Scala apps fail with Permission denied when run with a different user (due to sbt target bin script permissions) #655

Open
edmorley opened this issue Apr 29, 2024 · 0 comments

edmorley commented Apr 29, 2024

The upstream CNB spec encourages operators to use separate Linux users for build vs run images:
https://github.com/buildpacks/spec/blob/platform/0.13/platform.md#run-image

We've decided not to do this for the Heroku base images (at least for now), since we're not able to control application code, and we believe it will otherwise cause compatibility issues with a number of existing apps:
heroku/base-images#268

However, it would be ideal if our buildpacks and Getting started guide app templates at least supported the app images being run with a separate user (or with read-only layers), so that they can work with other base images or platforms that might choose to use separate users or mount the layers as read-only.

Testing all of our officially supported languages in the builder image (by adding --user nobody to the docker run invocation), I found that the Scala getting started guide app failed to boot:

bash: line 1: target/universal/stage/bin/scala-getting-started: Permission denied

(see: https://github.com/heroku/cnb-builder-images/actions/runs/8877305233/job/24370681312#step:8:26)

This is because that script only has the execute permission set for the owner (user heroku) and not the group or others:

$ docker run --rm --entrypoint launcher scala-test ls -l target/universal/stage/bin/scala-getting-started
-rwxr--r-- 1 heroku heroku 13426 Jan  1  1980 target/universal/stage/bin/scala-getting-started

This appears to be because sbt-native-packager uses setExecutable(true), which only applies to the owner:
https://github.com/sbt/sbt-native-packager/blob/0f69b0cb11102da2b48b5232231bce73ce01331c/src/main/scala/com/typesafe/sbt/packager/Stager.scala#L23-L38
https://docs.oracle.com/javase/8/docs/api/java/io/File.html#setExecutable-boolean-

One fix would be to change that line to .setExecutable(true, false); however, I presume sbt-native-packager might be reluctant to accept such a change.

Presumably the only other option would be for the sbt buildpack to set the permissions on any bin scripts itself?
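One way the buildpack-side option raised above could be checked and applied, as an added example (not code from the sbt buildpack or sbt-native-packager). The function names are hypothetical, and it assumes the staged launch scripts sit in a directory such as target/universal/stage/bin. Execute is only granted to classes that can already read the file, so a script staged as 0700 is reported but left alone.

```shell
#!/bin/sh
# Added example: audit and widen execute bits on staged sbt launch scripts.
# Function names are hypothetical; the directory layout is an assumption
# based on the path shown in the issue (target/universal/stage/bin).

# Print regular files the owner can execute but that group and others
# cannot both execute (e.g. mode 0744, the -rwxr--r-- case in the issue).
list_owner_only_exec() {
    find "$1" -type f -perm -100 ! -perm -011
}

# For owner-executable files, add the execute bit for group and/or others,
# but only where that class already has read access. This mirrors the read
# bits instead of blindly applying a+x, so 0744 becomes 0755 while 0700
# stays 0700.
widen_exec() {
    find "$1" -type f -perm -100 -perm -040 ! -perm -010 -exec chmod g+x {} +
    find "$1" -type f -perm -100 -perm -004 ! -perm -001 -exec chmod o+x {} +
}

# When called with a directory argument: report, fix, then report what is
# still owner-only (files that were deliberately not widened).
if [ "$#" -gt 0 ]; then
    echo "Owner-only executables before:"
    list_owner_only_exec "$1"
    widen_exec "$1"
    echo "Owner-only executables after:"
    list_owner_only_exec "$1"
fi
```

Run as `sh script.sh target/universal/stage/bin` after the stage step; anything still listed afterwards is not readable by group or others and needs a separate decision.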
