaround)s2i
binary withsed -i -e s:tmp/rm-injections:var/rm-injections:g
(giant hack)To fix the issue properly, I suggest either:
/tmp/rm-injections
file outside of/tmp
rmInjectionsScript
insource-to-image/pkg/build/strategies/sti/sti.go
Line 35 in 30d81a9
/var/rm-injections
./etc/sysctl.d
entry withfs.protected_regular=0
on Ubuntu 20.04 and more recent systems.The text was updated successfully, but these errors were encountered: