Less aggressive permissions setting. COPY with chown flag

ai-dock · Feb 17, 2024 · d4ae22a · d4ae22a
1 parent d296c89
commit d4ae22a
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 9 deletions.
diff --git a/build/COPY_ROOT/opt/ai-dock/bin/fix-permissions.sh b/build/COPY_ROOT/opt/ai-dock/bin/fix-permissions.sh
@@ -18,30 +18,30 @@ function main() {
 }
 
 function fix_container() {
-    # Ensure we only affect files in this fs layer
+    # Beware: If you copied files at buildtime without setting gid 1111 the fs will bloat
+    # COPYs should ensure local permissions are suitable first
     printf "Fixing container file permissions...\n"
     chown root.ai-dock /opt
     chmod g+s /opt
-    find /opt -not -group ai-dock -exec chown root.ai-dock {} \;
     find /opt -type d ! -perm -g=s -exec chmod g+s {} \;
-    find /opt ! -perm -g=w -exec chmod g+w {} \;
+    # See above - Remember this is overlayfs
+    find /opt -not -group ai-dock -exec chown root.ai-dock {} \;
     printf "Container file permissions reset\n"
 }
 
 function fix_workspace() {
     if [[ $WORKSPACE_PERMISSIONS != "false" ]]; then
         printf "Fixing workspace permissions...\n"
         chown "${WORKSPACE_UID}.${WORKSPACE_GID}" "${WORKSPACE}"
-        chmod -R g+s "${WORKSPACE}"
-        find "${WORKSPACE}" -not -user "${WORKSPACE_UID}" -exec chown "${WORKSPACE_UID}.${WORKSPACE_GID}" {} \;
+        chmod g+s "${WORKSPACE}"
         find "${WORKSPACE}" -type d ! -perm -g=s -exec chmod g+s {} \;
-        find "${WORKSPACE}" ! -perm -g=w -exec chmod g+w {} \;
+        find "${WORKSPACE}" -not -writeable -uid "${WORKSPACE_UID}" -exec chown "${WORKSPACE_UID}.${WORKSPACE_GID}" {} \;
         chmod o-rw "${WORKSPACE}/home/${USER_NAME}"
         if [[ -e ${WORKSPACE}/home/user/.ssh/authorized_keys ]]; then
             chmod 700 "${WORKSPACE}/home/${USER_NAME}/.ssh"
             chmod 600 "${WORKSPACE}/home/${USER_NAME}/.ssh/authorized_keys"
         fi
-        printf printf "Workspace file permissions reset\n"
+        printf "Workspace file permissions reset\n"
     else
         printf "Workspace permissions not changed (non-standard fs)\n"
     fi

diff --git a/build/COPY_ROOT_EXTRA/opt/ai-dock/bin/build/layer1/init.sh b/build/COPY_ROOT_EXTRA/opt/ai-dock/bin/build/layer1/init.sh
@@ -1,3 +1,4 @@
 #!/bin/bash
 
 # Override this file to add extras to your build
+#fix-permissions -o container
diff --git a/build/Dockerfile b/build/Dockerfile
@@ -55,7 +55,7 @@ ENV MAMBA_EXE="/opt/micromamba/bin/micromamba"
 ENV RCLONE_CONFIG="/etc/rclone/rclone.conf"
 ENV IMAGE_SLUG="base-image"
 # Copy early so we can use scripts in the build - Changes to these files will invalidate the cache and cause a rebuild.
-COPY ./COPY_ROOT/ /
+COPY --chown=0:1111 ./COPY_ROOT/ /
 
 ARG CUDA_VERSION
 ARG CUDNN_VERSION
@@ -69,7 +69,7 @@ RUN yes | unminimize && \
     set -eo pipefail && /opt/ai-dock/bin/build/layer0/init.sh | tee /var/log/build.log
 
 # Copy overrides and new files into a final layer for fast rebuilds. Uncomment below
-#COPY ./COPY_ROOT_EXTRA/ /
+#COPY --chown=0:1111 ./COPY_ROOT_EXTRA/ /
 #RUN set -eo pipefail && /opt/ai-dock/bin/build/layer1/init.sh | tee -a /var/log/build.log
 
 # Keep init.sh as-is and place additional logic in /opt/ai-dock/bin/preflight.sh