Replase usage of `/bin/sh` with a shell that reads `/etc/profile` #17631

martin-g · 2024-03-07T13:38:18Z

Describe the bug

I faced an issue while trying to build a bioconductor-** recipe at Bioconda: bioconda/bioconda-recipes#46177
The issue is that the Linux ARM64/aarch64 Docker images used by default by mulled-build-tool:

DEFAULT_BASE_IMAGE=quay.io/bioconda/base-glibc-busybox-bash:latest" -

galaxy/lib/galaxy/tool_util/deps/mulled/mulled_build.py

Line 61 in bc0d075

DEFAULT_BASE_IMAGE = os.environ.get("DEFAULT_BASE_IMAGE", "quay.io/bioconda/base-glibc-busybox-bash:latest")
CONDA_IMAGE=continuumio/miniconda3:latest - https://github.com/galaxyproject/galaxy/blob/bc0d075d552cc10d9c452e9e0a4595b3e079301e/lib/galaxy/tool_util/deps/mulled/mulled_build.py#L376C43-L376C72

use umask=027 by default.

Linux ARM64:

$ docker run -it --rm continuumio/miniconda3:latest bash -c umask
0027

The Linux x86_64 images use 022 as default:

docker run -it --rm continuumio/miniconda3:latest bash -c umask                                                                                                                                     
0022

Both images inherit this behavior from their respective base images (Debian/Ubuntu).

I haven't tried to find why Debian (and Ubuntu) did this. 027 is more secure, but why only the Linux ARM64 image uses it ?! No idea.

So, I tried to use custom Docker images that inherit from the default ones and set umask=022 in /etc/profile and /etc/bash.bashrc:

FROM quay.io/condaforge/mambaforge:latest

ENV ENV /etc/profile                    # for dash
ENV BASH_ENV /etc/profile        # for bash
RUN echo "umask 022" >> /etc/profile                             # non-interactive
RUN echo "umask 022" >> /etc/bash.bashrc                   # interactive

$ docker build . -f Dockerfile.mambaforge -t my-mambaforge-aarch64:latest
$ docker run -it --rm my-mambaforge-aarch64:latest bash -c umask                       # non-interactive
$ docker run -it --rm my-mambaforge-aarch64:latest bash  (+ `umask`)                  # interactive

Now docker run -it --rm my-mambaforge-aarch64:latest bash -c umask prints 0022 ! Good!

But mulled-build still fails me despite using my custom Docker images because the default invfile.lua uses /bin/sh ...:

galaxy/lib/galaxy/tool_util/deps/mulled/invfile.lua

Line 90 in bc0d075

.run('/bin/sh', '-c', preinstall
galaxy/lib/galaxy/tool_util/deps/mulled/invfile.lua

Line 106 in bc0d075

.withConfig({entrypoint = {'/bin/sh', '-c'}})
galaxy/lib/galaxy/tool_util/deps/mulled/invfile.lua

Line 121 in bc0d075

.withConfig({entrypoint = {'/bin/sh', '-c'}})
galaxy/lib/galaxy/tool_util/deps/mulled/invfile.lua

Line 127 in bc0d075

.withConfig({entrypoint = {'/bin/sh', '-c'}})

I guess it uses /bin/sh because it is the most common one and should exist on every Linux out there.

Would it be possible to make this configurable via VAR. ?

Galaxy Version and/or server at which you observed the bug

mulled-build-tool 23.2.1

To Reproduce

Execute the following on Linux ARM64 machine/VM:

conda create -n test123
conda activate test123
conda install font-ttf-ubuntu involucro
mkdir /tmp/mulled && cd /tmp/mulled
mulled-build build 'font-ttf-ubuntu=0.83' --involucro-path $(which involucro) --verbose
ls -laR

It will fail with

drwxr-x--- 2 root      root       80 Mar  6 13:39 conda-meta
drwxr-x--- 2 root      root      320 Mar  6 13:39 fonts
ls: cannot open directory './build/dist/conda-meta': Permission denied
ls: cannot open directory './build/dist/fonts': Permission denied

Expected behavior

No Permission denied errors.

Screenshots
N/A

Additional context

Please ask me if you need more details!

