Comments (14)
@osterman @sboardwell
I think we can use BindFS to solve this problem without risking the "works in my environment" problems that could come up if some users were running inside Geodesic as root and some were not. It would require further customization of the launch script, so that on Linux we mount $HOME to /localhost.bindfs instead of /localhost and then inside Geodesic use BindFS to map /localhost.bindfs to /localhost with UID/GID mapping using --create-for-user and --create-for-group, but I think once we get that right, everything else falls into place, and it should not be as hard as supporting Windows was.
from geodesic.
@Nuru -- I'd recommend $HOME/.local/bin (see XDG Base Directory Specification).
I'd like to propose this solution (please advise if this is universal enough):
- We support Linux user 1000 (which appears to be the default uid for distributions).
- If running linux, the wrapper script does DOCKER_ARGS+=(--user="$(id -u):$(id -g)")
- The Dockerfile.alpine and Dockerfile.debian will include useradd/groupadd/sudo support for user 1000 performing root operations.
- Major: We have to change the ownership inside the containers of /conf, /home and fix permissions of /var/tmp to allow usage by user 1000

Dockerfile additions:

    RUN \
        groupadd -g 1000 geouser && \
        useradd -d /conf -G sudo -g geouser -u 1000 geouser && \
        sed -i 's/sudo[[:space:]]ALL=(ALL:ALL) ALL/sudo ALL=(ALL) NOPASSWD: ALL/' /etc/sudoers && \
        chown -R 1000:1000 /conf /home && \
        chmod 777 /var/tmp
@drmikecrowe wrote:
I'd like to propose this solution (please advise if this is universal enough):
1. We support Linux user 1000 (which appears to be the default uid for distributions).
...
@drmikecrowe If you would be willing, I would prefer you try the BindFS solution I proposed and let us know how that goes.
Steps:
- Create a custom Geodesic image that includes the bindfs package.
- In the wrapper, if running Linux:
  - pass environment variables GEODESIC_HOST_UID="$(id -u)" and GEODESIC_HOST_GID="$(id -g)"
  - mount $HOME to /localhost.bindfs instead of /localhost
- Then, at the start of _workdir.sh:
  - Check if env vars are set and file system is mounted on /localhost.bindfs and if so, set up bindfs to mirror it to /localhost with the desired owner and group:

        # Only mirror the host home directory when the wrapper passed the host IDs
        # and the bind mount is actually present.
        if [[ -n $GEODESIC_HOST_UID ]] && [[ -n $GEODESIC_HOST_GID ]] && df -a | grep -q /localhost.bindfs; then
            bindfs --create-for-user="$GEODESIC_HOST_UID" --create-for-group="$GEODESIC_HOST_GID" /localhost.bindfs /localhost
        fi

  - Fix file_on_host if needed. I can take care of that if you just get me the output of df -a on a system where the BindFS fix is active and working as we would like it to work.
My hope is that this will solve all the file ownership problems and not get hung up on whatever the host UID and GID are, while also not requiring any further changes to Geodesic.
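The precondition check in the _workdir.sh step above, written out as an added example (this is not Geodesic's own _workdir.sh or any code from the thread). It assumes the wrapper sets GEODESIC_HOST_UID and GEODESIC_HOST_GID as proposed and that the host $HOME is mounted at /localhost.bindfs; the mounts table it reads is in /proc/mounts format, and the one in the demo is constructed. It goes a little further than the snippet in the comment: it requires the IDs to be numeric (the wrapper passes `id -u`/`id -g`, so anything else indicates a broken launch), treats a host UID of 0 as "no mapping needed", and matches the mount target exactly rather than with `df -a | grep`, which would also match a longer path that merely contains the string.

```shell
#!/bin/sh
# Added example, not Geodesic's own _workdir.sh: validate the preconditions of the
# BindFS step before running bindfs. Assumed inputs: GEODESIC_HOST_UID and
# GEODESIC_HOST_GID as set by the wrapper, and a mounts table in /proc/mounts
# format (the table used in the demo below is constructed, not a real system's).

# is_posint VALUE: succeed only for a non-empty string of digits.
is_posint() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
        *) return 0 ;;
    esac
}

# mounted_at MOUNTPOINT MOUNTS_FILE: succeed if MOUNTS_FILE lists MOUNTPOINT as a
# mount target. Field 2 of /proc/mounts is the target, so this is an exact match;
# `df -a | grep -q /localhost.bindfs` would also match e.g. /localhost.bindfs-old.
mounted_at() {
    awk -v mp="$1" '$2 == mp { found = 1 } END { exit !found }' "$2"
}

# bindfs_plan UID GID MOUNTS_FILE: print the bindfs command that should run, or
# print nothing and return a distinct non-zero code for each failed precondition.
bindfs_plan() {
    uid=$1
    gid=$2
    mounts=$3
    is_posint "$uid" || { echo "GEODESIC_HOST_UID is not numeric: '$uid'" >&2; return 2; }
    is_posint "$gid" || { echo "GEODESIC_HOST_GID is not numeric: '$gid'" >&2; return 2; }
    # A host UID of 0 means files created by root in the container already have
    # the right owner on the host, so there is nothing to map.
    [ "$uid" -ne 0 ] || { echo "host UID is 0; no ownership mapping needed" >&2; return 3; }
    mounted_at /localhost.bindfs "$mounts" || { echo "/localhost.bindfs is not mounted" >&2; return 4; }
    printf 'bindfs --create-for-user=%s --create-for-group=%s /localhost.bindfs /localhost\n' "$uid" "$gid"
}

# Stand-alone demo with a constructed mounts table.
demo() {
    mounts=$(mktemp)
    printf '%s\n' \
        'overlay / overlay rw,relatime 0 0' \
        '/dev/sda1 /localhost.bindfs ext4 rw,relatime 0 0' > "$mounts"
    bindfs_plan 1000 1000 "$mounts"    # prints the bindfs command to run
    bindfs_plan 1000 staff "$mounts"   # rejected: GID is not numeric
    bindfs_plan 1000 1000 /dev/null    # rejected: nothing mounted there
    rm -f "$mounts"
}

demo
```

In the real _workdir.sh the call would be `bindfs_plan "$GEODESIC_HOST_UID" "$GEODESIC_HOST_GID" /proc/mounts` followed by executing the printed command; keeping the decision in a function that returns distinct codes makes the "why did mapping not happen" question answerable from the exit status alone.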
I think this is what we want, but would appreciate any feedback
@drmikecrowe OK, I have not been able to reproduce and fix the problem, so I need more information from you.
This is not an issue with Docker v20 on Ubuntu (tested on 20.04 LTS) when running in rootless mode. As with macOS, this configuration correctly translates file ownership between the root UID and GID inside the container to the user's UID and GID on the host.
When running Docker as root, and launching Geodesic using sudo geodesic, the geodesic wrapper does not get the user's UID and GID or home directory, so BindFS does not help and we do not get the right home directory mapped to /localhost anyway.
How are you launching Geodesic? Are you able to find the non-root user's UID, GID, and $HOME?
I add my user to the docker group, and never use sudo to run docker.
I'm wondering if we should simply point users to rootless mode...
@drmikecrowe We definitely should be pointing users to rootless mode. Unfortunately, our current install procedure does not work in rootless mode, because the non-root user cannot install the geodesic wrapper in /usr/local/bin and the root user cannot run docker run because the socket is not in the default location. I think what we will do is:
- Give up on auto-detection and auto-configuration of BindFS, just make it available as an option
- If we cannot install the geodesic wrapper in /usr/local/bin, instead of giving up, write it to /tmp/geodesic and output a message to install it manually via sudo install -C /tmp/geodesic /usr/local/bin/geodesic
@Nuru -- what about:
- check if user has write access to /usr/local/bin and ensure we are running in user mode
- write to /tmp/geodesic
- execute sudo mv /tmp/geodesic /usr/local/bin/___ (which will prompt the user for their password if they aren't in sudoer's group)
Thoughts?
@drmikecrowe I do not like the security implications of running other people's scripts as root, and to me it's even worse when a script asks for your password in the middle of running, as you really have no idea what it's doing: maybe it's going to Tweet your password to the world. So I don't want to execute sudo in the script and I'm glad my solution gets rid of our current workaround which is to have affected users run the whole install script under sudo.

An alternative would be to install the script in $HOME/bin/ (creating it if it does not exist), giving the user the option of adding $HOME/bin to their PATH or installing the script in /usr/local/bin. I have mixed feelings about that. I like that for some people (who already have $HOME/bin on their path), they will have nothing left to do, and make install (and therefore make all) will properly update their wrapper without further intervention. What I don't like is that it feels intrusive and presumptuous to be creating a directory in the user's home directory.
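The install flow discussed in the two comments above (write the wrapper where the current user can, never invoke sudo from the script, and print the manual step instead), as an added example that is not Geodesic's Makefile or install script. It assumes the wrapper to install is passed as the first argument, that GNU install is available on the host for the `-C` flag in the printed command, and that the fallback directory is one the user owns (for instance $HOME/bin or $HOME/.local/bin); the directories in the demo are constructed temporary ones.

```shell
#!/bin/sh
# Added example, not Geodesic's own install script: put the wrapper where the
# current user can write, and never call sudo from inside the script.
# Assumptions: SRC is the wrapper file; FALLBACK is a directory the user owns;
# GNU install exists on the host for the manual step that gets printed.

# dir_writable DIR: true only if DIR exists and the current user can write to it.
dir_writable() {
    [ -d "$1" ] && [ -w "$1" ]
}

# choose_install_dir PREFERRED FALLBACK: print PREFERRED if writable, otherwise
# create FALLBACK and print that.
choose_install_dir() {
    if dir_writable "$1"; then
        printf '%s\n' "$1"
    else
        mkdir -p "$2" && printf '%s\n' "$2"
    fi
}

# install_wrapper SRC PREFERRED FALLBACK: copy SRC into the chosen directory with
# mode 0755 and print the installed path. When the preferred directory was not
# writable, print the manual, user-reviewed step to stderr instead of escalating.
install_wrapper() {
    src=$1
    preferred=$2
    fallback=$3
    dest_dir=$(choose_install_dir "$preferred" "$fallback") || return 1
    name=$(basename "$src")
    cp "$src" "$dest_dir/$name" || return 1
    chmod 0755 "$dest_dir/$name" || return 1
    if [ "$dest_dir" != "$preferred" ]; then
        echo "Installed $name to $dest_dir (no write access to $preferred)." >&2
        echo "To install it system-wide, review and run:" >&2
        echo "  sudo install -C $dest_dir/$name $preferred/$name" >&2
        case ":$PATH:" in
            *":$dest_dir:"*) ;;
            *) echo "Note: $dest_dir is not on your PATH." >&2 ;;
        esac
    fi
    printf '%s\n' "$dest_dir/$name"
}

# Stand-alone demo using constructed temporary directories in place of
# /usr/local/bin and $HOME/bin.
demo() {
    work=$(mktemp -d)
    printf '#!/bin/sh\necho "geodesic wrapper"\n' > "$work/geodesic"
    # First run: the preferred directory does not exist, so the fallback is used
    # and the manual step is printed.
    install_wrapper "$work/geodesic" "$work/usr_local_bin" "$work/home/bin"
    # Second run: the preferred directory now exists and is writable.
    mkdir -p "$work/usr_local_bin"
    install_wrapper "$work/geodesic" "$work/usr_local_bin" "$work/home/bin"
    rm -rf "$work"
}

demo
```

The writability test uses the current user's permissions, so the script never needs to know whether it was started under sudo; if it was, it simply writes to the preferred directory, and if it was not, the only privileged action is one the user types themselves after reading it.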
@drmikecrowe Please try release candidate v0.152.0-rc2 and report issues in #771
Please try release candidate v0.152.0-rc2 and report issues in #771
@Nuru Please confirm:
ARG VERSION=0.151.0-rc2
not 152?
Please try release candidate v0.152.0-rc2 and report issues in #771
@Nuru Please confirm:
ARG VERSION=0.151.0-rc2
not 152?
@drmikecrowe Feel free to try both, but if you are going to try only one, please try
ARG VERSION=0.152.0-rc2
Since this is a pretty common issue across different container runtimes, underlying VMs, mountTypes -- one note for any fellow colima users out there: Be sure to change from your vm setting to vz and mountType setting to virtiofs. See the below for full details:
- https://sweetops.slack.com/archives/G014YEKDH4K/p1708394409046649
- https://stackoverflow.com/a/77596193
- lima-vm/lima#231