Our developer environments create a user upon start that matches the host UID/GID to allow for frictionless use of bind mounts. At image build time the root user prefetches a few DotSlash tools that are used in the entry point script so that the container can be started without network calls. The following shows two tools that use different archive formats and two tools that distribute raw binaries, of which jq was prefetched at build time.
❯ whoami
dd
❯ cat /usr/local/bin/rg
#!/usr/bin/env dotslash
{"name":"rg","platforms":{"linux-x86_64":{"digest":"f73cca4e54d78c31f832c7f6e2c0b4db8b04fa3eaa747915727d570893dbee76","format":"tar.gz","hash":"blake3","path":"ripgrep-14.1.1-x86_64-unknown-linux-musl/rg","providers":[{"type":"http","url":"https://github.com/BurntSushi/ripgrep/releases/download/14.1.1/ripgrep-14.1.1-x86_64-unknown-linux-musl.tar.gz"}],"size":2566310}}}
❯ ls -las (dotslash -- fetch /usr/local/bin/rg) | select name type mode user | to json --raw
[{"name":"rg","type":"file","mode":"r-xr-xr-x","user":"dd"}]
❯ ls -las (dotslash -- fetch /usr/local/bin/rg) | select name type mode user
╭───┬──────┬──────┬───────────┬──────╮
│ # │ name │ type │ mode │ user │
├───┼──────┼──────┼───────────┼──────┤
│ 0 │ rg │ file │ r-xr-xr-x │ dd │
╰───┴──────┴──────┴───────────┴──────╯
❯ cat /usr/local/bin/procs
#!/usr/bin/env dotslash
{"name":"procs","platforms":{"linux-x86_64":{"digest":"9433cce7a903a8d07b85c3d9b9520d699759b4dedc00d5d1123b348355682e15","format":"zip","hash":"blake3","path":"procs","providers":[{"type":"http","url":"https://github.com/dalance/procs/releases/download/v0.14.10/procs-v0.14.10-x86_64-linux.zip"}],"size":2483155}}}
❯ ls -sla (dotslash -- fetch /usr/local/bin/procs) | first | select mode user
╭──────┬───────────╮
│ mode │ r-xr-xr-x │
│ user │ dd │
╰──────┴───────────╯
❯ cat /usr/local/bin/jq
#!/usr/bin/env dotslash
{"name":"jq","platforms":{"linux-x86_64":{"digest":"f4f456f3a1a9a0dbcd9b0c2a77e29d14bc1f8bb036db4f6ff06d8c76a99e5ef2","hash":"blake3","path":"jq-linux-amd64","providers":[{"type":"http","url":"https://github.com/jqlang/jq/releases/download/jq-1.7.1/jq-linux-amd64"}],"size":2319424}}}
❯ ls -sla (dotslash -- fetch /usr/local/bin/jq) | first | select mode user
╭──────┬───────────╮
│ mode │ r-x------ │
│ user │ root │
╰──────┴───────────╯
❯ cat /usr/local/bin/kubectl
#!/usr/bin/env dotslash
{"name":"kubectl","platforms":{"linux-x86_64":{"digest":"6e0155179f71e23f6dca4e2256661b856841798e1c8db668416d1e5b87e40778","hash":"blake3","path":"kubectl","providers":[{"type":"http","url":"https://dl.k8s.io/release/v1.34.2/bin/linux/amd64/kubectl"}],"size":60559544}}}
❯ ls -sla (dotslash -- fetch /usr/local/bin/kubectl) | first | select mode user
╭──────┬───────────╮
│ mode │ r-x------ │
│ user │ dd │
╰──────┴───────────╯
❯ jq --version
dotslash error: problem with `/usr/local/bin/jq`
caused by: failed to execute `/var/cache/dd/dotslash/c6/8413e5b96d4758f5e3aca57599497b0fef034a/jq-linux-amd64`
caused by: Permission denied (os error 13)
❯ kubectl version
Client Version: v1.34.2
Kustomize Version: v5.7.1
Hello again!
I just noticed that when the file referenced by a platform's
pathkey is not executable, DotSlash sets0o500as the default which only allows execution by the owner. This is unexpected as binaries that are released without being executable by all usually indicates an oversight in the distribution process. What's worse (more common) however is binaries that are distributed without being wrapped in an archive, likejqandkubectl, because they necessarily trigger this default behavior. I think the default should be0o555, or at least configurable.Our developer environments create a user upon start that matches the host UID/GID to allow for frictionless use of bind mounts. At image build time the root user prefetches a few DotSlash tools that are used in the entry point script so that the container can be started without network calls. The following shows two tools that use different archive formats and two tools that distribute raw binaries, of which
jqwas prefetched at build time.