The text was updated successfully, but these errors were encountered:

bgruening · 2024-03-07T13:42:40Z

@martin-g thanks for the detailed report. Yes it should be possible to make the shell configureable. And yes we have chosen this shell because this is the most common one that should be everywhere.

martin-g · 2024-03-07T13:43:09Z

In addition would be a good idea to make DIRNAME configurable as the images -

galaxy/lib/galaxy/tool_util/deps/mulled/mulled_build.py

Line 60 in bc0d075

DIRNAME = os.path.dirname(__file__)

?

Something like

DIRNAME = os.environ.get("INVFILE_DIRNAME", os.path.dirname(__file__))

This way I could use a custom invfile.lua if needed.

martin-g · 2024-03-07T13:52:08Z

In the meantime if someone has an idea how to set umask for /bin/sh, I am all ears! :-)

This is needed to be able to set umask=022 for the Linux aarch64 images that use umask=027 by default. /bin/sh does not load /etc/profile nor any other rcfile. See bioconda/bioconda-recipes#46177 for full details and galaxyproject/galaxy#17631 for a summary. Signed-off-by: Martin Tzvetanov Grigorov <mgrigorov@apache.org>

… mulled-build's shell By default mulled-build uses `/bin/sh -c' - a non-interactive, non-login shell. Because of this it does not load any rcfile, like `/etc/profile`. By making the shell options configurable the user can pass `-set SHELL_OPTS="-lc"`, i.e. to make it a login shell and load the rcfile. Signed-off-by: Martin Tzvetanov Grigorov <mgrigorov@apache.org>

… if needed mulled-build.py uses invfile.lua that comes pre-packaged with galaxy-tool-util. It would be nice if the user could specify a custom invfile.lua when (s)he needs to use a modified recipe for the image creation Signed-off-by: Martin Tzvetanov Grigorov <mgrigorov@apache.org>

galaxyproject#17693 (comment) Signed-off-by: Martin Tzvetanov Grigorov <mgrigorov@apache.org>

…rname Issue #17631: Make it possible to use custom invfile.lua if needed

… mulled-build's shell By default mulled-build uses `/bin/sh -c' - a non-interactive, non-login shell. Because of this it does not load any rcfile, like `/etc/profile`. By making the shell options configurable the user can pass `-set SHELL_OPTS="-lc"`, i.e. to make it a login shell and load the rcfile. Signed-off-by: Martin Tzvetanov Grigorov <mgrigorov@apache.org>

martin-g mentioned this issue Mar 11, 2024

Build Bioconductor-BiocGenerics for linux-aarch64 bioconda/bioconda-recipes#46177

Closed

martin-g mentioned this issue Mar 11, 2024

Replace /bin/sh with a wrapper to /bin/bash bioconda/bioconda-containers#77

Closed

martin-g mentioned this issue Mar 13, 2024

Issue #17631: Make it possible to pass custom options to mulled-build's shell #17692

Closed

1 task

martin-g added a commit to martin-g/galaxy that referenced this issue Mar 13, 2024

Issue galaxyproject#17631: Apply suggestion by @mvdbeek

f2fc73a

galaxyproject#17693 (comment) Signed-off-by: Martin Tzvetanov Grigorov <mgrigorov@apache.org>

mvdbeek added a commit that referenced this issue Mar 13, 2024

Merge pull request #17693 from martin-g/17631-configurable-invfile-di…

9a4a5bc

…rname Issue #17631: Make it possible to use custom invfile.lua if needed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Replase usage of `/bin/sh` with a shell that reads `/etc/profile` #17631

Replase usage of `/bin/sh` with a shell that reads `/etc/profile` #17631

martin-g commented Mar 7, 2024

bgruening commented Mar 7, 2024

martin-g commented Mar 7, 2024

martin-g commented Mar 7, 2024

Replase usage of /bin/sh with a shell that reads /etc/profile #17631

Replase usage of /bin/sh with a shell that reads /etc/profile #17631

Comments

martin-g commented Mar 7, 2024

bgruening commented Mar 7, 2024

martin-g commented Mar 7, 2024

martin-g commented Mar 7, 2024

Replase usage of `/bin/sh` with a shell that reads `/etc/profile` #17631

Replase usage of `/bin/sh` with a shell that reads `/etc/profile` #17631