From eb35d9b30a29f37244be3bf828dcbb1f86f02371 Mon Sep 17 00:00:00 2001
From: Ievgen Popovych
Date: Sun, 19 Nov 2023 23:15:32 +0200
Subject: [PATCH] nvidia-ctk hook chmod: Ignore permission errors In some cases we might get a permission error trying to chmod - most likely this is due to something beyond our control like whole `/dev` being mounted. Do not fail container creation in this case. Due to loosing control of the program after `exec()`-ing `chmod(1)` program and therefore not being able to handle errors - refactor to use `chmod(2)` syscall instead of `exec()` `chmod(1)` program. Fixes: #143 Signed-off-by: Ievgen Popovych
---
 cmd/nvidia-ctk/hook/chmod/chmod.go | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/cmd/nvidia-ctk/hook/chmod/chmod.go b/cmd/nvidia-ctk/hook/chmod/chmod.go
index 8dbdf86a..90b4968f 100644
--- a/cmd/nvidia-ctk/hook/chmod/chmod.go
+++ b/cmd/nvidia-ctk/hook/chmod/chmod.go
@@ -17,16 +17,15 @@
 package chmod
 import (
+ "errors"
 "fmt"
 "io/fs"
 "os"
 "path/filepath"
 "strconv"
 "strings"
- "syscall"
 "github.com/NVIDIA/nvidia-container-toolkit/internal/logger"
- "github.com/NVIDIA/nvidia-container-toolkit/internal/lookup"
 "github.com/NVIDIA/nvidia-container-toolkit/internal/oci"
 "github.com/urfave/cli/v2"
 )
@@ -126,17 +125,16 @@ func (m command) run(c *cli.Context, cfg *config) error {
 return nil
 }
- locator := lookup.NewExecutableLocator(m.logger, "")
- targets, err := locator.Locate("chmod")
- if err != nil {
- return fmt.Errorf("failed to locate chmod: %v", err)
+ for _, path := range paths {
+ err = os.Chmod(path, desiredMode)
+ // in some cases this is not an issue (e.g. whole /dev mounted), see #143
+ if errors.Is(err, fs.ErrPermission) {
+ m.logger.Debugf("Ignoring permission error with chmod: %v", err)
+ err = nil
+ }
 }
- chmodPath := targets[0]
- args := append([]string{filepath.Base(chmodPath), cfg.mode}, paths...)
-
- //nolint:gosec // TODO: Can we harden this so that there is less risk of command injection
- return syscall.Exec(chmodPath, args, nil)
+ return err
 }
 // getPaths updates the specified paths relative to the root.
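Review bot: In the new loop `err` is reassigned on every iteration, so a non-permission failure from `os.Chmod` on an earlier path is overwritten by the result for a later path and `return err` reports only the last one. Returning at the point of failure keeps it: after the `errors.Is` branch add `else if err != nil { return fmt.Errorf("failed to chmod %v: %w", path, err) }`. Separately, `os.Chmod` follows symbolic links, and the comment on `getPaths` suggests these paths are resolved under the container root. If the hook runs with host privileges, a symlink at one of those paths would redirect the mode change, so it is worth confirming the target is not a symlink (or resolving it within the root) before the call; the replaced `chmod(1)` invocation presumably behaved the same way. The start of `run` is outside the hunk, so where `desiredMode` and `err` are declared is not visible here.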