Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(core): Bundling in selinux-enabled OSes #9445

Closed
wants to merge 1 commit into from
Closed

fix(core): Bundling in selinux-enabled OSes #9445

wants to merge 1 commit into from

Conversation

corollari
Copy link

@corollari corollari commented Aug 5, 2020
edited
Loading

TLDR: In some linux distributions such as Fedora, the docker container that is used for bundling assets runs into fatal problems due to the selinux configuration

Reproduction steps

  1. Install a fresh copy of Fedora 32 (latest stable)
  2. Create a CDK stack that uses @aws-cdk/aws-lambda bundling system (see below for some example code)
  3. Run cdk synth
  4. Bundling fails

Example code:

import * as lambdaNodejs from '@aws-cdk/aws-lambda-nodejs'
new lambdaNodejs.NodejsFunction(this, "handler", {
    entry: "src/lambda/function.ts",
    handler: "default",
});

Problem

Running cdk synth produces the following error:

[Error: EACCES: permission denied, stat '/asset-input/package-lock.json'] {
  errno: -13,
  code: 'EACCES',
  syscall: 'stat',
  path: '/asset-input/package-lock.json'
}

So this seems to be a permissions problem, but when you check the permissions of the folders mounted on the root of the docker container, you get:

drwxrwxr-x.   9    1000  1000   4096 Aug  4 11:59 asset-input
drwxrwxrwx.   2    1000  1000   4096 Aug  4 12:56 asset-output
-rw-r--r--.   1 root    root  322785 Jul  1 16:16 ATTRIBUTION.txt
lrwxrwxrwx.   1 root    root       7 Jun  9 12:56 bin -> usr/bin
dr-xr-xr-x.   1 root    root    4096 Apr  9  2019 boot
drwxr-xr-x.   5 root    root     340 Aug  4 12:56 dev
drwxr-xr-x.   1 root    root    4096 Aug  4 12:56 etc
drwxr-xr-x.   1 root    root    4096 Apr  9  2019 home
lrwxrwxrwx.   1 root    root       7 Jun  9 12:56 lib -> usr/lib
lrwxrwxrwx.   1 root    root       9 Jun  9 12:56 lib64 -> usr/lib64
drwxr-xr-x.   1 root    root    4096 Apr  9  2019 media
drwxr-xr-x.   1 root    root    4096 Apr  9  2019 mnt
drwxr-xr-x. 564 root    root   20480 Aug  4 10:52 node_modules
drwxr-xr-x.   1 root    root    4096 Apr  9  2019 opt
-rw-r--r--.   1 root    root  321667 Aug  4 10:52 package-lock.json
dr-xr-xr-x. 412 root    root       0 Aug  4 12:56 proc
dr-xr-x---.   1 root    root    4096 Aug  4 10:50 root
drwxr-xr-x.   1 root    root    4096 Jul 20 17:27 run
lrwxrwxrwx.   1 root    root       8 Jun  9 12:56 sbin -> usr/sbin
drwxr-xr-x.   1 root    root    4096 Apr  9  2019 srv
dr-xr-xr-x.  13 root    root       0 Aug  4 03:02 sys
-rw-r--r--.   1 1230228 users 297680 Jun 22 09:46 THIRD-PARTY-LICENSES.txt
drwxrwxrwt.   1 root    root    4096 Aug  4 10:52 tmp
drwxr-xr-x.   1 root    root    4096 Jun  9 12:56 usr
drwxr-xr-x.   1 root    root    4096 Jul 20 17:30 var

Given that the code executed inside docker is being run under userdid 1000, this is quite puzzling, as there shouldn't be any permissions problem with a user that is accessing a directory owned by himself. Furthermore all attempts to change the permissions of the asset-input directory or modify anything about it just fail.

Luckily, after some digging I found the real root of the problem, which is the selinux configuration interfering with the volume mounted inside the docker container.

Solution

The volume just needs to be mounted with the z flag, which modifies the selinux labels of the directory.

Note that I haven't tested this solution with other OSes such as windows.

... and here goes a 10-hour debugging session that resulted in a 2-character change 😆

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license

@aws-cdk-automation
Copy link
Collaborator

AWS CodeBuild CI Report

  • CodeBuild project: AutoBuildProject6AEA49D1-qxepHUsryhcu
  • Commit ID: 50ea94e
  • Result: SUCCEEDED
  • Build Logs (available for 30 days)

Powered by github-codebuild-logs, available on the AWS Serverless Application Repository

@jogold
Copy link
Contributor

jogold commented Aug 8, 2020
edited
Loading

Hi @corollari

From the Docker doc

Use extreme caution with these options.

What are the risks here (in the context of a CDK app)? And do we need the z flag for all volumes? Can it be applied only to /asset-input?

@corollari
Copy link
Author

What are the risks here (in the context of a CDK app)?

According to this source (not official, but I managed to find a few other discussions where people other say the same) this change should only affect systems where SELinux is enforced (systems where it's currently broken) and as long as we stick to only mounting selected directories (like what we are doing right now) there shouldn't be any problems.

I also went ahead and asked this question directly on the r/fedora subreddit in order to get the opinions of people more knowledgeable than me on the topic, feel free to skim through the responses there.

Can it be applied only to /asset-input?

If we don't mount /asset-output with that flag too then it won't be accessible nor writable.

@jogold
Copy link
Contributor

jogold commented Aug 10, 2020

@eladb opinion on this?

eladb
eladb reviewed Aug 17, 2020
View reviewed changes
packages/@aws-cdk/core/lib/bundling.ts
@@ -112,7 +112,7 @@ export class BundlingDockerImage {
...options.user
? ['-u', options.user]
: [],
...flatten(volumes.map(v => ['-v', `${v.hostPath}:${v.containerPath}:${v.consistency ?? DockerVolumeConsistency.DELEGATED}`])),
...flatten(volumes.map(v => ['-v', `${v.hostPath}:${v.containerPath}:z,${v.consistency ?? DockerVolumeConsistency.DELEGATED}`])),
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we only add this if the OS is selinux?

eladb
eladb suggested changes Aug 17, 2020
View reviewed changes
Copy link
Contributor

@eladb eladb left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

see comment

@eladb
Copy link
Contributor

eladb commented Sep 7, 2020

Closing for now. Please reopen when ready to follow up

@eladb eladb closed this Sep 7, 2020
@maafk maafk mentioned this pull request Jul 24, 2021
Merged
mergify bot pushed a commit that referenced this pull request Sep 2, 2021
@maafk
fix(core): allow asset bundling when selinux is enabled (#15742)
dbfebb4 
----

Revisiting [#9445](#9445) but looking to see if running on linux with selinux enabled.

This PR aims to allow for asset bundling on linux os with selinux enabled

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
TikiTDO pushed a commit to TikiTDO/aws-cdk that referenced this pull request Sep 6, 2021
@maafk @TikiTDO
fix(core): allow asset bundling when selinux is enabled (aws#15742)
a8b8bf1 
----

Revisiting [aws#9445](aws#9445) but looking to see if running on linux with selinux enabled.

This PR aims to allow for asset bundling on linux os with selinux enabled

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
david-doyle-as24 pushed a commit to david-doyle-as24/aws-cdk that referenced this pull request Sep 7, 2021
@maafk @david-doyle-as24
fix(core): allow asset bundling when selinux is enabled (aws#15742)
169d492 
----

Revisiting [aws#9445](aws#9445) but looking to see if running on linux with selinux enabled.

This PR aims to allow for asset bundling on linux os with selinux enabled

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@eladb eladb eladb requested changes

Assignees

@eladb eladb

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@corollari @aws-cdk-automation @jogold @eladb