Skip to content

Ensure containers EH and SB files can be used from non-root containers #7764

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Feb 25, 2025
Merged

Ensure containers EH and SB files can be used from non-root containers #7764

merged 2 commits into from
Feb 25, 2025

Conversation

sebastienros
Copy link
Member

@sebastienros sebastienros commented Feb 25, 2025
edited
Loading

Description

  • Added file modes to containers using IAspireStore
  • Changed default tests store folder to one that doesn't have non-root read permissions
  • Enable SB and EH functional tests making use of non-root permissions
  • Added unit tests to ensure expected file mode is set

Fixes #7759

Checklist

  • Is this feature complete?
    • Yes. Ready to ship.
    • No. Follow-up changes expected.
  • Are you including unit tests for the changes and scenario tests if relevant?
    • Yes
    • No
  • Did you add public API?
    • Yes
      • If yes, did you have an API Review for it?
        • Yes
        • No
      • Did you add <remarks /> and <code /> elements on your triple slash comments?
        • Yes
        • No
    • No
  • Does the change make any security assumptions or guarantees?
    • Yes
      • If yes, have you done a threat model and had a security review?
        • Yes
        • No
    • No
  • Does the change require an update in our Aspire docs?

@sebastienros sebastienros force-pushed the sebros/storepermissions branch from 4952a9b to 3dc36e6 Compare February 25, 2025 02:32
@sebastienros sebastienros changed the title [TEST] Investigate EH functional tests failures Ensure containers EH and SB files can be used from non-root containers Feb 25, 2025
@sebastienros sebastienros marked this pull request as ready for review February 25, 2025 02:35
@Copilot Copilot AI review requested due to automatic review settings February 25, 2025 02:35
Copilot
Copilot AI reviewed Feb 25, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot reviewed 5 out of 5 changed files in this pull request and generated 1 comment.

Comments suppressed due to low confidence (1)

tests/Shared/DistributedApplicationTestingBuilderExtensions.cs:32

  • Ensure that the temporary directory created via CreateTempSubdirectory() is appropriately cleaned up after tests run to prevent leaving unused directories on disk.
builder.Configuration["Aspire:Store:Path"] = Directory.CreateTempSubdirectory().FullName;

@sebastienros
Copy link
Member Author

/backport to release/9.1

@github-actions GitHub Actions
Copy link
Contributor

Started backporting to release/9.1: https://github.com/dotnet/aspire/actions/runs/13512541462

@github-actions github-actions bot mentioned this pull request Feb 25, 2025
Closed
captainsafia
captainsafia reviewed Feb 25, 2025
View reviewed changes
src/Aspire.Hosting.Azure.EventHubs/AzureEventHubsExtensions.cs
// The docker container runs as a non-root user, so we need to grant other user's read/write permission
if (!OperatingSystem.IsWindows())
{
var mode = UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.UserExecute |
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need the execute privileges here and elsewhere?

tests/Shared/DistributedApplicationTestingBuilderExtensions.cs
// We create the Aspire Store in a folder with user-only access. This way non-root containers won't be able
// to access the files unless they correctly assign the required permissions for the container to work.

builder.Configuration["Aspire:Store:Path"] = Directory.CreateTempSubdirectory().FullName;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Do we need to do any exception handling here in case we're not able to create the temporary subdirectory?

tests/Aspire.Hosting.Azure.Tests/AzureEventHubsExtensionsTests.cs
@@ -110,6 +110,46 @@ public async Task VerifyAzureEventHubsEmulatorResource(bool referenceHub)
}
}

[Fact]
[RequiresDocker]
public async Task AzureEventHubsNs_ProducesAndConsumes()
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why this versus a playground test?

@mitchdenny
Copy link
Member

@captainsafia I think these are good questions, we hopefully have a plane for changing the way we deal with permissions like this for mounts coming from DCP in 9.2. But I think this is OK for 9.1.

@mitchdenny mitchdenny merged commit 3d3ccd4 into main Feb 25, 2025
71 checks passed
@mitchdenny mitchdenny deleted the sebros/storepermissions branch February 25, 2025 08:27
@github-actions github-actions bot added the area-integrations Issues pertaining to Aspire Integrations packages label Mar 10, 2025
@github-actions github-actions bot locked and limited conversation to collaborators Apr 9, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@captainsafia captainsafia captainsafia left review comments

Copilot code review Copilot Copilot left review comments

@mitchdenny mitchdenny mitchdenny approved these changes

@radical radical Awaiting requested review from radical radical is a code owner

@eerhardt eerhardt Awaiting requested review from eerhardt eerhardt is a code owner

@davidfowl davidfowl Awaiting requested review from davidfowl

Assignees
No one assigned
Labels
area-integrations Issues pertaining to Aspire Integrations packages
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

IAspireStore 's default permissions are incompatible with non-root containers
3 participants
@sebastienros @mitchdenny @captainsafia