`failed to open /.cntr/pid, Permission denied (os error 13)` when running `cntr exec` from inside a non-root systemd service
It appears that cntr creates a /.cntr directory (unsure if documented) with a cntr-exec binary (awesome, if the cntr you had prior is not in PATH since you got it from nix shell or something) as well as a pid. The pid is only accessible as root:
```
$ sudo cntr attach 49114 `which bash`
cntr$ ls -l /.cntr
total 1416
-r-xr-xr-x 1 root root 1444456 Mar 14 20:17 cntr-exec
-rw------- 1 root root       5 Mar 14 20:17 pid
cntr$ /.cntr/cntr-exec bash
failed to open /.cntr/pid, Permission denied (os error 13)
cntr$ /.cntr/cntr-exec -V
exec 1.5.4
```
This is kind of a problem if you are entering a rootless container. I am not sure why I didn't run into this while debugging nix builds via breakpointHook, but either way, this is somewhat of a bother.
The unit I entered, approximately (fill in the blanks, I don't believe I removed any exec relevant stuff):
```ini
[Unit]
Description=GHA runner for redacted
Requires=gha-cache-redacted.service
StartLimitIntervalSec=0

[Service]
Environment="HOME=/run/gha-slot-redacted-0"
# Environment=You can imagine the rest
BindPaths=%d:/secrets
EnvironmentFile=/etc/foobar-env
ExecStart=/nix/store/aaaaaaaaaaaaaaaaaaaa-github-runner-1.2.3.4/bin/Runner.Listener run --startuptype service
Group=nix-trusted-users
LoadCredential=stuff:/etc/credibility/stuff
LogsDirectory=gha-slot-redacted-0
Restart=on-success
RuntimeDirectory=gha-slot-redacted-0
StateDirectory=gha-slot-redacted-0
TimeoutStopSec=infinity
User=gha-slot-redacted-0

[Install]
WantedBy=multi-user.target
```
Interesting. It actually makes it world-readable https://github.com/Mic92/cntr/blob/d0ee249d14d744144352c17006742331c0435a3e/src/dotcntr.rs#L34
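Added example (not cntr's own code, and not the dotcntr.rs logic linked above): a small Rust routine that writes a pid file with an explicit world-readable mode and then verifies the mode that actually landed on disk, which is the check a non-root `cntr-exec` caller implicitly performs. The `mode()` passed to `OpenOptions` is masked by the process umask, so the example re-applies the mode with `set_permissions` (fchmod, which umask does not affect) after creation; whether umask is what produced the `-rw-------` seen in this issue is an assumption on my part, not something the thread establishes. The path under `temp_dir()` and the pid value 49114 are only sample inputs.

```rust
use std::fs::{self, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Intended mode for the pid file: readable by everyone, writable by the owner only.
pub const PID_FILE_MODE: u32 = 0o644;

/// Write `pid` to `path` and make sure the on-disk mode is exactly PID_FILE_MODE.
/// `OpenOptions::mode` is subject to the process umask (e.g. umask 077 turns
/// 0o644 into 0o600), so the mode is re-applied with fchmod after creation.
pub fn write_pid_file(path: &Path, pid: u32) -> io::Result<()> {
    let mut f = OpenOptions::new()
        .write(true)
        .create(true)
        .truncate(true)
        .mode(PID_FILE_MODE)
        .open(path)?;
    f.write_all(pid.to_string().as_bytes())?;
    // fchmod is not masked by umask, so this fixes up whatever open(2) produced.
    f.set_permissions(fs::Permissions::from_mode(PID_FILE_MODE))?;
    Ok(())
}

/// Permission bits of `path` (file-type bits stripped).
pub fn file_mode(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// The question a non-root reader of the file cares about: is the "other" read bit set?
pub fn world_readable(path: &Path) -> io::Result<bool> {
    Ok(file_mode(path)? & 0o004 != 0)
}

/// Parse the pid back, rejecting anything that is not a plain integer.
pub fn read_pid_file(path: &Path) -> io::Result<u32> {
    let s = fs::read_to_string(path)?;
    s.trim()
        .parse()
        .map_err(|e| io::Error::new(io::ErrorKind::InvalidData, e))
}

fn main() -> io::Result<()> {
    // Sample location, constructed for this example; cntr itself uses /.cntr/pid.
    let dir = std::env::temp_dir().join(format!("cntr-pid-example-{}", std::process::id()));
    fs::create_dir_all(&dir)?;
    let path = dir.join("pid");
    write_pid_file(&path, 49114)?;
    println!(
        "{} mode {:o} world_readable={} pid={}",
        path.display(),
        file_mode(&path)?,
        world_readable(&path)?,
        read_pid_file(&path)?
    );
    fs::remove_dir_all(&dir)?;
    Ok(())
}
```

Running it under `umask 077` still reports mode 644, which is the point: asserting the mode after creation rather than trusting the mode argument is what makes the file usable from an unprivileged `cntr-exec`.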
The fuse filesystem is no longer needed and cntr exec is now started outside of cntr attach, which makes the setuid binary obsolete.