mantid_development.sh: --ipc=host needed for chown permission #12

Open
ajjackson opened this issue May 3, 2019 · 3 comments
@ajjackson

The recent updates (specifically commit 329090d) break mantid_development.sh for me, failing to mount readable volumes with the following output:

```
+ TARGET_USERNAME=abc
+ for rule in /etc/entrypoint.d/*.sh
+ env TARGET_USERNAME=abc /etc/entrypoint.d/10_change_user_ids.sh
+ PUID=1000
+ PGID=1000
+ groupmod --non-unique --gid 1000 abc
+ usermod --non-unique --uid 1000 abc
+ for rule in /etc/entrypoint.d/*.sh
+ env TARGET_USERNAME=abc /etc/entrypoint.d/20_abc_own_directories.sh
+ chown abc:abc /mantid_src
chown: changing ownership of '/mantid_src': Permission denied
+ chown abc:abc /mantid_build
chown: changing ownership of '/mantid_build': Permission denied
+ chown abc:abc /mantid_data
chown: changing ownership of '/mantid_data': Permission denied
+ chown abc:abc /ccache
+ CMD=bash
+ runuser -u abc -- bash
abc@ee926268edd1:/mantid_build$
```

The former behaviour is restored (without "permission denied" errors) if I reintroduce the --ipc=host argument to docker within this script. This option is mentioned in the updated docs as being necessary for X windowing, but seems to have a wider impact?

A factor that is probably relevant is that I don't run docker as root but use a docker group instead. Perhaps the recent updates make an assumption that docker was run by root?

@DanNixon
Member

DanNixon commented May 25, 2019

> The former behaviour is restored (without "permission denied" errors) if I reintroduce the --ipc=host argument to docker within this script. This option is mentioned in the updated docs as being necessary for X windowing, but seems to have a wider impact?

That is odd. IPC namespacing should not affect being able to change filesystem attributes AFAIK.

This option may imply other security attributes that do allow certain filesystem modifications.

> A factor that is probably relevant is that I don't run docker as root but use a docker group instead. Perhaps the recent updates make an assumption that docker was run by root?

No. In fact, membership of the docker group is pretty much the equivalent of being a sudoer anyway.
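A diagnostic sketch for the trace in the report, added here as an example and not taken from the thread or the repository (function names are hypothetical). It separates the two errors a failed `chown` can print: "Operation not permitted" is EPERM, which chown(2) returns when the caller lacks CAP_CHOWN over the file, while the "Permission denied" seen in the trace is EACCES, which chown(2) documents for denied path search permission and which Linux security modules typically return on a refusal. It does not establish which of those applies here.

```shell
#!/bin/sh
# Added example: classify chown failures in an entrypoint trace.

# Map one line of GNU chown output to the errno it represents.
classify_chown_error() {
    case "$1" in
        *"chown: "*": Permission denied")       echo EACCES ;;  # path search or LSM refusal
        *"chown: "*": Operation not permitted") echo EPERM ;;   # no CAP_CHOWN over the file
        *)                                      echo NONE ;;
    esac
}

# CAP_CHOWN is capability number 0, so it is the lowest bit of the CapEff
# mask in /proc/<pid>/status; an odd final hex digit means the bit is set.
has_cap_chown() {
    case "$1" in
        *[13579bdfBDF]) return 0 ;;
        *)              return 1 ;;
    esac
}

# Read a trace on stdin and print "<errno> <path>" for every failed chown.
summarise_trace() {
    while IFS= read -r trace_line; do
        kind=$(classify_chown_error "$trace_line")
        [ "$kind" = NONE ] && continue
        failed_path=${trace_line#*\'}       # drop everything up to the first quote
        failed_path=${failed_path%%\'*}     # drop the closing quote and the message
        echo "$kind $failed_path"
    done
}

# Report the capability state of the current process (run inside the container).
report_live_caps() {
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    if has_cap_chown "$capeff"; then
        echo "CAP_CHOWN present (CapEff=$capeff)"
    else
        echo "CAP_CHOWN missing (CapEff=$capeff)"
    fi
}

# Three lines copied from the trace in the report above.
SAMPLE_TRACE="+ chown abc:abc /mantid_src
chown: changing ownership of '/mantid_src': Permission denied
+ chown abc:abc /ccache"

printf '%s\n' "$SAMPLE_TRACE" | summarise_trace
```

If `report_live_caps` shows CAP_CHOWN present while the trace still reports EACCES, the capability set is not what is refusing the call.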

@sf1919
Collaborator

sf1919 commented Nov 22, 2022

@ajjackson is this still an issue?

@ajjackson
Author

No idea, I've switched away from using the development dockerfiles to the Conda option.
