Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support controlling the user, group, and permissions of the application files #399

Open
tmds opened this issue Mar 27, 2023 · 7 comments
Open

Support controlling the user, group, and permissions of the application files #399

tmds opened this issue Mar 27, 2023 · 7 comments
Labels
Area: Library Tasks and stories around the image and layer manipulation library Area: Task
Milestone
Discussion

Comments

@tmds
Copy link
Member

tmds commented Mar 27, 2023

The current implementation unconditionally uses -rwxr-xr-x. and root:root for the application files.

It would be nice to be able to:

  • control the umask (permission filter)
  • control the user/group of these files (and their containing directory).

The umask could be made settable through a property, like ContainerAppUMask.
When set, the effective permissions of a file/directory are the result of using the file's owner permission for owner, group and other, and applying ContainerAppUMask to it. That means, the effective permissions are as if the application was published under umask $(ContainerAppUMask).

Controlling the user/group of these files would allow to match their ownership with the app user, and thus allowing that user to change the files on a running container. It could be done through properties like: ContainerAppOwner, ContainerGroup which are set to a uid/gid. Or some property like: ContainerAppOwnedByUser=true which makes the ownership match with the app user and group.

cc @baronfel @richlander @omajid @aslicerh
@baronfel
Copy link
Member

baronfel commented Mar 27, 2023
edited
Loading

We do need to do this, but I think it'll require a bit of a rework of the current model.

Images are made of many Layers, and right now the tooling creates a single Layer with all app dependencies and the same permissions (root) inside the CreateNewImage Task. These knobs should be settable in MSBuild, I agree. Other tooling (like Jib) allows for defining the Layers as data structures (including user/group and permissions) and that's the model I think we should follow here. We should be able to do something like:

<ContainerLayer Include="$(PublishDir)/**/*" 
				Destination="/app" 
				User="$(ContainerAppUserId)" 
				Group="$(ContainerAppGroupId)" 
				Permissions="644" />

and have the tooling generate those tarballs with the correct permissions in-order.

@baronfel baronfel added Area: Task Area: Library Tasks and stories around the image and layer manipulation library labels Mar 27, 2023
@tmds
Copy link
Member Author

tmds commented Mar 30, 2023

<ContainerLayer...

That is very flexible, it allows including different files with different permissions in the layer.

I'm looking to control the 'default values' for User, Group, and Permissions.

We should be able to implement those separate from introducing ContainerLayer (which requires a more complex implementation).

Permissions="644"

note: Unix permissions for directories require the 'x' bit. If you want to avoid a separate permission parameter for directories, we can take this value and use it for files. For directories, we can add an 'x' for each 'r' permission. So 644 for files (rw-r--r--), implies 755 for directories (rwxr-xr-x).

@richlander
Copy link
Member

Is this the same as:

image

https://docs.docker.com/engine/reference/builder/#copy

@baronfel
Copy link
Member

Yes, exactly - it allows fine grained control of the permissions of copied files.

@tmds
Copy link
Member Author

tmds commented Apr 3, 2023

My request is less fine-grained than the suggested ContainerLayer which enables using different permissions for different files.

I'm looking to control the values which are currently fixed to Gid = Uid = 0 and Mode = -rwxr-xr-x. on construction here:

sdk-container-builds/Microsoft.NET.Build.Containers/Layer.cs

Lines 77 to 82 in 6da3967

var entry = new PaxTarEntry(entryType, containerPath, extendedAttributes)
{
Mode = UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.UserExecute |
UnixFileMode.GroupRead | UnixFileMode.GroupExecute |
UnixFileMode.OtherRead | UnixFileMode.OtherExecute
};

Can we add parameters to control these?

@baronfel baronfel added this to the 7.0.400 milestone Apr 5, 2023
@baronfel baronfel mentioned this issue May 15, 2023
Closed
@tmds tmds mentioned this issue May 17, 2023
Merged
@tmds
Copy link
Member Author

tmds commented May 24, 2023

When the tooling is used with Microsoft images, the non-root user does not have write-access to the application folder since that application folder is owned by root and only writable by the owner.

That means it's OK for the non-root user of the Red Hat images to also to not have write access to the application folder.

I no longer consider this a must-have to support the Red Hat images.

I'm fine if the issue gets closed, or stays open for others to declare an interest in controlling the application folder permissions.

@baronfel baronfel modified the milestones: 7.0.400, Discussion Nov 13, 2023
@Devqon
Copy link

Devqon commented Nov 29, 2023
edited
Loading

We also need some fine-grained control over directory permissions from the app user. Our use-case is that the application unpacks a file in the app's root directory at runtime, which is done inside a library (no control over the unpacking and its destination).

Of course you might consider that this should not be the way to do so, but the point is that we have no control over it. The current workaround is to manually attach to the container after redeploy and reconfigure the app directory ownership with chown

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Area: Library Tasks and stories around the image and layer manipulation library Area: Task
Projects
None yet
Milestone
Discussion
Development

No branches or pull requests
4 participants
@baronfel @tmds @richlander @Devqon