ekalinin/nodeenv

node installation fails when capability DAC_OVERRIDE is dropped using docker

nschad opened this issue · 2 comments

Hi,

So after 4 hours of debugging, I finally found out why our pre-commit (GitLab CI) wasn't installing any node-related hooks. With the DAC_OVERRIDE capability disabled, nodeenv then downloads the node installer with permissions 1001:1001, which results in PermissionError: [Errno 13] even though I'm root in the container.

Screenshot of the node setup in the pre-commit cache directory

Additional Info:

It appears that when extracting an archive as root, the root user's umask will not be applied unless specified via --no-same-permissions, which makes the folder unusable and stops the container from working when the capability DAC_OVERRIDE is dropped (should be the same problem on SELinux-enabled systems).

Reproducible steps:
Start a container with

docker run -it --cap-drop DAC_OVERRIDE python:3.8 bash

Logs:

root@9a240d8fec59:/# curl https://nodejs.org/download/release/latest/node-v16.0.0-linux-arm64.tar.gz --output files/node-v16.0.0-linux-arm64.tar.gz             
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current                                                                           
                                 Dload  Upload   Total   Spent    Left  Speed                                                                             
100 31.7M  100 31.7M    0     0  17.2M      0  0:00:01  0:00:01 --:--:-- 17.2M                                                                            
root@9a240d8fec59:/files# python
Python 3.8.9 (default, Apr 10 2021, 15:47:22)
[GCC 8.3.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> import tarfile
>>> import os
>>> print(os.getcwd())
/files
>>> tar = tarfile.open("node-v16.0.0-linux-arm64.tar.gz")
>>> tar.extractall()
>>> tar.close()
>>>
root@9a240d8fec59:/files# ls -alh
total 32M
drwxr-xr-x 3 root root 4.0K Apr 29 18:40 .
drwxr-xr-x 1 root root 4.0K Apr 29 18:39 ..
drwxr-xr-x 6 1000 1000 4.0K Apr 20 10:50 node-v16.0.0-linux-arm64
-rw-r--r-- 1 root root  32M Apr 29 18:39 node-v16.0.0-linux-arm64.tar.gz
root@9a240d8fec59:/files# touch node-v16.0.0-linux-arm64/
CHANGELOG.md  LICENSE       README.md     bin/          include/      lib/          share/
root@9a240d8fec59:/files# touch node-v16.0.0-linux-arm64/test.txt
touch: cannot touch 'node-v16.0.0-linux-arm64/test.txt': Permission denied

Hey @ShuzZzle !

Thanks for the report!

But it's not clear how it could be fixed from nodeenv's POV?

I absolutely agree. I had that same thought 5 minutes after posting it. I figured that it would be helpful to determine if there is something we can do when extracting the archive (like applying the root umask) or if it's just poorly a docker "problem". Also I guess the real fix would be by not using a root user in the first place, since generally that's not a good practice anyway.
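
An added example, not code from this thread or from nodeenv: one way to do at extraction time what the comments above discuss, by rewriting each archive entry so it is owned by the extracting user and has that user's umask applied, the tarfile equivalent of tar's --no-same-owner and --no-same-permissions. The function names and the sample archive are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile


def current_umask():
    mask = os.umask(0)  # the umask can only be read by setting it
    os.umask(mask)      # so restore it straight away
    return mask


def normalize(member, uid, gid, mask):
    """Mirror tar's --no-same-owner / --no-same-permissions for one entry."""
    # Empty names keep tarfile from mapping archive user/group names to ids.
    member.uid, member.gid, member.uname, member.gname = uid, gid, "", ""
    member.mode &= ~mask  # apply the extracting user's umask
    return member


def extract_as_current_user(archive, dest):
    """Extract so that every entry is owned by the extracting user."""
    uid, gid, mask = os.geteuid(), os.getegid(), current_umask()
    root = os.path.realpath(dest)
    with tarfile.open(archive) as tar:
        members = []
        for m in tar.getmembers():
            target = os.path.realpath(os.path.join(root, m.name))
            if os.path.commonpath([root, target]) != root:
                raise ValueError("entry escapes destination: " + m.name)
            members.append(normalize(m, uid, gid, mask))
        tar.extractall(root, members=members, numeric_owner=True)


def build_sample_archive(path):
    """Constructed sample: a directory and a file owned by 1000:1000."""
    with tarfile.open(path, "w:gz") as tar:
        d = tarfile.TarInfo("pkg")
        d.type, d.mode, d.uid, d.gid = tarfile.DIRTYPE, 0o777, 1000, 1000
        tar.addfile(d)
        f = tarfile.TarInfo("pkg/README.md")
        f.size, f.mode, f.uid, f.gid = 5, 0o666, 1000, 1000
        tar.addfile(f, io.BytesIO(b"hello"))


if __name__ == "__main__":
    tmp = tempfile.mkdtemp()
    build_sample_archive(os.path.join(tmp, "sample.tar.gz"))
    extract_as_current_user(os.path.join(tmp, "sample.tar.gz"), tmp)
    print(os.stat(os.path.join(tmp, "pkg")).st_uid)
```

When run as root, tarfile changes ownership to the uid and gid stored on each entry, so after normalization the extracted tree belongs to root itself and writing into it goes through the ordinary owner permission bits.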