This repository has been archived by the owner on Feb 24, 2020. It is now read-only.
Thanks for the tool, it is really simple but powerful to use! Also, this may actually be a rkt issue, so please forgive me if that is the case : )
Some background on this issue is that I'm attempting to get nginx running fully as an unprivileged user, i.e. avoiding having the master process start as root. I've been able to get everything set up correctly but am running into an issue with linking the logging to /dev/stdout and /dev/stderr. The following build script is a pared down approximation of what I'm doing:
acbuild begin docker://alpine:3.4
acbuild run -- addgroup -S nginx 2>/dev/null
acbuild run -- adduser -S -D -H -h /nginx -s /sbin/nologin -G nginx -g nginx nginx
## In the real aci I am doing something like this
# acbuild run -- ln -sf /dev/stderr /nginx/log/error.log
# acbuild run -- chown -R nginx:nginx /nginx
# acbuild set-exec -- /nginx/sbin/nginx -g 'error_log /nginx/log/error.log warn;'
acbuild set-user nginx
acbuild set-exec -- /bin/ls -la /dev
acbuild write bad_dev_console.aci
acbuild end
Now, as I understand it, /dev/stdout and /dev/stderr are bound automatically by acbuild during run commands. Also, as this comment points out, rkt does some different magic for us depending on whether the --interactive flag is passed to rkt run.
It appears that the ownership only fails to be set correctly when running rkt run with no --interactive flag:
$ sudo rkt run --insecure-options=image bad_dev_console.aci
run: disabling overlay support: "overlay entry not present in /proc/filesystems"
[24012.418194] alpine[5]: total 12
[24012.418438] alpine[5]: drwxr-xr-x 5 root root 4096 Dec 2 04:07 .
[24012.418582] alpine[5]: drwxr-xr-x 18 root root 4096 Jan 1 1970 ..
[24012.418702] alpine[5]: crw------- 1 root root 136, 0 Dec 2 04:07 console
[24012.418821] alpine[5]: lrwxrwxrwx 1 root root 13 Jan 1 1970 fd -> /proc/self/fd
[24012.418939] alpine[5]: crw-rw-rw- 1 root root 1, 7 Dec 2 04:07 full
[24012.419071] alpine[5]: lrwxrwxrwx 1 root root 28 Dec 2 04:07 log -> /run/systemd/journal/dev-log
[24012.419189] alpine[5]: drwxr-xr-x 2 root root 4096 Dec 2 04:07 net
[24012.419306] alpine[5]: crw-rw-rw- 1 root root 1, 3 Dec 2 04:07 null
[24012.419425] alpine[5]: lrwxrwxrwx 1 root root 13 Dec 2 04:07 ptmx -> /dev/pts/ptmx
[24012.419549] alpine[5]: drwxr-xr-x 2 root root 0 Dec 2 04:07 pts
[24012.419669] alpine[5]: crw-rw-rw- 1 root root 1, 8 Dec 2 04:07 random
[24012.419787] alpine[5]: drwxrwxrwt 2 root root 40 Dec 2 04:07 shm
[24012.419904] alpine[5]: lrwxrwxrwx 1 root root 12 Jan 1 1970 stderr -> /dev/console
[24012.420067] alpine[5]: lrwxrwxrwx 1 root root 15 Jan 1 1970 stdin -> /proc/self/fd/0
[24012.420256] alpine[5]: lrwxrwxrwx 1 root root 12 Jan 1 1970 stdout -> /dev/console
[24012.420381] alpine[5]: crw-rw-rw- 1 root root 5, 0 Dec 2 04:07 tty
[24012.420502] alpine[5]: crw-rw-rw- 1 root root 1, 9 Dec 2 04:07 urandom
[24012.420623] alpine[5]: crw-rw-rw- 1 root root 1, 5 Dec 2 04:07 zero
$ sudo rkt run --insecure-options=image bad_dev_console.aci --user root
run: disabling overlay support: "overlay entry not present in /proc/filesystems"
[24016.308294] alpine[5]: total 12
[24016.308579] alpine[5]: drwxr-xr-x 5 root root 4096 Dec 2 04:07 .
[24016.308826] alpine[5]: drwxr-xr-x 18 root root 4096 Jan 1 1970 ..
[24016.309043] alpine[5]: crw------- 1 root root 136, 0 Dec 2 04:07 console
[24016.309313] alpine[5]: lrwxrwxrwx 1 root root 13 Jan 1 1970 fd -> /proc/self/fd
[24016.309547] alpine[5]: crw-rw-rw- 1 root root 1, 7 Dec 2 04:07 full
[24016.309741] alpine[5]: lrwxrwxrwx 1 root root 28 Dec 2 04:07 log -> /run/systemd/journal/dev-log
[24016.309920] alpine[5]: drwxr-xr-x 2 root root 4096 Dec 2 04:07 net
[24016.310105] alpine[5]: crw-rw-rw- 1 root root 1, 3 Dec 2 04:07 null
[24016.310276] alpine[5]: lrwxrwxrwx 1 root root 13 Dec 2 04:07 ptmx -> /dev/pts/ptmx
[24016.310483] alpine[5]: drwxr-xr-x 2 root root 0 Dec 2 04:07 pts
[24016.310707] alpine[5]: crw-rw-rw- 1 root root 1, 8 Dec 2 04:07 random
[24016.311039] alpine[5]: drwxrwxrwt 2 root root 40 Dec 2 04:07 shm
[24016.311242] alpine[5]: lrwxrwxrwx 1 root root 12 Jan 1 1970 stderr -> /dev/console
[24016.311485] alpine[5]: lrwxrwxrwx 1 root root 15 Jan 1 1970 stdin -> /proc/self/fd/0
[24016.311682] alpine[5]: lrwxrwxrwx 1 root root 12 Jan 1 1970 stdout -> /dev/console
[24016.311843] alpine[5]: crw-rw-rw- 1 root root 5, 0 Dec 2 04:07 tty
[24016.312175] alpine[5]: crw-rw-rw- 1 root root 1, 9 Dec 2 04:07 urandom
[24016.312488] alpine[5]: crw-rw-rw- 1 root root 1, 5 Dec 2 04:07 zero
$ sudo rkt run --insecure-options=image bad_dev_console.aci --user nginx
run: disabling overlay support: "overlay entry not present in /proc/filesystems"
[24020.700875] alpine[5]: total 12
[24020.701137] alpine[5]: drwxr-xr-x 5 root root 4096 Dec 2 04:07 .
[24020.701284] alpine[5]: drwxr-xr-x 18 root root 4096 Jan 1 1970 ..
[24020.701407] alpine[5]: crw------- 1 root root 136, 0 Dec 2 04:07 console
[24020.701528] alpine[5]: lrwxrwxrwx 1 root root 13 Jan 1 1970 fd -> /proc/self/fd
[24020.701648] alpine[5]: crw-rw-rw- 1 root root 1, 7 Dec 2 04:07 full
[24020.701780] alpine[5]: lrwxrwxrwx 1 root root 28 Dec 2 04:07 log -> /run/systemd/journal/dev-log
[24020.701903] alpine[5]: drwxr-xr-x 2 root root 4096 Dec 2 04:07 net
[24020.702022] alpine[5]: crw-rw-rw- 1 root root 1, 3 Dec 2 04:07 null
[24020.702143] alpine[5]: lrwxrwxrwx 1 root root 13 Dec 2 04:07 ptmx -> /dev/pts/ptmx
[24020.702269] alpine[5]: drwxr-xr-x 2 root root 0 Dec 2 04:07 pts
[24020.702391] alpine[5]: crw-rw-rw- 1 root root 1, 8 Dec 2 04:07 random
[24020.702511] alpine[5]: drwxrwxrwt 2 root root 40 Dec 2 04:07 shm
[24020.702630] alpine[5]: lrwxrwxrwx 1 root root 12 Jan 1 1970 stderr -> /dev/console
[24020.702757] alpine[5]: lrwxrwxrwx 1 root root 15 Jan 1 1970 stdin -> /proc/self/fd/0
[24020.702880] alpine[5]: lrwxrwxrwx 1 root root 12 Jan 1 1970 stdout -> /dev/console
[24020.702999] alpine[5]: crw-rw-rw- 1 root root 5, 0 Dec 2 04:07 tty
[24020.703119] alpine[5]: crw-rw-rw- 1 root root 1, 9 Dec 2 04:07 urandom
[24020.703238] alpine[5]: crw-rw-rw- 1 root root 1, 5 Dec 2 04:07 zero
$ sudo rkt run --insecure-options=image --interactive bad_dev_console.aci
run: disabling overlay support: "overlay entry not present in /proc/filesystems"
total 12
drwxr-xr-x 5 root root 4096 Dec 2 04:07 .
drwxr-xr-x 18 root root 4096 Jan 1 1970 ..
crw--w---- 1 nginx root 136, 0 Dec 2 04:07 console
lrwxrwxrwx 1 root root 13 Jan 1 1970 fd -> /proc/self/fd
crw-rw-rw- 1 root root 1, 7 Dec 2 04:07 full
lrwxrwxrwx 1 root root 28 Dec 2 04:07 log -> /run/systemd/journal/dev-log
drwxr-xr-x 2 root root 4096 Dec 2 04:07 net
crw-rw-rw- 1 root root 1, 3 Dec 2 04:07 null
lrwxrwxrwx 1 root root 13 Dec 2 04:07 ptmx -> /dev/pts/ptmx
drwxr-xr-x 2 root root 0 Dec 2 04:07 pts
crw-rw-rw- 1 root root 1, 8 Dec 2 04:07 random
drwxrwxrwt 2 root root 40 Dec 2 04:07 shm
lrwxrwxrwx 1 root root 12 Jan 1 1970 stderr -> /dev/console
lrwxrwxrwx 1 root root 15 Jan 1 1970 stdin -> /proc/self/fd/0
lrwxrwxrwx 1 root root 12 Jan 1 1970 stdout -> /dev/console
crw-rw-rw- 1 root root 5, 0 Dec 2 04:07 tty
crw-rw-rw- 1 root root 1, 9 Dec 2 04:07 urandom
crw-rw-rw- 1 root root 1, 5 Dec 2 04:07 zero
Is this surprising? Am I missing something? Thanks in advance!
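A diagnostic for the scenario in this report, added here and not part of acbuild or rkt: run it inside the pod as the unprivileged user to see whether a log path symlinked to /dev/stdout or /dev/stderr resolves to a device that user can actually open for writing. It assumes a Linux `readlink -f` and `stat -c`; `/nginx/log/error.log` is the path from the build script above.

```shell
#!/bin/sh
# Added diagnostic, not part of acbuild or rkt: follow a log path through its
# symlinks and report whether the current (unprivileged) user can open the
# final target for writing. Assumes Linux readlink -f and stat -c.

# resolve_target PATH: print the final symlink target of PATH (PATH itself if
# readlink cannot resolve it).
resolve_target() {
    readlink -f "$1" 2>/dev/null || printf '%s\n' "$1"
}

# check_log_target PATH: return 0 if PATH resolves to something this user can
# write to, 1 otherwise. [ -w ] uses the same access(2) check an open() for
# writing would hit, so a crw------- root:root /dev/console shows up as DENIED
# for any non-root uid, which is the non-interactive case in the listings above.
check_log_target() {
    path=$1
    target=$(resolve_target "$path")
    if [ ! -e "$target" ]; then
        printf 'MISSING  %s -> %s\n' "$path" "$target"
        return 1
    fi
    mode=$(stat -c '%A %U:%G' "$target" 2>/dev/null || echo '?')
    if [ -w "$target" ]; then
        printf 'OK       %s -> %s (%s)\n' "$path" "$target" "$mode"
        return 0
    fi
    printf 'DENIED   %s -> %s (%s) as uid %s\n' "$path" "$target" "$mode" "$(id -u)"
    return 1
}

# check_all PATH...: check every path, return 1 if any of them is unusable.
check_all() {
    rc=0
    for p in "$@"; do
        check_log_target "$p" || rc=1
    done
    return $rc
}

# Inside the pod: the log file from the build script plus the devices it is
# symlinked to. A DENIED line means nginx's master process would fail to open
# its error log when started as this user.
check_all /dev/stdout /dev/stderr /nginx/log/error.log \
    || echo 'at least one log target is not writable by this user'
```

Run it with `rkt run ... --interactive` and without to compare: the non-interactive run should report DENIED for the /dev/console target when the uid is not 0.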