executor image for ocm toi must run as root #359

Closed
dee0 opened this issue Jan 4, 2025 · 9 comments
Labels
area/ipcei Important Project of Common European Interest kind/bugfix Bug

Comments

@dee0

dee0 commented Jan 4, 2025

What happened:

I found that with the USER statement in the Dockerfile below my executor could not run.

FROM docker.io/bitnami/kubectl:1.31.4

# Create the toi input/output directories and hand them to the non-root user
USER root
RUN mkdir -p /toi/outputs; mkdir -p /toi/inputs; chown -R 1001:1001 /toi

# Drop to the non-root user for the actual executor run
USER 1001
COPY ./scripts/entrypoint.sh /toi/run

ENTRYPOINT [ "/bin/bash", "/toi/run" ]

Running a command like

ocm toi bootstrap package -c ../ocm/credentials.yaml actionOne 'directory::../ocm/component-archive//example.com/ocm/toi/helloworld:1.0.0'

will fail with an error like

{"msg":"exec container process `/bin/bash`: Permission denied","level":"error","time":"2024-12-30T02:46:03.822858Z"}

The problem is that when ocm copies the inputs into the container it messes up the permissions on root. The screenshot below shows the change. On the left are the permissions after ocm copied the input into place and on the right are the default permissions. You can see that afterwards the permissions on root only let the owner work with it.

[screenshot]

What you expected to happen:

I should be able to have the container run as non-root.
Copying of inputs into the container should only modify the contents of under /toi/inputs.
The contents of /toi/inputs must be readable by whatever user the container is running as.

How to reproduce it (as minimally and precisely as possible):

See above command and dockerfile.

Anything else we need to know:

Nope

Environment:

ocm 0.19.0

@dee0 dee0 added the kind/bugfix Bug label Jan 4, 2025
@github-actions github-actions bot added the area/ipcei Important Project of Common European Interest label Jan 4, 2025
dee0 pushed a commit to dee0/ocm-toi-helloworld that referenced this issue Jan 4, 2025
@Skarlso
Contributor

Skarlso commented Jan 6, 2025

As a sidenote, I would stop using FROM docker.io/bitnami/kubectl:1.31.4 because of bitnami/containers#75671.

@Skarlso
Contributor

Skarlso commented Jan 6, 2025

Hey Dan. Can you try with this PR please? open-component-model/ocm#1224

@Skarlso
Contributor

Skarlso commented Jan 6, 2025

I actually ran your project Dan and I didn't get your error. My output:

ocm toi bootstrap package -c ./userInput/credentials.yaml -p ./userInput/parametersFromCLI.yaml actionOne 'directory::./ocm/component-archive//example.com/ocm/toi/helloworld:1.0.0'
...
using executor image ghcr.io/skarlso/toi:v0.1.1[["name"="toi-executor-one"]] with credentials [myPackageOCI->myExecutorOCI]
start
+ echo start
+ cp -r /toi/inputs/. /toi/outputs/inputs
+ cp /proc/1/cmdline /toi/outputs
+ cp /proc/1/environ /toi/outputs
+ echo end
+ exit 0
+ printError
+ ec=0
+ : Exiting with exit code 0
+ exit 0
end
Provided outputs:
outputs:
  cmdline:
    binary: L2Jpbi9iYXNoAC90b2kvcnVuAGFjdGlvbk9uZQBleGFtcGxlLmNvbS9vY20vdG9pL2hlbGxvd29ybGQ6MS4wLjAA
  config:
    toiExecutorConfig:
      data: toiExecutorConfigData
      fromToiPackageExecutorConfig:
        data: toiPackageExecutorConfigData
        fromLibraryOne:
          data: toiExecutorTemplateLibraryOneData
          fromLibraryTwo:
            data: toiExecutorTemplateLibraryTwoData
        fromLibraryTwo:
          data: toiExecutorTemplateLibraryTwoData
  environ:
    binary: UEFUSD0vb3B0L2JpdG5hbWkvY29tbW9uL2Jpbjovb3B0L2JpdG5hbWkva3ViZWN0bC9iaW46L3Vzci9sb2NhbC9zYmluOi91c3IvbG9jYWwvYmluOi91c3Ivc2JpbjovdXNyL2Jpbjovc2JpbjovYmluAEhPU1ROQU1FPWI0YzYyMDhhNGJjMwBIT01FPS8AT1NfQVJDSD1hbWQ2NABPU19GTEFWT1VSPWRlYmlhbi0xMgBPU19OQU1FPWxpbnV4AEFQUF9WRVJTSU9OPTEuMzEuNABCSVROQU1JX0FQUF9OQU1FPWt1YmVjdGwA
  ocmconfig:
    configurations:
    - credentials:
      - credentials:
          password: somehardcoded-password
          username: somehardcoded-username
        credentialsName: myExecutorOCI
      repoName: default
      type: memory.credentials.config.ocm.software
    - consumers:
      - credentials:
        - credentialsName: myExecutorOCI
          repoName: default
          type: Memory
        identity:
          type: OCIRegistry
      type: credentials.config.ocm.software
    - contextType: default
      settings:
        defaultLevel: Warn
      type: logging.config.ocm.software
    type: generic.config.ocm.software
  ocmrepo:
  parameters:
    toiPackageExecutorParameterMapping:
      data: toiPackageExecutorParameterMapData
      fromCredentials:
        name: somehardcoded-username
        password: somehardcoded-password
      fromToiPackageConfigTemplate:
        data: toiPackageConfigTemplateData
        fromLibraryOne:
          data: toiPackageTemplateLibraryOneData
          fromLibrary2:
            data: toiPackageTemplateLibraryTwoData
        fromLibraryTwo:
          data: toiPackageTemplateLibraryTwoData
        fromParamsFromCLI:
          data: paramsFromCLIData
          fromLibraryOne:
            data: toiPackageTemplateLibraryOneData
            fromLibrary2:
              data: toiPackageTemplateLibraryTwoData
          fromLibraryTwo:
            data: toiPackageTemplateLibraryTwoData

@dee0
Author

dee0 commented Jan 6, 2025

Hey @Skarlso

Thanks for the quick response! :)

I pulled down your change to apply CopyUIDGID and I got an error similar to what you mentioned here (Btw, locally I am using podman --remote rather than the docker daemon, hence the slight diff).

Locally, I tried backing out our change and putting in the one below and that seemed to fix the problem. Basically in the loop I just make sure we don't try making a dir entry for either '/' or '.'. This should be safe since we shouldn't have any need to alter the permissions of any containers that already exist in the container and those two at least should be pre-existing.

[screenshot of the change]
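The mechanism behind the two comments above (the copy rewriting the permissions of "/", and the fix of not emitting a directory entry for "/" or "."), as an added Go example that is not ocm's own code: it builds the tar stream a CopyToContainer-style copy consumes, once with and once without a root entry, and lists the headers that would be applied inside the container. The names buildInputArchive, entryNames and sampleInputs, the uid/gid 1001 and the 0700 mode are assumptions made for the example; the real loop lives in the PR linked in this thread.

```go
package main

import (
	"archive/tar"
	"bytes"
	"fmt"
	"path"
	"strings"
)

// Constructed sample input: one file staged the way ocm stages inputs under /toi/inputs.
var sampleInputs = map[string][]byte{"/toi/inputs/values.yaml": []byte("key: value\n")}
// buildInputArchive builds the tar stream handed to a CopyToContainer-style API: a 0700 directory header
// (executor uid/gid) per ancestor of each file, then the file. skipRoot=false also emits one for "/" itself.
func buildInputArchive(inputs map[string][]byte, uid, gid int, skipRoot bool) []byte {
	var buf bytes.Buffer
	tw := tar.NewWriter(&buf)
	put := func(name string, flag byte, mode int64, body []byte) {
		h := &tar.Header{Name: name, Typeflag: flag, Mode: mode, Uid: uid, Gid: gid, Size: int64(len(body))}
		if err := tw.WriteHeader(h); err != nil {
			panic(err) // only a malformed header can fail when writing to memory
		}
		tw.Write(body)
	}
	for p, content := range inputs {
		abs, d := path.Clean("/"+p), ""
		for _, part := range strings.Split(strings.TrimSuffix(path.Dir(abs), "/"), "/") { // top-down; "" is "/"
			if d = path.Join(d, part); part != "" || !skipRoot { // the root header is what clobbers "/"
				put(d+"/", tar.TypeDir, 0700, nil)
			}
		}
		put(strings.TrimPrefix(abs, "/"), tar.TypeReg, 0600, content)
	}
	tw.Close()
	return buf.Bytes()
}

// entryNames lists the cleaned entry names; a "/" (or ".") among them is a root directory entry.
func entryNames(archive []byte) []string {
	var names []string
	tr := tar.NewReader(bytes.NewReader(archive))
	for h, err := tr.Next(); err == nil; h, err = tr.Next() { // stops at EOF or on a bad archive
		names = append(names, path.Clean(h.Name))
	}
	return names
}

func main() {
	fmt.Println("buggy:", entryNames(buildInputArchive(sampleInputs, 1001, 1001, false)), "fixed:", entryNames(buildInputArchive(sampleInputs, 1001, 1001, true)))
}
```

With skipRoot=false the first header is "/" with mode 0700 owned by 1001, which is exactly the drwx------ root directory a non-root user can no longer traverse to reach /bin/bash; with skipRoot=true only /toi and below are touched.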

@Skarlso
Contributor

Skarlso commented Jan 7, 2025

Yah I was looking at that too. And did that fix your permission issue?

Just to be clear, I tried with latest OCM and NOT my PR because my pr was broken. :D And latest OCM worked with the output above.

Did I run the correct command?

Also, what is your ghcr.io/dee0/ocm/toi/helloworld:1.0.1?

For me, I just built the Dockerfile that you had there and pushed that and used it as is. Was that correct?

Skarlso added a commit to open-component-model/ocm that referenced this issue Jan 7, 2025
#### What this PR does / why we need it

#### Which issue(s) this PR fixes

Related to
open-component-model/ocm-project#359

Signed-off-by: Gergely Brautigam <182850+Skarlso@users.noreply.github.com>
@dee0sap

dee0sap commented Jan 7, 2025

Hey @Skarlso

So with your PR I ran into the issue you mentioned here

What I did after initially hitting that problem was:

  1. Backed out your change
  2. Reverted to my working docker image to make sure things could work
  3. Went back to my 'bad' image and tried reproducing the problem. I found that it failed differently. Instead of the permission denied error from before, the error was from the docker client library and was about a failure to upgrade the http connection to the daemon. Also my output didn't show up on my local filesystem. Checking the container contents I could see the problem with the root directory was still there.
  4. Put the change in my screenshot into place
  5. Re-tested with my 'bad' image, this time it worked

And of course in the meantime you put those changes in place. :)

Thanks!

@Skarlso
Contributor

Skarlso commented Jan 7, 2025

So... It works now? 🤔

@dee0sap

dee0sap commented Jan 7, 2025

Yep!

@Skarlso
Contributor

Skarlso commented Jan 7, 2025

Nice yay 🎉👍🤩🍻

@Skarlso Skarlso closed this as completed Jan 8, 2025
@github-project-automation github-project-automation bot moved this from 🏗 In Progress to 🍺 Done in OCM Backlog Board Jan 8, 2025
@ocmbot ocmbot bot moved this from 🍺 Done to 🔒Closed in OCM Backlog Board Jan 17, 2025