$HOME=/root for daemons run via s6-setuidgid

[folex]

Currently, both fluence and ipfs are ran via s6-setuidgid abc for privilege drop.

However, as stated in the issue just-containers/s6-overlay#165 (comment), it doesn't change $HOME variable in any way. As a result, $HOME is set to /root.

That poses a problem if a program relies on the $HOME variable: they will use /root as their $HOME while having no permissions to write and/or read there.

For example, any NodeJS program that uses os.homedir() is susceptible to that problem, as described in this issue nodejs/node#5582.

We've met this behavior with Ceramic JS CLI (see ceramic-cli-utils.ts#L26):

  node:internal/process/promises:245
            triggerUncaughtException(err, true /* fromPromise */);
            ^
  
  [Error: EACCES: permission denied, mkdir '/root/.ceramic'] {
    errno: -13,
    code: 'EACCES',
    syscall: 'mkdir',
    path: '/root/.ceramic'
  }

Solution

The solution to this is to use execline's tools to unset $HOME env variable. Either emptyvar or unexport will do.

[stanleyjs]

@folex can you make this an arg to s6-setuidgid or somewhere else?

I currently have an application where I need to dynamically build a user specified as an environment variable at runtime in a container, pip install -e a directory as the user, and run jupyter under the user. pip reads $HOME and builds all of its directories according to that. I need to be able to pass a $HOME variable in; it's a little bit of duct-tape but I'm not sure there's a way around it

[folex]

@stanleyjs Hi there!

Are you trying to integrate jupyter with Fluence? That would be awesome!

This PR doesn't get in your way: it only unsets $HOME for ipfs and fluence daemons inside fluencelabs/fluence container. You can add your daemons, and they will receive $HOME = /root. However, note that this value might be incorrect and misleading for your use-case.

[stanleyjs]

Oops - my bad. I thought this was on the s6-overlay repo, I didn't notice that I had changed repos when I clicked through an issue.

…

On Fri, Feb 4, 2022, 5:20 AM folex ***@***.***> wrote: @stanleyjs <https://github.com/stanleyjs> Hi there! Are you trying to integrate jupyter with Fluence? That would be awesome! This PR doesn't get in your way: it only unsets $HOME for ipfs and fluence daemons inside fluencelabs/fluence container. — Reply to this email directly, view it on GitHub <#14 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AEAUIDBTVXHSLFWJBBH2Q6DUZOY6DANCNFSM5GBVHQRQ> . Triage notifications on the go with GitHub Mobile for iOS <https://apps.apple.com/app/apple-store/id1477376905?ct=notification-email&mt=8&pt=524675> or Android <https://play.google.com/store/apps/details?id=com.github.android&referrer=utm_campaign%3Dnotification-email%26utm_medium%3Demail%26utm_source%3Dgithub>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[folex]

That was my guess :)

Good luck with jupyter and s6! Btw, they're very helpful on Discord.

P.S. If you ever feel interested in p2p networks, you're always welcome here :)