SweetOps #geodesic for August, 2022

Discussions related to https://github.com/cloudposse/geodesic

Archive: https://archive.sweetops.com/geodesic/

2022-08-01

Release notes from geodesic

10:00:41 PM

v1.2.3 Included Tools Update AWS CLI packages @renovate (<a class=”issue-link js-issue-link” data-error-text=”Failed to load title” data-id=”1299518463” data-permission-text=”Title is private” data-url=”https://github.com/cloudposse/geodesic/issues/796“…

Release v1.2.3 · cloudposse/geodesic attachment image

Included Tools Update AWS CLI packages @renovate (#796) This PR contains the following updates: Package Change Age Adoption Passing Confidence awscli (source, changelog) ==1.25.22 -> ==…

renovate - Overview

renovate has one repository available. Follow their code on GitHub.

Update AWS CLI packages by renovate[bot] · Pull Request #796 · cloudposse/geodesic attachment image

This PR contains the following updates: Package Change Age Adoption Passing Confidence awscli (source, changelog) ==1.25.22 -> ==1.25.43 boto3 ==1.24.22 -> ==1.24.43 Release No…

2022-08-30

Joe Niland

01:06:59 AM

Is there a standard way to add to the PATH env var when building a custom geodesic image? For example, I want to add /usr/local/go/bin to the PATH.

I’ve tried ENV PATH="/usr/local/go/bin:$PATH" in the Dockerfile. And appending export PATH=… in /root/.bashrc also from the Dockerfile.

The way I’m currently doing it is to add export PATH="/usr/local/go/bin:${PATH}" in a file in ~/.geodesic/overrides.d/

Is there a better way?

Erik Osterman (Cloud Posse)

02:34:15 PM

@Jeremy G (Cloud Posse)

Matt Gowie

12:06:48 AM

@Jeremy G (Cloud Posse) friendly ping on this.

We’re installing golang in our toolbox Containerfile and then we’d like to make sure that it is in the PATH. When we set the PATH in the Containerfile, it gets overwritten so we haven’t been able to accomplish it that way. So right now, we’re doing this by using an overrides file locally on the host machine, but that doesn’t scale with many team members.

To skip over digging deep into the internals of the Geodesic bash-fu, we figured you’d have a solution for us. Any thoughts?

Jeremy G (Cloud Posse)

01:33:52 AM

Replacement for /etc/profile. Add it to your repo as rootfs/etc/profile

Jeremy G (Cloud Posse)

01:35:29 AM

Sorry I missed the first mention of this (I blame Slack).

This is not Geodesic’s doing. The issue is that PATH is explicitly set under Debian via /etc/profile. Every time a bash shell starts, the PATH gets reset rather than inherited. This is likely due to Debian’s orientation as a more secure Linux for running servers, in that blocks a lot of attack vectors that rely on swapping out executables by rewriting PATH.

The only fix is to replace Debian’s /etc/profile with one that does not change the PATH, but that could be a subtle breaking change and I am reluctant to overwrite system files like that in the base Geodesic. Among other reasons are that this will obscure and revert any future changes made by Debian and it will break the default expected (secure) behavior of Debian.

You can, of course, do it yourself. Just add the /etc/profile replacement I posted just before this to your Docker context as rootfs/etc/profile and ensure your Dockerfile has the Geodesic standard line

COPY rootfs/ /

Jeremy G (Cloud Posse)

01:41:19 AM

@Joe Niland No, I don’t think there is a better way than using overrides.d; this is the kind of thing that was designed for. Unless you mean you want everyone using the image to get it, in which case I would advise you to do what I advised @Matt Gowie to do above, which is set the PATH in the Dockerfile and replace /etc/profile with something that does not reset it.

Matt Gowie

02:07:12 AM

@Jeremy G (Cloud Posse) overriding /etc/profile looks great. That was what we were looking for. Thanks for that.

We also can use RUN to just append our PATH addition to the end of that file, which I also like so we’re not undoing Debian’s default of clearing the PATH. We’ll likely go that route.

cc @Joe Niland

Joe Niland

02:25:03 AM

@Jeremy G (Cloud Posse) thanks very much for the clarification. I didn’t realise that was the case with Debian. Yes, the question arose because we want to make it a standard ‘feature’ of this custom Geodesic image.

Jeremy G (Cloud Posse)

02:25:27 AM

@Matt Gowie @Joe Niland I’m preparing a PR that will set the PATH the way Alpine does, among other things. That is, it appends to the inherited path rather than reseting it.

Joe Niland

02:26:25 AM

Sounds great! Thank you

Matt Gowie

03:15:46 AM

Awesome — Thanks Jeremy

Jeremy G (Cloud Posse)

03:21:43 AM

This should do it. Please review and LMK what you think. https://github.com/cloudposse/geodesic/pull/801

what

• Copy Alpine PATH initialization to Debian, replacing Debian behavior of clobbering preexisting PATH • Update Debian 11.3 -> 11.4 • Update Alpine 3.15.4 -> 3.16.2 • Miscellaneous cleanups

why

• Debian behavior is to ignore any existing value of PATH environment variable when launching bash and set it to a predefined value. This makes it impossible to set the PATH in the Dockerfile. Alpine’s approach (taken from Arch Linux) is to append the path components to any existing PATH value, allowing users to set a preferred path, but still ensuring that all expected/required directories are included in PATH to start. • Keep up-to-date • Clean up little things that were nevertheless irritating

references

• Supersedes and closes #790 • Supersedes and closes #799

Jeremy G (Cloud Posse)

03:34:43 AM

@Joe Niland @Matt Gowie You can try it out by using