Make the root-downloaded images available to non-root users
DRAFT: DOESN'T WORK YET, the files are not getting the xattr set for
some reason

# Background

The RHEL-AI bootc image contains the ilab container image pre-pulled.
This image is downloaded using the `root` user into a container image
storage.

# Issue

Non-root users who try to run the `ilab` wrapper which launches a
container using the `ilab` image face a very large pull because as of
today, they're not even using the storage root pulls into as an
additional image store.

# Solution

Modify the wrapper such that podman will use the root storage
configuration. This is achieved through the `CONTAINERS_STORAGE_CONF`
environment variable.

# Issue 2

Since the storage is populated by the root user, the storage is
readable/searchable only by root.

# Solution

This change runs `chmod a+rx -R /usr/lib/containers` to make the storage
directory and its contents accessible to non-root users.

However, this has the effect of modifying the permissions of all the
in-container files to be world-readable and world-executable. This is
not ideal. To overcome this, we modify the `storage.conf` file to set
the `force_mask` to "shared" (alias for `0755`) and the `mount_program`
to `/usr/bin/fuse-overlayfs`, so that the original in-image file
permissions are recorded in the `user.containers.override_stat` xattr.
omertuc committed Jul 29, 2024
1 parent f9ed8bb commit 3dcb09e
Showing 2 changed files with 11 additions and 2 deletions.
2 changes: 2 additions & 0 deletions training/ilab-wrapper/ilab
@@ -16,6 +16,8 @@ if [[ "$1" = "shell" ]]; then
export PARAMS=()
fi

export CONTAINERS_STORAGE_CONF="/etc/containers/storage.conf"

PODMAN_COMMAND=("podman" "run" "--rm" "-it"
"--device" "${CONTAINER_DEVICE}"
"--security-opt" "label=disable" "--net" "host"
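Review bot: the new `export CONTAINERS_STORAGE_CONF=...` line carries no comment explaining why a rootless invocation should read the system-wide storage.conf (to pick up the `/usr/lib/containers/storage` additional image store that the Containerfile adds); a one-line comment above the export would save the next reader from guessing. Note also that this makes rootless podman honour every setting in that file, not only `additionalimagestores`, so any graphroot/runroot values in it must be usable by an unprivileged user or the user's own writable store will be affected. A guard such as `[[ -r /etc/containers/storage.conf ]] && export CONTAINERS_STORAGE_CONF="/etc/containers/storage.conf"` would keep the wrapper working where the file is absent or unreadable.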
11 changes: 9 additions & 2 deletions training/nvidia-bootc/Containerfile
@@ -187,7 +187,11 @@ fi
# Also make sure not to duplicate if a base image already has it specified.
RUN grep -q /usr/lib/containers/storage /etc/containers/storage.conf || \
sed -i -e '/additionalimage.*/a "/usr/lib/containers/storage",' \
/etc/containers/storage.conf
/etc/containers/storage.conf && \
sed -i -e 's/^# force_mask.*$/force_mask = "shared"/' \
/etc/containers/storage.conf && \
sed -i -e 's@^#mount_program = .*@mount_program = "/usr/bin/fuse-overlayfs"@' \
/etc/containers/storage.conf

COPY duplicated/ilab-wrapper/ilab /usr/bin/ilab
RUN chmod +x /usr/bin/ilab
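Review bot: the `grep -q ... || sed ... && sed ... && sed ...` chain relies on the left-to-right evaluation of `||` and `&&` to make the two new `sed` calls run whether or not the grep matched, and the comment above it ("make sure not to duplicate if a base image already has it specified") now describes only the first step; splitting the `force_mask` and `mount_program` edits into their own `RUN` line (or grouping the first pair in braces) would make the intent explicit. The two substitutions also silently do nothing if the stock file does not contain a line starting exactly `# force_mask` (with a space) or `#mount_program` (without one), which is consistent with the commit message's report that the xattr is not being set; appending a check such as `grep -q '^force_mask = "shared"' /etc/containers/storage.conf` and `grep -q '^mount_program = "/usr/bin/fuse-overlayfs"' /etc/containers/storage.conf` would fail the build instead of shipping an unchanged config.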
@@ -212,7 +216,10 @@ RUN --mount=type=secret,id=${INSTRUCTLAB_IMAGE_PULL_SECRET}/.dockerconfigjson \
IID=$(sudo podman --root /usr/lib/containers/storage pull --authfile /run/secrets/${INSTRUCTLAB_IMAGE_PULL_SECRET}/.dockerconfigjson ${INSTRUCTLAB_IMAGE}); \
else \
IID=$(sudo podman --root /usr/lib/containers/storage pull ${INSTRUCTLAB_IMAGE}); \
fi
fi \
&& chmod a+rx -R /usr/lib/containers

RUN podman system reset --force 2>/dev/null

LABEL image_version_id="${IMAGE_VERSION_ID}"
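Review bot: `chmod a+rx -R /usr/lib/containers` sets the execute bit on every regular file in the store, which is the "world-executable" side effect the commit message itself calls out; `chmod -R a+rX /usr/lib/containers` (capital `X`) adds execute only to directories and to files that are already executable, so the read-only sharing goal is met without turning data files into executables. Separately, this runs after the pull, so it rewrites on-disk modes after whatever the storage library recorded at extraction time; if the `force_mask`/`fuse-overlayfs` settings in the earlier hunk are meant to be the mechanism, keeping both makes it hard to tell which one is (not) working. Either way, making the whole store world-readable exposes every file in the pulled image layers to all local users, so this deserves a comment in the Containerfile stating that the store is intentionally shared and must not hold images with embedded secrets.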
