From d4ae22ae1635b7cd0c2121a69a9181167f83555e Mon Sep 17 00:00:00 2001
From: Rob Ballantyne
Date: Sat, 17 Feb 2024 22:52:58 +0000
Subject: [PATCH] Less aggressive permissions setting. COPY with chown flag

---
 build/COPY_ROOT/opt/ai-dock/bin/fix-permissions.sh | 14 +++++++-------
 .../opt/ai-dock/bin/build/layer1/init.sh           |  1 +
 build/Dockerfile                                   |  4 ++--
 3 files changed, 10 insertions(+), 9 deletions(-)

diff --git a/build/COPY_ROOT/opt/ai-dock/bin/fix-permissions.sh b/build/COPY_ROOT/opt/ai-dock/bin/fix-permissions.sh
index 42f0d6b..9610f58 100755
--- a/build/COPY_ROOT/opt/ai-dock/bin/fix-permissions.sh
+++ b/build/COPY_ROOT/opt/ai-dock/bin/fix-permissions.sh
@@ -18,13 +18,14 @@ function main() {
 }
 
 function fix_container() {
-    # Ensure we only affect files in this fs layer
+    # Beware: If you copied files at buildtime without setting gid 1111 the fs will bloat
+    # COPYs should ensure local permissions are suitable first
     printf "Fixing container file permissions...\n"
     chown root.ai-dock /opt
     chmod g+s /opt
-    find /opt -not -group ai-dock -exec chown root.ai-dock {} \;
     find /opt -type d ! -perm -g=s -exec chmod g+s {} \;
-    find /opt ! -perm -g=w -exec chmod g+w {} \;
+    # See above - Remember this is overlayfs
+    find /opt -not -group ai-dock -exec chown root.ai-dock {} \;
     printf "Container file permissions reset\n"
 }
 
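Review bot: The re-added `find /opt -not -group ai-dock -exec chown root.ai-dock {} \;` line dereferences symlinks: find (default `-P`) matches a link by the link's own group, but chown without `-h` changes the link's target, so a link under /opt that points outside the tree would hand its target to the ai-dock group while the link itself stays unmatched and is re-processed on every run. Use `find /opt -not -group ai-dock -exec chown -h root:ai-dock {} +` — `-h` keeps the change on the link, `root:ai-dock` is the documented separator (the `.` form is a compatibility spelling), and `+` batches paths instead of forking chown per file; the same `+` applies to the `chmod g+s` find on the line above. Whether any such symlinks exist under /opt is not visible from the hunk.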
@@ -32,16 +33,15 @@ function fix_workspace() {
     if [[ $WORKSPACE_PERMISSIONS != "false" ]]; then
         printf "Fixing workspace permissions...\n"
         chown "${WORKSPACE_UID}.${WORKSPACE_GID}" "${WORKSPACE}"
-        chmod -R g+s "${WORKSPACE}"
-        find "${WORKSPACE}" -not -user "${WORKSPACE_UID}" -exec chown "${WORKSPACE_UID}.${WORKSPACE_GID}" {} \;
+        chmod g+s "${WORKSPACE}"
         find "${WORKSPACE}" -type d ! -perm -g=s -exec chmod g+s {} \;
-        find "${WORKSPACE}" ! -perm -g=w -exec chmod g+w {} \;
+        find "${WORKSPACE}" -not -writeable -uid "${WORKSPACE_UID}" -exec chown "${WORKSPACE_UID}.${WORKSPACE_GID}" {} \;
         chmod o-rw "${WORKSPACE}/home/${USER_NAME}"
         if [[ -e ${WORKSPACE}/home/user/.ssh/authorized_keys ]]; then
             chmod 700 "${WORKSPACE}/home/${USER_NAME}/.ssh"
             chmod 600 "${WORKSPACE}/home/${USER_NAME}/.ssh/authorized_keys"
         fi
-        printf printf "Workspace file permissions reset\n"
+        printf "Workspace file permissions reset\n"
     else
         printf "Workspace permissions not changed (non-standard fs)\n"
     fi
diff --git a/build/COPY_ROOT_EXTRA/opt/ai-dock/bin/build/layer1/init.sh b/build/COPY_ROOT_EXTRA/opt/ai-dock/bin/build/layer1/init.sh
index f54d31c..737c7aa 100755
--- a/build/COPY_ROOT_EXTRA/opt/ai-dock/bin/build/layer1/init.sh
+++ b/build/COPY_ROOT_EXTRA/opt/ai-dock/bin/build/layer1/init.sh
@@ -1,3 +1,4 @@
 #!/bin/bash
 # Override this file to add extras to your build
 
+#fix-permissions -o container
\ No newline at end of file
diff --git a/build/Dockerfile b/build/Dockerfile
index dfc4b6f..4bad63c 100644
--- a/build/Dockerfile
+++ b/build/Dockerfile
@@ -55,7 +55,7 @@ ENV MAMBA_EXE="/opt/micromamba/bin/micromamba"
 ENV RCLONE_CONFIG="/etc/rclone/rclone.conf"
 ENV IMAGE_SLUG="base-image"
 # Copy early so we can use scripts in the build - Changes to these files will invalidate the cache and cause a rebuild.
-COPY ./COPY_ROOT/ /
+COPY --chown=0:1111 ./COPY_ROOT/ /
 ARG CUDA_VERSION
 ARG CUDNN_VERSION
 
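Review bot: `-writeable` on the new `find "${WORKSPACE}" -not -writeable -uid "${WORKSPACE_UID}" ...` line is not a find predicate (GNU find spells it `-writable`), so find aborts with an unknown-predicate error and no workspace file is re-owned. Even with the spelling fixed the expression parses as `( -not -writable ) -and ( -uid UID )`: it selects files already owned by WORKSPACE_UID that the invoking user cannot write, which when run as root matches essentially nothing, so files owned by someone else — the case the removed `-not -user` line handled — are never touched. If the intent is to re-own foreign files, `find "${WORKSPACE}" -not -uid "${WORKSPACE_UID}" -exec chown "${WORKSPACE_UID}:${WORKSPACE_GID}" {} +` does that without a chown fork per path. The function's opening line is outside the hunk.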
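Review bot: `COPY --chown=0:1111 ./COPY_ROOT/ /` hard-codes the ai-dock gid that fix-permissions.sh also cites in its new comment, so if the group created during the build (not visible here) ever changes, every copied file lands on a foreign gid and the runtime `find ... -exec chown` rewrites the whole layer — the bloat the commit is trying to avoid. Consider declaring it once, `ARG AI_DOCK_GID=1111`, and writing `COPY --chown=0:${AI_DOCK_GID} ./COPY_ROOT/ /` (variable expansion in `--chown` depends on the builder — confirm for your Docker version). Note that `--chown` sets ownership only; mode bits such as the setgid bit on directories still come from the script.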
@@ -69,7 +69,7 @@ RUN yes | unminimize && \
     set -eo pipefail && /opt/ai-dock/bin/build/layer0/init.sh | tee /var/log/build.log
 
 # Copy overrides and new files into a final layer for fast rebuilds. Uncomment below
-#COPY ./COPY_ROOT_EXTRA/ /
+#COPY --chown=0:1111 ./COPY_ROOT_EXTRA/ /
 #RUN set -eo pipefail && /opt/ai-dock/bin/build/layer1/init.sh | tee -a /var/log/build.log
 
 # Keep init.sh as-is and place additional logic in /opt/ai-dock/bin/preflight.sh