Needed to update the default orbit db binary blob to reflect
the new perms. So that it is clear I am not pulling a Jia Tan,
you can use these commands to verify that the only difference
is the owner/timestamp metadata within the tar and that the
db file is unchanged:
$ git show HEAD^:test.sh | sed -n '80,116p' | xxd -r | tar -ztv
-rw-r--r-- 0/0 36864 2024-04-01 17:03 orbit.db
$ git show HEAD:test.sh | sed -n '80,116p' | xxd -r | tar -ztv
-rw-r--r-- 100/100 36864 2024-04-03 13:11 orbit.db
$ diff -s <(git show HEAD^:test.sh | sed -n '80,116p' | xxd -r | tar -zxO orbit.db) \
<(git show HEAD:test.sh | sed -n '80,116p' | xxd -r | tar -zxO orbit.db)
Files /dev/fd/63 and /dev/fd/62 are identical
It was unfortunately necessary to change the copy command in smtp/Containerfile to copy the whole mnt directory instead of the subdirectory because of a bug in podman where the actual directory that is copied does not preserve its user/group information and is always reset to root:root. The contents keep their permission changes however, so it is fine to just copy all of /mnt (which should be owned by root:root in the final image anyways) so that the email_data folder and its contents are all preserved. There is nothing in /mnt besides email_data so this really has no impact on security or the final image size etc.
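The blob check from the description above, generalized to every member of an archive, as an added example that is not part of the pull request or the project's code: it compares two gzip-compressed tar blobs and reports content changes separately from owner, mode and timestamp changes. `make_blob`, the sample bytes and the timestamps are constructed stand-ins for the blob that the commands above extract from test.sh.

```python
import hashlib
import io
import tarfile

META_FIELDS = ("mode", "uid", "gid", "uname", "gname", "mtime")

def describe(blob):
    """Map member name -> (content digest or link target, metadata, type)."""
    out = {}
    with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
        for m in tar:
            if m.isreg():
                body = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
            else:
                body = m.linkname  # link target counts as content, not metadata
            out[m.name] = (body, {k: getattr(m, k) for k in META_FIELDS}, m.type)
    return out

def compare(old_blob, new_blob):
    """Return (content_changes, metadata_changes) between two archives."""
    old, new = describe(old_blob), describe(new_blob)
    content, meta = [], []
    for name in sorted(old.keys() | new.keys()):
        if name not in old or name not in new:
            content.append((name, "added" if name in new else "removed"))
            continue
        (ob, om, ot), (nb, nm, nt) = old[name], new[name]
        if ob != nb or ot != nt:
            content.append((name, "changed"))
        meta += [(name, k, om[k], nm[k]) for k in META_FIELDS if om[k] != nm[k]]
    return content, meta

def make_blob(data, uid, gid, mtime, name="orbit.db"):
    """Constructed sample input: a one-file .tar.gz, not the repository's blob."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo(name)
        info.size, info.mode = len(data), 0o644
        info.uid, info.gid, info.mtime = uid, gid, mtime
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()

if __name__ == "__main__":
    old = make_blob(b"constructed database bytes", 0, 0, 1700000000)
    new = make_blob(b"constructed database bytes", 100, 100, 1700100000)
    print(compare(old, new))  # empty content list, three metadata rows
```

An empty first list with only uid, gid and mtime rows in the second corresponds to the outcome the commit message describes; any entry in the first list means the payload itself differs.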
theyoyojo
requested changes
Apr 3, 2024
theyoyojo
left a comment
Contributor
Tests fail as follows:
...
Traceback (most recent call last):
  File "/orbit/hyperspace.py", line 203, in <module>
    hyperspace_main(sys.argv[1:])
  File "/orbit/hyperspace.py", line 197, in hyperspace_main
    args.do(args)
  File "/orbit/hyperspace.py", line 121, in do_newuser
    db.usr_ins((args.username, do_bcrypt_hash(args, get=True),
  File "/orbit/db.py", line 98, in usr_ins
    def usr_ins(usr): return _set(USR_INS, usr)
                             ^^^^^^^^^^^^^^^^^^
  File "/orbit/db.py", line 31, in _set
    def _set(cmd, reps=()): return _do(cmd, reps, set_=True, get_=True)
                                   ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/orbit/db.py", line 17, in _do
    ret = new.execute(cmd, reps)
          ^^^^^^^^^^^^^^^^^^^^^^
sqlite3.OperationalError: attempt to write a readonly database
...
Something funky going on with the blob?
Contributor
Author
perhaps you need to purge your volumes? The tests pass for me
theyoyojo
approved these changes
Apr 4, 2024
Contributor
after purging volumes, tests now pass
It's official, we have gone fully rootless. (technically the master process of nginx spawns as root and only the workers drop their privs and run as nginx:nginx, but it is good to keep it this way because the alternative makes the bind mount for socks more tricky)