[Tools-discuss] Docker image pulls in home directory
Eric Rescorla
2018-07-26 12:54:08 UTC
Hi folks,

I see that the docker/run script pulls in one's home directory as the
image's home directory. e.g.,

docker run -ti -p $PORT:8000 -v "$HOME:/home/$WHO" \
    -e USER="$WHO" -e DATADIR="${parent#$HOME/}/data" -e CWD="${PWD#$HOME/}" \
    -e TAG="$TAG" -e FILEDIR=${FILEDIR#$HOME} -e UID="$WHOUID" -e GID="$WHOGID" \
    "$REPO:$TAG" "$@"

I noticed this because my .bashrc contains mac-only commands which don't
execute properly.

In general, I'd prefer only to pull in a very limited set of files
(essentially the datatracker source itself), because I don't want
datatracker to have access to my home directory [0] but I don't see an
argument to suppress this behavior. Would people object to a patch that
mapped in just the source into some subdirectory (potentially as an option)?

Thanks,
-Ekr

[0] I recognize that docker doesn't provide complete isolation, but this is
about incompetence (mine), not malice.
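As an added example (not the datatracker project's docker/run script, and not code from anyone in this thread), here is a small POSIX sh sketch of the two sides of the trade-off raised above: a pre-flight check that lists what a whole-$HOME bind mount would hand to the container, next to the volume argument for mounting only the checkout. The /home/$WHO/datatracker mount point, the SRC parameter and the list of sensitive paths are assumptions of this example; whether host dotfiles such as .bashrc get sourced inside the container depends on the image's own shell setup, which the example does not model.

```shell
#!/bin/sh
# Added example for the discussion above. Not the datatracker docker/run script.
# Shows (1) a pre-flight check listing which sensitive host paths a
# "-v $HOME:/home/$WHO" mount would expose inside the container, and
# (2) the volume argument when only the checkout is mounted instead.
# The mount point /home/WHO/datatracker, the SRC parameter and the list of
# sensitive paths below are assumptions, not something the project defines.

# Print the sensitive paths under HOME that a full-home bind mount would make
# readable and writable inside the container. usage: exposed_paths HOME
exposed_paths() {
    home=$1
    for p in .ssh .gnupg .aws .netrc .docker/config.json .bashrc .bash_profile; do
        if [ -e "$home/$p" ]; then
            echo "$home/$p"
        fi
    done
}

# Number of paths exposed_paths would report, as a plain integer.
exposed_count() {
    exposed_paths "$1" | wc -l | tr -d ' '
}

# Build the -v argument for docker run.
#   home   : the current default; the whole host home becomes the container home
#   source : only the checkout SRC is mounted, at /home/WHO/datatracker (assumed
#            path); the container keeps the image's own home directory, so host
#            dotfiles are not bind-mounted in at all
# usage: volume_args MODE HOME WHO SRC
volume_args() {
    mode=$1
    home=$2
    who=$3
    src=$4
    case "$mode" in
        home)   printf '%s %s:/home/%s\n' -v "$home" "$who" ;;
        source) printf '%s %s:/home/%s/datatracker\n' -v "$src" "$who" ;;
        *)      echo "volume_args: unknown mode '$mode'" >&2; return 1 ;;
    esac
}

# Demonstration on a constructed throwaway home directory, not a real user's.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/.ssh" "$tmp/datatracker"
    : > "$tmp/.netrc"
    : > "$tmp/.bashrc"
    echo "a full-home mount would expose:"
    exposed_paths "$tmp"
    echo "default args: $(volume_args home "$tmp" ekr "$tmp/datatracker")"
    echo "source-only:  $(volume_args source "$tmp" ekr "$tmp/datatracker")"
    rm -rf "$tmp"
}

demo
```

Run it as-is to see the demo on a temporary directory, or point exposed_paths at your real $HOME to see what the default invocation currently shares with the container before deciding whether the source-only option is worth carrying.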
Henrik Levkowetz
2018-07-26 13:19:28 UTC
Post by Eric Rescorla
Hi folks,
I see that the docker/run script pulls in one's home directory as the
image's home directory. e.g.,
docker run -ti -p $PORT:8000 -v "$HOME:/home/$WHO" \
    -e USER="$WHO" -e DATADIR="${parent#$HOME/}/data" -e CWD="${PWD#$HOME/}" \
    -e TAG="$TAG" -e FILEDIR=${FILEDIR#$HOME} -e UID="$WHOUID" -e GID="$WHOGID" \
I noticed this because my .bashrc contains mac-only commands which don't
execute properly.
In general, I'd prefer only to pull in a very limited set of files
(essentially the datatracker source itself), because I don't want
datatracker to have access to my home directory [0] but I don't see an
argument to suppress this behavior. Would people object to a patch that
mapped in just the source into some subdirectory (potentially as an option)?
As an option, sure. As the default, no. There were reasons to do it this
way, and it took a lot of work to get everything in place (and adapted to
different versions of docker) so I'd rather not mess with the default.

Make sure to test your patch both under linux and mac.

Henrik
Post by Eric Rescorla
Thanks,
-Ekr
[0] I recognize that docker doesn't provide complete isolation, but this is
about incompetence (mine), not malice.
___________________________________________________________
Tools-discuss mailing list
https://www.ietf.org/mailman/listinfo/tools-discuss
Please report datatracker.ietf.org and mailarchive.ietf.org
bugs at http://tools.ietf.org/tools/ietfdb
Please report tools.ietf.org bugs at
http://tools.ietf.org/tools/issues
Eric Rescorla
2018-07-26 13:21:01 UTC
Post by Henrik Levkowetz
Post by Eric Rescorla
Hi folks,
I see that the docker/run script pulls in one's home directory as the
image's home directory. e.g.,
docker run -ti -p $PORT:8000 -v "$HOME:/home/$WHO" \
    -e USER="$WHO" -e DATADIR="${parent#$HOME/}/data" -e CWD="${PWD#$HOME/}" \
    -e TAG="$TAG" -e FILEDIR=${FILEDIR#$HOME} -e UID="$WHOUID" -e GID="$WHOGID" \
I noticed this because my .bashrc contains mac-only commands which don't
execute properly.
In general, I'd prefer only to pull in a very limited set of files
(essentially the datatracker source itself), because I don't want
datatracker to have access to my home directory [0] but I don't see an
argument to suppress this behavior. Would people object to a patch that
mapped in just the source into some subdirectory (potentially as an option)?
As an option, sure. As the default, no. There were reasons to do it this
way, and it took a lot of work to get everything in place (and adapted to
different versions of docker) so I'd rather not mess with the default.
Sure, no problem.


Make sure to test your patch both under linux and mac.
Will do.

-Ekr
Post by Henrik Levkowetz
Henrik
Thanks,
Post by Eric Rescorla
-Ekr
[0] I recognize that docker doesn't provide complete isolation, but this is
about incompetence (mine), not malice.
Antony Stone
2018-07-26 13:23:37 UTC
Post by Henrik Levkowetz
Post by Eric Rescorla
In general, I'd prefer only to pull in a very limited set of files
(essentially the datatracker source itself), because I don't want
datatracker to have access to my home directory [0] but I don't see an
argument to suppress this behavior. Would people object to a patch that
mapped in just the source into some subdirectory (potentially as an option)?
As an option, sure. As the default, no.
This seems a bit ambiguous to me - are you (Henrik) saying that "yes, you
object to the patch as an option", or "yes, the patch as an option would be
fine"?
Post by Henrik Levkowetz
There were reasons to do it this way, and it took a lot of work to get
everything in place (and adapted to different versions of docker) so I'd
rather not mess with the default.
Make sure to test your patch both under linux and mac.
Henrik
Post by Eric Rescorla
Thanks,
-Ekr
[0] I recognize that docker doesn't provide complete isolation, but this
is about incompetence (mine), not malice.
Regards,
--
Antony Stone
Systems admin
IETF Tools servers
https://www.linkedin.com/in/antonystone

Henrik Levkowetz
2018-07-26 13:27:03 UTC
Post by Antony Stone
Post by Henrik Levkowetz
Post by Eric Rescorla
In general, I'd prefer only to pull in a very limited set of files
(essentially the datatracker source itself), because I don't want
datatracker to have access to my home directory [0] but I don't see an
argument to suppress this behavior. Would people object to a patch that
mapped in just the source into some subdirectory (potentially as an option)?
As an option, sure. As the default, no.
This seems a bit ambiguous to me - are you (Henrik) saying that "yes, you
object to the patch as an option", or "yes, the patch as an option would be
fine"?
The latter :-)
Post by Antony Stone
Post by Henrik Levkowetz
There were reasons to do it this way, and it took a lot of work to get
everything in place (and adapted to different versions of docker) so I'd
rather not mess with the default.
Make sure to test your patch both under linux and mac.
Henrik
Post by Eric Rescorla
Thanks,
-Ekr
[0] I recognize that docker doesn't provide complete isolation, but this
is about incompetence (mine), not malice.
Regards,