permissions error when building the docker image over openshift

[samisalamiws]

Hi @viceice

we are having some permissions errors when we're building our dockerfile based buildpack over openshift. A lot of simple commands like creating folders are not able to run.

we followed the workaround suggested on their documentation at: https://developers.redhat.com/blog/2020/10/26/adapting-docker-and-kubernetes-containers-to-run-on-red-hat-openshift-container-platform#group_ownership_and_file_permission but this made our image size increase significantly (over 10 GB).
basically we added these commands:
RUN chown -R ${USER_ID}:0 /usr/local/buildpack/tools/
RUN chown -R ${USER_ID}:0 /usr/local/bin/
RUN chown -R ${USER_ID}:0 /home/wss-scanner/
RUN chown -R ${USER_ID}:0 /tmp

This brings us to an older discussion we had regarding user/group creation.
when we ran the old dockerfile (without buildpack), we creating the group/user as follow:

RUN groupadd ${WSS_GROUP} && \
useradd --gid ${WSS_GROUP} --groups 0 --shell /bin/bash --home-dir ${WSS_USER_HOME} --create-home ${WSS_USER} && \passwd -d ${WSS_USER}

when we ran the old dockerfile over openshift, it worked ok.
but currently, we are not able to create the group/user the way we were, and we're facing permissions issues.

Is there a way to adjust the user --groups value?

[viceice]

🤔 the Buildpack user already is a member of the root group.

So can you provide some more details about which folders of buildpack you need write access to and why?

@rarkins is that the scanner image i converted some time ago? If yes, we can exchange the details in our private VisualOn repo.

[viceice]

You would need to set the password manually, as we don't want to have any passwords safer to buildpack images.

We still should identify the tools which are causing issues with openshift.

Also your use case is different to our other known cases. As you add stuff as buildpack user and then try to do the same as arbitrary openshift user. Until now we only had one of them.

[rarkins]

Would it help if we add a util command "chown-home" that can be appended to RUN commands? The challenge though is to support this stuff at runtime too.

BTW we could try to coerce go into installing into home - that might help

[viceice]

Would it help if we add a util command "chown-home" that can be appended to RUN commands? The challenge though is to support this stuff at runtime too.

This needs to be done selective, as otherwise we duplicate files again.

BTW we could try to coerce go into installing into home - that might help

https://github.com/containerbase/buildpack/blob/ac6a459922bcc1d2f23b499bad615a399d30d383/src/usr/local/buildpack/tools/golang.sh#L34-L44

[samisalamiws]

@rarkins yes, putting the go into the home directory will be very helpful, plus making sure that any new tool (package manager) installation will be done also to the home directory

@viceice How can we change a password for a user that has already been created? because currently, the buildpack is the one creating the user.
the tools that are causing the problem is all the tools that try to create folders/files in the home directory, for example:
maven - when we do mvn build install it downloads dependencies to the cache directory which is located in the ${HOME}/.m2 folder
go - the same, except that the folder is located in /go
npm - when installing global packages (note it's not happening for local packages, as they are installed to a directory in the /tmp which the current arbitrary user creates)
I don't remember all of them, but I can do some research about it

by the way, after cleaning some of the unnecessary commands, we got a docker image of size 14.5 GB instead of 20GB. so we might live with it for the next couple of weeks until we have a more profound solution.

[viceice]

Can you set UMASK=770 when running user commands on docker build? This should make all new files and folders writable by primary group.

[viceice]

@samisalamiws I've fixed a number of wrong permissions on home dir. Can you check wich folder are still wrong?

Please add observations to:

• Make all home directory files/folders writeable by group 0 #517