Gaia's container has permissions issues with itself #843

Closed
4 tasks
faddat opened this issue Apr 30, 2021 · 6 comments · Fixed by #844
Comments

@faddat
Contributor

faddat commented Apr 30, 2021

Summary of Bug

docker run -it -p 46657:46657 -p 46656:46656 -v ~/.gaia:/gaia/.gaia tendermint/gaia gaiad init notional
panic: could not create directory "/gaia/.gaia/config": mkdir /gaia/.gaia/config: permission denied

goroutine 1 [running]:
github.com/tendermint/tendermint/config.EnsureRoot(0xc00103bfe0, 0xb)
	github.com/tendermint/tendermint@v0.34.10/config/toml.go:38 +0x2c5
github.com/cosmos/cosmos-sdk/server.interceptConfigs(0xc001156360, 0xc00115c1c0, 0x4, 0xc000f5f620)
	github.com/cosmos/cosmos-sdk@v0.42.4/server/util.go:193 +0x936
github.com/cosmos/cosmos-sdk/server.InterceptConfigsPreRunHandler(0xc000edd900, 0x0, 0x0)
	github.com/cosmos/cosmos-sdk@v0.42.4/server/util.go:126 +0x325
github.com/cosmos/gaia/v4/cmd/gaiad/cmd.NewRootCmd.func1(0xc000edd900, 0xc001140920, 0x1, 0x1, 0x0, 0x0)
	github.com/cosmos/gaia/v4/cmd/gaiad/cmd/root.go:58 +0xd4
github.com/tendermint/tendermint/libs/cli.concatCobraCmdFuncs.func1(0xc000edd900, 0xc001140920, 0x1, 0x1, 0x0, 0x0)
	github.com/tendermint/tendermint@v0.34.10/libs/cli/setup.go:118 +0x7c
github.com/spf13/cobra.(*Command).execute(0xc000edd900, 0xc001140900, 0x1, 0x1, 0xc000edd900, 0xc001140900)
	github.com/spf13/cobra@v1.1.3/command.go:831 +0x582
github.com/spf13/cobra.(*Command).ExecuteC(0xc000edd680, 0x0, 0x0, 0xc00103bfe0)
	github.com/spf13/cobra@v1.1.3/command.go:960 +0x375
github.com/spf13/cobra.(*Command).Execute(...)
	github.com/spf13/cobra@v1.1.3/command.go:897
github.com/spf13/cobra.(*Command).ExecuteContext(...)
	github.com/spf13/cobra@v1.1.3/command.go:890
github.com/cosmos/cosmos-sdk/server/cmd.Execute(0xc000edd680, 0xc00103bfe0, 0xb, 0x2009898, 0xc001053730)
	github.com/cosmos/cosmos-sdk@v0.42.4/server/cmd/execute.go:36 +0x265
main.main()
	github.com/cosmos/gaia/v4/cmd/gaiad/main.go:16 +0x45

It is complaining about permissions inside the container because the user gaia doesn't have the privilege to read there.

This can be reproduced following the steps in the Dockerfile.

Version

4.2.1

Steps to Reproduce

docker run -it -p 46657:46657 -p 46656:46656 -v ~/.gaia:/gaia/.gaia tendermint/gaia gaiad init


For Admin Use

  • Not duplicate issue
  • Appropriate labels applied
  • Appropriate contributors tagged
  • Contributor assigned/self-assigned
@shahankhatch
Contributor

Thanks for this @faddat

The docker image is not intended for use. It isn't part of any build or testing approach, so it's 'deprecated' in its current form. The documentation doesn't yet reflect this.

Though I think this would be an important feature to manage eventually, it'd be good to understand what purpose(s) this image is intended to serve. To me, an ideal use of the image would be to serve gaia's different modes and integrate it with good security practices in a modular way.

If you think we should remove the docker image for the time being, I'll accept that approach, but always open to suggestions.

@faddat
Contributor Author

faddat commented Apr 30, 2021

We should probably nuke the container if it isn't meant to be used.

Here's one that is:

FROM golang:1.16-alpine AS build-env

# Set up dependencies
ENV PACKAGES curl make git libc-dev bash gcc linux-headers eudev-dev python3 wget

# Set working directory for the build
WORKDIR /go/src/github.com/cosmos/gaia

# Add source files
COPY . .

RUN go version

# Install minimum necessary dependencies, build Cosmos SDK, remove packages
RUN apk add --no-cache $PACKAGES && \
    make install

WORKDIR /

RUN wget https://github.com/cosmos/mainnet/raw/master/genesis.cosmoshub-4.json.gz && \
        gzip -d genesis.cosmoshub-4.json.gz


# Final image
FROM alpine:edge

# Install ca-certificates
RUN apk add --update ca-certificates


# Copy over binaries from the build-env
COPY --from=build-env /go/bin/gaiad /usr/bin/gaiad


COPY --from=build-env /genesis.cosmoshub-4.json /root/.gaia/config/genesis.json.tmp


# Run gaiad by default, omit entrypoint to ease using container with gaiacli
CMD gaiad init instagaia$RANDOM && cp /root/.gaia/config/genesis.json.tmp /root/.gaia/config/genesis.json && gaiad start --p2p.seeds bf8328b66dceb4987e5cd94430af66045e59899f@public-seed.cosmos.vitwit.com:26656,cfd785a4224c7940e9a10f6c1ab24c343e923bec@164.68.107.188:26656,d72b3011ed46d783e369fdf8ae2055b99a1e5074@173.249.50.25:26656,ba3bacc714817218562f743178228f23678b2873@public-seed-node.cosmoshub.certus.one:26656,3c7cad4154967a294b3ba1cc752e40e8779640ad@84.201.128.115:26656,366ac852255c3ac8de17e11ae9ec814b8c68bddb@51.15.94.196:26656 --x-crisis-skip-assert-invariants

One-liner gaia for mac, windows and linux :)

PS: Yes, it is not highly efficient, but it saves N minutes times N engineers.

@faddat
Contributor Author

faddat commented Apr 30, 2021

btw the above is meant for contrib, not the root of the repo.

@readygo586

This is because the "gaia" group has no permission to write. You can delete the following line from the original Dockerfile.

RUN addgroup gaia && \
    adduser -S -G gaia gaia -h "$GAIA"
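
The permission failure discussed in this issue, turned into a preflight check for the host directory that gets bind-mounted into the container. This is an added example, not part of the thread or the project's Dockerfile; the uid:gid 100:101 for the container's gaia user is an assumption, and only owner/group/other mode bits are evaluated.

```shell
#!/bin/sh
# Added example (not from the thread): preflight check for a bind mount.
# Uses classic Unix mode bits only; ACLs, supplementary groups, SELinux
# labels and user-namespace remapping are out of scope.
# Needs GNU or BusyBox stat (the -c format option).

# can_write DIR UID GID: succeed if UID:GID may create entries in DIR.
can_write() {
    dir=$1; uid=$2; gid=$3
    [ -d "$dir" ] || return 2
    if [ "$uid" -eq 0 ]; then return 0; fi      # root ignores mode bits
    set -- $(stat -c '%u %g %a' "$dir")         # owner uid, owner gid, mode
    m=$(( $3 % 1000 ))                          # drop setuid/setgid/sticky
    if   [ "$uid" -eq "$1" ]; then bits=$(( m / 100 ))
    elif [ "$gid" -eq "$2" ]; then bits=$(( m / 10 % 10 ))
    else                           bits=$(( m % 10 ))
    fi
    [ $(( bits & 3 )) -eq 3 ]                   # need write (2) + search (1)
}

# mount_advice DIR UID GID: one-line verdict for mounting DIR into a
# container whose process runs as UID:GID.
mount_advice() {
    if can_write "$1" "$2" "$3"; then
        echo "ok: $2:$3 can write to $1"
    else
        owner=$(stat -c '%u:%g' "$1" 2>/dev/null || echo missing)
        echo "denied: $1 is owned by $owner; chown it to $2:$3 or run the container with --user $owner"
    fi
}

# Demo on a constructed directory; 100:101 is an assumed container
# uid:gid for the gaia user (check with `id` inside the real image).
demo=$(mktemp -d) && chmod 755 "$demo"
mount_advice "$demo" 100 101
rm -rf "$demo"
```

Either remedy keeps the container process unprivileged, which removing the gaia user from the image would not.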

@colin-axner
Contributor

colin-axner commented May 12, 2021

Though I think this would be an important feature to manage eventually, it'd be good to understand what purpose(s) this image is intended to serve.

Multi-network testnet environments. The golang relayer's integration tests rely on the existence of a gaia image and there is active development on hermes using docker images to spin up a mesh network, see related pr

I imagine some validators may use docker for their setup (if they are validating multiple chains on the same machine), but this is a less convincing argument for me

@faddat
Contributor Author

faddat commented May 19, 2021

I just updated the image and I'll PR it into contrib/

Additionally, it can appear front and center on readme.md as an instant way to set up a gaia node to have one to develop against locally.
