pre-commit: Permission issue with rootless containers

I tried to use a docker_image hook on a RHEL 7.7 system using podman with the podman-docker package installed (this setup allows for rootless containers). The hook attempts to modify the file, but gets a “permission denied” error. From looking at the source code, I see that pre-commit is roughly trying to execute:

docker run -u $(id -u):$(id -g) -v $(pwd):/src:rw,Z --workdir /src -it <ENTRY> <FILE>

The hook does try to run, but results in a permission error.

If, however, I remove the -u option from the source code (locally, languages/docker.py, docker_cmd()), then the hook runs fine.

About this issue

  • State: open
  • Created 5 years ago
  • Reactions: 5
  • Comments: 35 (12 by maintainers)

Most upvoted comments

I don’t understand the AttributeError check. Also, this function can actually return None if rootless is True. What about:

import os
import subprocess


def get_docker_user():
    # Ask the engine (docker, or podman via podman-docker) whether it is rootless.
    output = subprocess.check_output(('docker', 'system', 'info'), text=True)
    for line in output.splitlines():
        # rootless docker has "rootless"
        # rootless podman has "rootless: true"
        if line.strip().startswith('rootless'):
            if 'false' not in line:
                return ()  # no -u for rootless
            break
    return ('-u', f'{os.getuid()}:{os.getgid()}')

Probably need to add a check whether the current user is not root. Or if they have capabilities to set uid/gid.
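The detection sketched in the comment above, worked through as an added example (this is not pre-commit's own code, nor code from the commenter). The `docker system info` outputs below are constructed to show only the lines the check depends on; the image name and paths in the usage at the bottom are hypothetical. The reason the check matters: in rootless mode the host user is already mapped to uid 0 inside the container's user namespace, so `-u $(id -u):$(id -g)` selects a subordinate uid on the host side that does not own the bind-mounted checkout, which is the permission error this issue reports.

```python
import os
import subprocess
from typing import Tuple

# Constructed sample outputs of `docker system info` (not real captures),
# reduced to the lines that matter for the check below.
ROOTLESS_DOCKER_INFO = """\
Client:
 Debug Mode: false

Server:
 Containers: 0
 Security Options:
  seccomp
   Profile: default
  rootless
 Kernel Version: 3.10.0-1062.el7.x86_64
"""

ROOTFUL_DOCKER_INFO = """\
Client:
 Debug Mode: false

Server:
 Containers: 0
 Security Options:
  seccomp
   Profile: default
 Kernel Version: 3.10.0-1062.el7.x86_64
"""

# podman-docker forwards `docker system info` to `podman info`, whose output
# is YAML with an explicit boolean (also constructed samples).
ROOTLESS_PODMAN_INFO = """\
host:
  arch: amd64
  os: linux
  rootless: true
"""

ROOTFUL_PODMAN_INFO = """\
host:
  arch: amd64
  os: linux
  rootless: false
"""


def is_rootless(info_text: str) -> bool:
    """True if the engine reports rootless mode.

    Rootless docker lists a bare "rootless" under Security Options;
    podman prints "rootless: true" or "rootless: false".
    """
    for line in info_text.splitlines():
        stripped = line.strip()
        if stripped.startswith('rootless'):
            return 'false' not in stripped
    return False


def docker_user_args(info_text: str, uid: int, gid: int) -> Tuple[str, ...]:
    """`-u` arguments for `docker run`, or none in rootless mode.

    Rootless engines already map the host user to uid 0 in the container,
    so forcing uid:gid would pick a subordinate uid that cannot write the
    bind-mounted checkout.
    """
    if is_rootless(info_text):
        return ()
    return ('-u', f'{uid}:{gid}')


def docker_run_cmd(entry: str, files: Tuple[str, ...], cwd: str,
                   info_text: str, uid: int, gid: int) -> Tuple[str, ...]:
    """Assemble the run command quoted in the issue (without `-it`)."""
    return (
        'docker', 'run', '--rm',
        *docker_user_args(info_text, uid, gid),
        '-v', f'{cwd}:/src:rw,Z',
        '--workdir', '/src',
        entry, *files,
    )


def get_docker_user() -> Tuple[str, ...]:
    """Live variant: query the local engine (needs docker or podman-docker)."""
    output = subprocess.check_output(('docker', 'system', 'info'), text=True)
    return docker_user_args(output, os.getuid(), os.getgid())


if __name__ == '__main__':
    # Hypothetical hook image and checkout path, for illustration only.
    for name, info in (('rootless docker', ROOTLESS_DOCKER_INFO),
                       ('rootful docker', ROOTFUL_DOCKER_INFO),
                       ('rootless podman', ROOTLESS_PODMAN_INFO),
                       ('rootful podman', ROOTFUL_PODMAN_INFO)):
        cmd = docker_run_cmd('example/linter:latest', ('a.py',),
                             '/home/user/repo', info, 1000, 1000)
        print(f'{name:16s} -> {" ".join(cmd)}')
```

Parsing the info text rather than checking `os.getuid()` is deliberate: a rootful daemon reached by an unprivileged client (docker group membership) still needs `-u`, and a rootless daemon run by a uid-1000 user must not get it, so the engine's own report is the only reliable signal.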

@asottile - yes I do! I'll try and find some time to tackle it.

Update: I installed docker 19.03 on CentOS 7.7 using the instructions found here: https://docs.docker.com/engine/security/rootless/#prerequiresites

This allows the docker daemon to run as a non-root user. This mode allows the docker daemon to be installed in user space, and does not require privileges to install or run the docker daemon, as long as certain prerequisites are satisfied.

With this type of install, the exact same issue is observed as with (rootless) podman.

What about if the local docker daemon is set up like so: https://docs.docker.com/engine/security/rootless/

Pretty sure the above approach by docker is using the same set of Linux kernel features that podman is using. Rootless containers are a must for anyone that is security-minded.