Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

opa binary in 0.25.0-debug docker image is sensitive to working directory #2974

Closed
nairb774 opened this issue Dec 4, 2020 · 2 comments · Fixed by #2979
Closed

opa binary in 0.25.0-debug docker image is sensitive to working directory #2974

nairb774 opened this issue Dec 4, 2020 · 2 comments · Fixed by #2979
Assignees
@tsandall
Labels
bug
Projects
Open Policy Agent

Comments

@nairb774
Copy link
Contributor

nairb774 commented Dec 4, 2020

Expected Behavior

That running the following will allow checking the formatting of rego files (used in CI)

$ docker run --rm \
  --volume $PWD:/test \
  --workdir /test \
  openpolicyagent/opa:0.25.0-debug@sha256:b39280c50cded838266f52ce5a8c80529225eecda92eeafa1c3561605ab2e5b1 \
  fmt --list .

Actual Behavior

Running the image results in the following error:

/opa: error while loading shared libraries: libwasmer.so: cannot open shared object file: No such file or directory.

This can also be triggered with the non-debug container as well, but the debug container is used in our CI as it has a shell that CircleCI uses for running CI steps.

Steps to Reproduce the Problem

Run the above command from a directory containing rego files to check the formatting on. The actual rego contents, I hope, aren't really that important as the binary doesn't seem to even be getting to main.

The important part to call out about the above command is the use of --workdir to change the current working directory to something other than the default /.

Additional Info

Pulling the opa binary apart with readelf it looks like the the RUNPATH is using a relative path:

Dynamic section at offset 0x10aede8 contains 27 entries:
  Tag        Type                         Name/Value
 0x0000000000000001 (NEEDED)             Shared library: [libpthread.so.0]
 0x0000000000000001 (NEEDED)             Shared library: [libwasmer.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000001d (RUNPATH)            Library runpath: [./:/go/src/github.com/open-policy-agent/opa/vendor/github.com/wasmerio/go-ext-wasm/wasmer]
 0x000000000000000c (INIT)               0x404000
 0x000000000000000d (FINI)               0xbf3414
 0x0000000000000019 (INIT_ARRAY)         0x14afdd8
 0x000000000000001b (INIT_ARRAYSZ)       8 (bytes)
 0x000000000000001a (FINI_ARRAY)         0x14afde0
 0x000000000000001c (FINI_ARRAYSZ)       8 (bytes)
 0x000000006ffffef5 (GNU_HASH)           0x4003a8
 0x0000000000000005 (STRTAB)             0x401da8
 0x0000000000000006 (SYMTAB)             0x4007b8
 0x000000000000000a (STRSZ)              5042 (bytes)
 0x000000000000000b (SYMENT)             24 (bytes)
 0x0000000000000015 (DEBUG)              0x0
 0x0000000000000003 (PLTGOT)             0x14b0000
 0x0000000000000002 (PLTRELSZ)           2496 (bytes)
 0x0000000000000014 (PLTREL)             RELA
 0x0000000000000017 (JMPREL)             0x4033c8
 0x0000000000000007 (RELA)               0x403380
 0x0000000000000008 (RELASZ)             72 (bytes)
 0x0000000000000009 (RELAENT)            24 (bytes)
 0x000000006ffffffe (VERNEED)            0x403330
 0x000000006fffffff (VERNEEDNUM)         2
 0x000000006ffffff0 (VERSYM)             0x40315a
 0x0000000000000000 (NULL)               0x0

which makes running the binary sensitive to the current working directory. Ideally the location of libwasmer.so would be in a location referenced with an absolute path so the binary can be run from any directory.
@tsandall
Copy link
Member

tsandall commented Dec 4, 2020

Thanks for filing this @nairb774! It should be a relatively simple fix. I'll take a look tomorrow.

@tsandall tsandall added the bug label Dec 4, 2020
@tsandall tsandall added this to TODO (Things That Should Be Done) in Open Policy Agent via automation Dec 4, 2020
@tsandall tsandall moved this from TODO (Things That Should Be Done) to In Progress in Open Policy Agent Dec 4, 2020
@tsandall tsandall self-assigned this Dec 4, 2020
tsandall added a commit to tsandall/opa that referenced this issue Dec 4, 2020
@tsandall
build: Fix rpath to refer to absolute location
e005fa4 
We originally set the rpath to be relative to the $ORIGIN which
apparently changes if the working directory is overriden. This change
just fixes the rpath to contain /usr/lib/opa and then updates the
Dockerfile to copy the libwasmer.so file into this new directory.

Fixes open-policy-agent#2974

Signed-off-by: Torin Sandall <torinsandall@gmail.com>
@tsandall tsandall mentioned this issue Dec 4, 2020
Merged
Open Policy Agent automation moved this from In Progress to Done Dec 4, 2020
tsandall added a commit that referenced this issue Dec 4, 2020
@tsandall
build: Fix rpath to refer to absolute location
0625a79 
We originally set the rpath to be relative to the $ORIGIN which
apparently changes if the working directory is overriden. This change
just fixes the rpath to contain /usr/lib/opa and then updates the
Dockerfile to copy the libwasmer.so file into this new directory.

Fixes #2974

Signed-off-by: Torin Sandall <torinsandall@gmail.com>
@nairb774
Copy link
Contributor Author

nairb774 commented Dec 7, 2020

Thank you!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tsandall tsandall

Labels
bug
Projects
Open Policy Agent
  
Done
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

build: Fix rpath to refer to absolute location tsandall/opa
2 participants
@nairb774 @tsandall