dd-trace-rb
dd-trace-rb 1.21.0 LoadError failures when running under a different user
Current behaviour
- When the ddtrace gem is installed under a user (say userA).
- And the ruby app runs under a different user (say userB).
- Then LoadError errors are raised either during ddtracerb/ddprofrb execution or during requirement of a file included in the gem (such as require 'ddtrace/auto_instrument').
Expected behaviour
- ddtrace gem files should be available by default independently of the user that installed them, unless user-specified permissions dictate otherwise.
Steps to reproduce
- Dockerfile
FROM ruby:3.3
ARG ddtrace_version
WORKDIR /app
RUN echo "source 'https://rubygems.org'\n\ngem 'ddtrace', '$ddtrace_version'" >> gems.rb
RUN bundle install
CMD bundle exec ddtracerb -h
- Try with 1.20.0 and a made-up user/group id (different from the root user who ran the bundle install in the Dockerfile), you get the expected output of:
❯ docker run -u 502:20 -it $(docker build -q . --build-arg ddtrace_version=1.20.0)
Command '' is not valid for ddtrace.
Usage: ddtracerb [command] [arguments]
exec [command]: Executes command with tracing & profiling preloaded.
help: Prints this help message.
- Try with 1.21.0 with the same made-up user/group id:
❯ docker run -u 502:20 -it $(docker build -q . --build-arg ddtrace_version=1.21.0)
bundler: failed to load command: ddtracerb (/usr/local/bundle/bin/ddtracerb)
/usr/local/bundle/bin/ddtracerb:25:in `load': cannot load such file -- /usr/local/bundle/gems/ddtrace-1.21.0/bin/ddtracerb (LoadError)
from /usr/local/bundle/bin/ddtracerb:25:in `<top (required)>'
from /usr/local/lib/ruby/3.3.0/bundler/cli/exec.rb:58:in `load'
from /usr/local/lib/ruby/3.3.0/bundler/cli/exec.rb:58:in `kernel_load'
from /usr/local/lib/ruby/3.3.0/bundler/cli/exec.rb:23:in `run'
from /usr/local/lib/ruby/3.3.0/bundler/cli.rb:451:in `exec'
from /usr/local/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/command.rb:28:in `run'
from /usr/local/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/invocation.rb:127:in `invoke_command'
from /usr/local/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor.rb:527:in `dispatch'
from /usr/local/lib/ruby/3.3.0/bundler/cli.rb:34:in `dispatch'
from /usr/local/lib/ruby/3.3.0/bundler/vendor/thor/lib/thor/base.rb:584:in `start'
from /usr/local/lib/ruby/3.3.0/bundler/cli.rb:28:in `start'
from /usr/local/lib/ruby/gems/3.3.0/gems/bundler-2.5.3/exe/bundle:28:in `block in <top (required)>'
from /usr/local/lib/ruby/3.3.0/bundler/friendly_errors.rb:117:in `with_friendly_errors'
from /usr/local/lib/ruby/gems/3.3.0/gems/bundler-2.5.3/exe/bundle:20:in `<top (required)>'
from /usr/local/bin/bundle:25:in `load'
from /usr/local/bin/bundle:25:in `<main>'
If you check the file permissions of the contents of 1.20.0 vs 1.21.0 gems you see that 1.21.0 seems to be missing world readable permissions on all files:
alexandre.fonseca ~/Downloads/ddtrace-1.20.0
❯ ls -lah data/**/** | grep -vE '\.?\.$' | grep -E "(d|-)rw" | cut -d ' ' -f1 | sort | uniq -c
1565 -rw-r--r--
2 -rwxr-xr-x
226 drwxr-xr-x
alexandre.fonseca ~/Downloads/ddtrace-1.21.0
❯ ls -lah data/**/** | grep -vE '\.?\.$' | grep -E "(d|-)rw" | cut -d ' ' -f1 | sort | uniq -c
1567 -rw-r-----
4 -rwxr-x---
225 drwxr-xr-x
Manually adding the missing world readable permission works fine as a hotfix:
- Dockerfile
FROM ruby:3.3
ARG ddtrace_version
WORKDIR /app
RUN echo "source 'https://rubygems.org'\n\ngem 'ddtrace', '$ddtrace_version'" >> gems.rb
RUN bundle install
RUN chmod -R +r $(bundle show ddtrace) # <----- HOTFIX
CMD bundle exec ddtracerb
❯ docker run -u 502:20 -it $(docker build -q . --build-arg ddtrace_version=1.21.0)
WARNING: Use of `ddtracerb` is deprecated, and will be removed in 2.0. Use `ddprofrb` instead.
Command '' is not valid for ddtracerb.
Usage: ddprofrb [command] [arguments]
exec [command]: Executes command with profiling preloaded.
help: Prints this help message.
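A check for the condition described in this report, as an added example (not code from dd-trace-rb or from the reporter): it walks an installed gem directory and lists every entry that lacks the "other" read bit, or the read and search bits for directories. The function name `entries_not_world_readable` and the script name in the usage comment are hypothetical.

```ruby
require 'find'

# Mode bits "other" users need: read for files, read + search for directories.
OTHER_READ = 0o004
OTHER_READ_SEARCH = 0o005

# Walk an installed gem directory and return the entries that a user who is
# neither the owner nor in the owning group could not read.
# Returns an array of [relative_path, octal_mode_string], sorted by path.
def entries_not_world_readable(gem_root)
  root = File.expand_path(gem_root)
  findings = []
  Find.find(root) do |path|
    stat = File.lstat(path)
    next if stat.symlink? # symlink modes are not meaningful on Linux
    needed = stat.directory? ? OTHER_READ_SEARCH : OTHER_READ
    next if (stat.mode & needed) == needed
    rel = path == root ? '.' : path.delete_prefix(root + '/')
    findings << [rel, format('%04o', stat.mode & 0o7777)]
  end
  findings.sort
end

# Usage (hypothetical script name):
#   ruby audit_gem_perms.rb "$(bundle show ddtrace)"
# Exits non-zero when anything is unreadable, so it can gate an image build.
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  findings = entries_not_world_readable(ARGV[0])
  findings.each { |rel, mode| puts "#{mode} #{rel}" }
  exit(findings.empty? ? 0 : 1)
end
```

Run as a build step after `bundle install`, this fails the image build before the container is ever started under a non-root user.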