User loses delete permission after migration to torizon/debian:3-bookworm

Hello Toradex Community

We experience a problem after migrating to Toradex’ debian bookworm base container from the earlier arm64v8-debian-base. Using the same Dockerfile, our created user doesn’t have permission to delete any file. Please see the minimal example below. This was only reproducible on the SoM running TorizonOS, but not when pulling the container on an arm64 laptop. It was also not reproducible on a more recent version of TorizonOS.
As you can see below, the newly created user myuser is not allowed to delete a file in its own user directory. Interestingly though, using rm -f seems to do the trick. We would however very much like to have the exact same permissions and behaviour as on previous versions.

Any help on this topic is greatly appreciated. Please let me know if any other information is required. Thank you very much.

Minimal example ( TorizonCore 5.7.2)

sh-5.0$ docker run --rm -it torizon/debian:3-bookworm
root@24231a3ec667:/# adduser --disabled-password --gecos "" myuser
Adding user `myuser' ...
Adding new group `myuser' (1001) ...
Adding new user `myuser' (1001) with group `myuser (1001)' ...
Creating home directory `/home/myuser' ...
Copying files from `/etc/skel' ...
Adding new user `myuser' to supplemental / extra groups `users' ...
Adding user `myuser' to group `users' ...
root@24231a3ec667:/# su myuser
myuser@24231a3ec667:/$ cd home/myuser
myuser@24231a3ec667:~$ touch afile
myuser@24231a3ec667:~$ rm afile
rm: cannot remove 'afile': Operation not permitted
myuser@24231a3ec667:~$ ls -la
total 20
drwx------ 2 myuser myuser 4096 Sep  2 11:04 .
drwxr-xr-x 1 root   root   4096 Sep  2 11:03 ..
-rw-r--r-- 1 myuser myuser  220 Sep  2 11:03 .bash_logout
-rw-r--r-- 1 myuser myuser 3526 Sep  2 11:03 .bashrc
-rw-r--r-- 1 myuser myuser  807 Sep  2 11:03 .profile
-rw-r--r-- 1 myuser myuser    0 Sep  2 11:04 afile
myuser@24231a3ec667:~$ echo "hello" >> afile
myuser@24231a3ec667:~$ cat afile
hello
myuser@24231a3ec667:~$ rm -f afile
myuser@24231a3ec667:~$

Expected behaviour (TorizonCore 5.7.2)

sh-5.0$ docker run --rm -it torizon/arm64v8-debian-base
root@24370b27fe60:/# adduser --disabled-password --gecos "" myuser
Adding user `myuser' ...
Adding new group `myuser' (1001) ...
Adding new user `myuser' (1001) with group `myuser' ...
Creating home directory `/home/myuser' ...
Copying files from `/etc/skel' ...
root@24370b27fe60:/# su myuser
myuser@24370b27fe60:/$ cd home/myuser
myuser@24370b27fe60:~$ touch afile
myuser@24370b27fe60:~$ rm afile
myuser@24370b27fe60:~$

tdx-info output

Software summary
------------------------------------------------------------
Bootloader:               U-Boot
Kernel version:           5.4.193-5.7.2+git.b60d3160fd04 #1-TorizonCore SMP PREEMPT Fri Dec 23 15:47:24 UTC 2022
Kernel command line:      root=LABEL=otaroot rootfstype=ext4 quiet logo.nologo vt.global_cursor_default=0 plymouth.ignore-serial-consoles splash fbcon=map:3 ostree=/ostree/boot.0/torizon/020545d935d9f72873c9b5be7c5bb59b1c7cc1886ca7979b5e9e3950434b330e/0 kernel.sched_rt_runtime_us=-1
Distro name:              NAME="TorizonCore"
Distro version:           VERSION_ID=5.7.2-build.20
Distro variant:           VARIANT="Docker"
Hostname:                 rstest
------------------------------------------------------------

Hardware info
------------------------------------------------------------
HW model:                 Toradex Apalis iMX8QM V1.1 on Apalis Evaluation Board
Toradex version:          0037 V1.1B
Serial number:            06738340
Processor arch:           aarch64
------------------------------------------------------------

Running the Toradex base container on an arm64 Mac

docker run --rm -it torizon/debian:3-bookworm
root@e21a25d91fc2:/# adduser --disabled-password --gecos "" myuser
Adding user `myuser' ...
Adding new group `myuser' (1001) ...
Adding new user `myuser' (1001) with group `myuser (1001)' ...
Creating home directory `/home/myuser' ...
Copying files from `/etc/skel' ...
Adding new user `myuser' to supplemental / extra groups `users' ...
Adding user `myuser' to group `users' ...
root@e21a25d91fc2:/# su myuser
myuser@e21a25d91fc2:/$ cd /home/myuser
myuser@e21a25d91fc2:~$ touch afile
myuser@e21a25d91fc2:~$ rm afile
myuser@e21a25d91fc2:~$

I also tried the same on the same SoM running TorizonOS 6.6.1 and it worked without any problems.

sh-5.1$ sudo tdx-info
Password:

Software summary
------------------------------------------------------------
Bootloader:               U-Boot
Kernel version:           5.15.148-6.6.1+git.23a8e831749d #1-TorizonCore SMP PREEMPT Thu Feb 29 20:25:21 UTC 2024
Kernel command line:      root=LABEL=otaroot rootfstype=ext4 quiet logo.nologo vt.global_cursor_default=0 plymouth.ignore-serial-consoles splash fbcon=map:3 ostree=/ostree/boot.1/torizon/42030519c913f0e3ac912532a62fb43aca3c0735968f33b9a7cae8e6c9bdc1de/0 kernel.sched_rt_runtime_us=-1
Distro name:              NAME="TorizonCore"
Distro version:           VERSION_ID=6.6.1-build.14
Distro variant:           VARIANT="Docker"
Hostname:                 rstest
------------------------------------------------------------

Hardware info
------------------------------------------------------------
HW model:                 Toradex Apalis iMX8QM V1.1 on Apalis Evaluation Board
Toradex version:          0037 V1.1B
Serial number:            06738340
Processor arch:           aarch64
------------------------------------------------------------
sh-5.1$ docker run --rm -it torizon/debian:3-bookworm
root@84790f2e20cc:/# adduser --disabled-password --gecos "" myuser
Adding user `myuser' ...
Adding new group `myuser' (1001) ...
Adding new user `myuser' (1001) with group `myuser (1001)' ...
Creating home directory `/home/myuser' ...
Copying files from `/etc/skel' ...
Adding new user `myuser' to supplemental / extra groups `users' ...
Adding user `myuser' to group `users' ...
root@84790f2e20cc:/# su myuser
myuser@84790f2e20cc:/$ cd /home/myuser
myuser@84790f2e20cc:~$ touch afile
myuser@84790f2e20cc:~$ rm afile
myuser@84790f2e20cc:~$

Hi, I’m the Toradex AI Assistant. I’m in early beta, and I would appreciate your feedback.
The Toradex Support team will follow up with you shortly!

It seems like you are experiencing a permissions issue with the myuser user in the TorizonCore 5.7.2 environment when using the torizon/debian:3-bookworm container. This issue does not occur in the torizon/arm64v8-debian-base container or on a more recent version of TorizonCore (6.6.1).

Here are a few steps and considerations to help troubleshoot and potentially resolve this issue:

  1. Check File System Attributes:
    • Ensure that there are no special file system attributes set on the files or directories that might be causing this issue. You can use the lsattr command to check for any attributes.
  2. Compare User and Group IDs:
    • Verify that the user and group IDs for myuser are consistent across different environments. Sometimes mismatched IDs can cause permission issues.
  3. SELinux or AppArmor:
    • Check if SELinux or AppArmor is enabled and enforcing policies that might restrict file operations. You can check the status with sestatus for SELinux or aa-status for AppArmor.
  4. Docker Security Options:
    • Ensure that the Docker container is not running with restrictive security options that might prevent file deletions. You can inspect the container’s security options with docker inspect <container_id>.
  5. Kernel Differences:
    • Since the issue is not reproducible on a more recent version of TorizonCore, it might be related to kernel differences. Check the kernel changelogs between the versions to see if there are any relevant changes.
  6. Use rm -f as a Workaround:
    • While not ideal, using rm -f seems to work as a temporary workaround. This might indicate that there is a specific permission or attribute issue that rm -f bypasses.
  7. Update TorizonCore:
    • If possible, consider updating to the more recent version of TorizonCore (6.6.1) where the issue does not occur. This might be the simplest solution if there are no other constraints.
  8. Check Dockerfile and Container Configuration:
    • Review your Dockerfile and container configuration to ensure there are no settings that might affect file permissions. For example, ensure that the USER directive is correctly set.

If none of these steps resolve the issue, it might be helpful to provide additional details such as the exact Dockerfile used and

Hi @kferrari

That’s really a weird issue. I tested it on my setup and I got the same results as you described.

Is there anything in your project that requires Torizon 5?
BSP 5 is close to reaching EOL and your issue seems to be solved on Torizon 6.

Hi @kferrari

I just checked with the Torizon team.

The version of the container image you are using, torizon/debian:3-bookworm, is not compatible with TorizonCore 5.7.2.

The tag of the image to be used in each version of Torizon is defined with an environment variable $CT_TAG_DEBIAN.

In the case of TorizonCore 5.7.2, you should use the container image torizon/debian:2-bullseye.
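A preflight check for the mismatch described above, added here as an example and not code from the thread or from Toradex: it compares the torizon/debian tag in a Dockerfile against the value the host publishes in $CT_TAG_DEBIAN, and turns the touch/rm reproduction from the question into an exit code. The function and variable names are mine, and the Dockerfile it writes is a constructed sample.

```sh
#!/bin/sh
# Added example (not from the thread or from Toradex). Two preflight checks for the
# image/OS mismatch discussed above: run check_base_tag on the TorizonOS host and
# probe_unlink inside the container as the unprivileged user.

# Print the tag of every "FROM torizon/debian:<tag>" line in a Dockerfile.
# Handles "FROM --platform=... image AS stage"; variable references such as
# ${IMAGE_TAG} are printed literally and must be resolved by the caller.
debian_tags_in_dockerfile() {
    sed -n 's/^[[:space:]]*FROM[[:space:]]\{1,\}\(--platform=[^[:space:]]*[[:space:]]\{1,\}\)\{0,1\}torizon\/debian:\([^[:space:]]*\).*/\2/p' "$1"
}

# Return 0 when every torizon/debian base image in $1 uses tag $2 (pass
# "$CT_TAG_DEBIAN" from the host, e.g. 2-bullseye on TorizonCore 5.7.2), else 1.
# A Dockerfile with no torizon/debian base image passes.
check_base_tag() {
    dockerfile=$1
    expected=$2
    rc=0
    for tag in $(debian_tags_in_dockerfile "$dockerfile"); do
        if [ "$tag" != "$expected" ]; then
            echo "mismatch: $dockerfile uses torizon/debian:$tag, host expects $expected" >&2
            rc=1
        fi
    done
    return $rc
}

# The question's reproduction as an exit code: create a file and remove it with
# plain rm (no -f) as the current user. Returns 0 if rm succeeds, non-zero otherwise.
probe_unlink() {
    dir=$(mktemp -d) || return 1
    touch "$dir/afile" && rm "$dir/afile"
    rc=$?
    rm -rf "$dir"   # cleanup only; -f is the workaround the thread mentions
    return $rc
}

# Constructed sample Dockerfile mirroring the thread's setup (not the poster's
# actual Dockerfile); prints the path of the temporary file it writes.
write_sample_dockerfile() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
FROM torizon/debian:3-bookworm
RUN adduser --disabled-password --gecos "" myuser
USER myuser
WORKDIR /home/myuser
EOF
    echo "$f"
}

# Usage on the host: check_base_tag ./Dockerfile "$CT_TAG_DEBIAN" || echo "fix FROM line"
```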

Dear @allan.tx

Thank you very much for the swift reply! That makes perfect sense, I should have just checked the $CT_TAG_DEBIAN.

We will update our compatibility matrix and make sure devices using our latest application stack are updated to Torizon 6 first.

Thank you again and have a great day,
Kim