2021-01-01 12:30 (2 views)

using venv with setuidgid

I am looking to use venv for a project. I create it during build, and I want it to be sourced before running a service. I've tried the following approaches (which did not work):

  • put source /venv/bin/activate at head of run script
  • exec s6-setuidgid user source /venv/bin/activate; command
  • source /venv/bin/activate in /etc/profile
  • source /venv/bin/activate in /home/user/.profile

those don't work.

so, any idiomatic way of having the venv sourced inside the setuidgid command, before I call the real command?



4 answers

  • weixin_39879674 2021-01-01 12:30

    I believe (but could be wrong) that "source" is a shell built-in.

    Is your run script written in bash/sh or execline? It should work in bash/sh.

  • weixin_39576149 2021-01-01 12:30

    it is #!/bin/sh on Alpine 3.11.

    One thought that came to mind was that it needs to be part of setuidgid because it is the command 'runner'. So, putting it above the setuidgid in the run script does not work, because it does not penetrate into setuidgid.

    Something I have not tried yet is to create a run wrapper of sorts:

    source_and_run() {
      . /venv/bin/activate   # POSIX form of "source"
      exec "$@"              # replace the shell with the real command
    }
    source_and_run "$@"

    and have setuidgid call it with the command to run. what do you think?

  • weixin_39879674 2021-01-01 12:30

    Do you have an example Dockerfile with the failure?

    I put together a small demo that uses source and s6-setuidgid in a service that works. The service just sources a file, calls "s6-setuidgid nobody env" to dump the environment variables, then shuts the container down.

    You should see the TEST environment variable in your output.

    FROM alpine:3.11
    ADD https://github.com/just-containers/s6-overlay/releases/download/v1.21.8.0/s6-overlay-amd64.tar.gz /tmp/
    RUN tar xzf /tmp/s6-overlay-amd64.tar.gz -C /
    RUN echo "export TEST=a-value" > /source-me
    RUN mkdir -p /etc/services.d/test-source \
        && echo "#!/bin/sh" > /etc/services.d/test-source/run \
        && echo "source /source-me" >> /etc/services.d/test-source/run \
        && echo "exec s6-setuidgid nobody env" >> /etc/services.d/test-source/run \
        && echo "#!/bin/sh"    > /etc/services.d/test-source/finish \
        && echo "s6-svscanctl -t /var/run/s6/services" >> /etc/services.d/test-source/finish \
        && chmod +x /etc/services.d/test-source/run \
        && chmod +x /etc/services.d/test-source/finish
    ENTRYPOINT ["/init"]

    If you can provide an example using virtualenv I can take a deeper look.

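Added example, not code from this thread or from s6-overlay: a POSIX sh run script that sets the venv variables itself (what bin/activate does) instead of relying on the `source` builtin, then drops privileges with s6-setuidgid, which passes the exported environment through to the unprivileged child. The venv path /venv, the service account `app` and the program `app.py` are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumptions: venv at /venv,
# service account "app", program "app.py".

# activate_venv DIR: replicate what DIR/bin/activate does, in POSIX sh:
# export VIRTUAL_ENV, prepend DIR/bin to PATH (only once, so repeated
# calls do not grow PATH), and drop PYTHONHOME, which would otherwise
# override the venv's interpreter.
activate_venv() {
  dir=$1
  [ -x "$dir/bin/python" ] || { echo "no venv at $dir" >&2; return 1; }
  VIRTUAL_ENV=$dir
  export VIRTUAL_ENV
  case ":$PATH:" in
    *":$dir/bin:"*) ;;                 # already on PATH, leave it
    *) PATH="$dir/bin:$PATH" ;;
  esac
  export PATH
  unset PYTHONHOME
}

# venv_python: the interpreter a bare "python" now resolves to.
venv_python() {
  command -v python
}

# The top level only runs when this file is installed as an s6 "run"
# script. s6-setuidgid changes uid/gid but keeps the environment exported
# above, so the service runs unprivileged with the venv already active.
if [ "${0##*/}" = run ]; then
  activate_venv /venv || exit 1
  exec s6-setuidgid app python app.py
fi
```

Keep /venv owned by root and not writable by `app`, since its bin directory is now first on the service's PATH.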
  • weixin_39576149 2021-01-01 12:30

    yup. tested again and it's working. weird.

    anyways, thank you and keep on the good work
