Fix extra driver permissions with jailer

Open jwilder opened this issue 3 years ago • 2 comments

When using the jailer config with a different uid/gid and more than one attached volume, the additional volumes are still owned by root, causing a permission error when the VM starts.

This chowns the extra volume files to the jailer config uid/gid.

Sample logs:

time="2022-03-05T18:36:48-07:00" level=info msg="Attaching drive rootfs.ext4, slot 1, root true."
time="2022-03-05T18:36:48-07:00" level=info msg="Attached drive rootfs.ext4: [PUT /drives/{drive_id}][204] putGuestDriveByIdNoContent "
time="2022-03-05T18:36:48-07:00" level=info msg="Attaching drive overlay.ext4, slot 2, root false."
2022-03-06T01:36:48.117232076 [9285e3caaef3:fc_api:ERROR:src/api_server/src/parsed_request.rs:174] Received Error. Status code: 400 Bad Request. Message: Unable to create the block device BackingFile(Os { code: 13, kind: PermissionDenied, message: "Permission denied" })
time="2022-03-05T18:36:48-07:00" level=error msg="Attach drive failed: overlay.ext4: [PUT /drives/{drive_id}][400] putGuestDriveByIdBadRequest  &{FaultMessage:Unable to create the block device BackingFile(Os { code: 13, kind: PermissionDenied, message: \"Permission denied\" })}"
time="2022-03-05T18:36:48-07:00" level=error msg="While attaching drive overlay.ext4, got error [PUT /drives/{drive_id}][400] putGuestDriveByIdBadRequest  &{FaultMessage:Unable to create the block device BackingFile(Os { code: 13, kind: PermissionDenied, message: \"Permission denied\" })}"
time="2022-03-05T18:36:48-07:00" level=warning msg="Failed handler \"fcinit.AttachDrives\": [PUT /drives/{drive_id}][400] putGuestDriveByIdBadRequest  &{FaultMessage:Unable to create the block device BackingFile(Os { code: 13, kind: PermissionDenied, message: \"Permission denied\" })}"
start machine: [PUT /drives/{drive_id}][400] putGuestDriveByIdBadRequest  &{FaultMessage:Unable to create the block device BackingFile(Os { code: 13, kind: PermissionDenied, message: "Permission denied" })}

Description of changes:

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

jwilder Mar 06 '22 01:03

@jwilder, lgtm. For the buildkite failure, just need a dco in your commit message.

austinvazquez Mar 16 '22 16:03

nudge @jwilder

jeffwidman Oct 15 '22 00:10