eve icon indicating copy to clipboard operation
eve copied to clipboard

Published 20 hours ago verified publisher icon lf-edge

compose-image: run yq container as root

Open yvolchkov opened this issue 2 years ago • 8 comments

The yq container assumes that user id is 1000. Which is true for most of the systems, but not for all of them. The obvious example is a shared machine, where only the first user will have uid 1000.

As the result the development build (DEV=y) will work only for uid 1000, and for other users yq will silently fail to update the rootfs yaml configuration.

This patch adds a missing check that yq was successful, so the build will fail if it was not. And also fixes the problem by running yq container as root, so it has necessary permissions to edit the yaml

Signed-off-by: Yuri Volchkov [email protected]

yvolchkov avatar Aug 05 '22 18:08 yvolchkov

@eriknordmark could you have a look?

zededa-yuri avatar Aug 19 '22 14:08 zededa-yuri

Why would we want to run yq as root? It shouldn't require any privileges at all, it is just processing input text to output text.

Adding error check is a good thing (although wouldn't just running the entire script with set -e do it?). Writing the file should be done as a redirect to avoid permissions issues.

deitch avatar Aug 19 '22 14:08 deitch

YQ container would not have rights to write to the mounted directory if it is not owned by UID 1000. The way it is done now is updating resulting file inplace. I'll check if its possible to redirect the stdout of container to the file

As for set -e it is considered as a bad practice. I'd prefer not to do that http://mywiki.wooledge.org/BashFAQ/105

zededa-yuri avatar Aug 19 '22 15:08 zededa-yuri

As for set -e it is considered as a bad practice. I'd prefer not to do that

I disagree. I understand that it is incomplete, but so is every piece of technology ever written. If there are situations that need specific addressing, then let's do that. In the case you are trying to solve, it makes your pain go away.

I'll check if its possible to redirect the stdout of container to the file

That would be a lot cleaner, if it is possible. Writing stuff from within a container to be used outside it works, but creates lots of permissions headaches (as you pointed out).

deitch avatar Aug 19 '22 15:08 deitch

[the hostess took up a broom] @zededa-yuri do you plan to check if it's possible to redirect the stdout to a file and finish this pr or we can close it?

rouming avatar Oct 12 '22 13:10 rouming

Update pull request as requested

yvolchkov avatar Oct 14 '22 16:10 yvolchkov

Create OCI config for lfedge/eve-pillar-dev:dd25be30132b23fba5b71a153e9b5f7fdb02e5a6-amd64

Works fine for me!

mikem-zed avatar Oct 14 '22 16:10 mikem-zed

Can you plase adjust PR title and description?

giggsoff avatar Oct 14 '22 17:10 giggsoff

done

yvolchkov avatar Oct 17 '22 12:10 yvolchkov