-
Notifications
You must be signed in to change notification settings - Fork 535
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Run dockerfile commands with correct user. #12579
Conversation
This updates various things… * Remove the default usage of `USER` in the Dockerfile as this may be too restrictive for daily usage * Use `gosu` and update the entrypoint to fix permissions and drop properly into the `olympia` user * Use `docker-compose run` to actually make sure the entrypoint is run correctly which isn't the case when using `exec` Fixes #12366
Makefile-os
Outdated
@@ -11,17 +11,17 @@ help_submake: | |||
|
|||
.PHONY: update_docker | |||
update_docker: ## update all the docker images | |||
docker-compose exec worker make update_deps |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Why the change from exec
to run
here and below ? The container should already be running, we don't want another one, we want to re-use the one we have.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As written in the description - I noticed that when using exec
the entrypoint would simply not be executed which lead to many of the permission problems we've seen in folders on the hosts system.
run
on the other hand does run the entrypoint properly. I haven't found another reasonable solution to this and I'm perfectly aware that it's not ideal but as the original web
container stays up I don't think it's an issue.
Also, the storage layers (/deps/
) seem to be shared between those two so that updates do happen on both afaik.
Happy to use exec
if you know any way to make the entrypoint being executed properly.
run
does not start supervisord (the CMD
) again so that there aren't any conflicts from what I see.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, the storage layers (
/deps/
) seem to be shared between those two so that updates do happen on both afaik.
That doesn't seem to be true, no. I don't see where that would be set in the configuration, and it doesn't seem to be shared on my machine (I created a file in /deps
using exec
, then checked if it was there using run
, it wasn't).
And it's not just about /deps
: you might want to install a system package using make shell
when you're adding a system dependency, or debugging something. That wouldn't work if it's a different container.
docker-compose.yml
Outdated
@@ -23,7 +23,7 @@ x-env-mapping: &env | |||
services: | |||
worker: &worker | |||
<<: *env | |||
image: addons/addons-server:latest | |||
image: addons/addons-server:fixed-docker-perms |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Is this a permanent change? How is :fixed-docker-perms
being updated? (And could do with a better name if permanent)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No, as written in the description…
I pushed a separate fixed-docker-perms tag to dockerhub and updated the docker-compose file to make testing easier.
It's not permanent and will be switched back before I merge this branch.
docker-compose.yml
Outdated
@@ -23,7 +23,7 @@ x-env-mapping: &env | |||
services: | |||
worker: &worker | |||
<<: *env | |||
image: addons/addons-server:latest | |||
image: addons/addons-server:fixed-docker-perms |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Need to revert that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, before I merge that. For testing it's easier to leave it
Makefile-os
Outdated
@@ -11,17 +11,17 @@ help_submake: | |||
|
|||
.PHONY: update_docker | |||
update_docker: ## update all the docker images | |||
docker-compose exec worker make update_deps |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, the storage layers (
/deps/
) seem to be shared between those two so that updates do happen on both afaik.
That doesn't seem to be true, no. I don't see where that would be set in the configuration, and it doesn't seem to be shared on my machine (I created a file in /deps
using exec
, then checked if it was there using run
, it wasn't).
And it's not just about /deps
: you might want to install a system package using make shell
when you're adding a system dependency, or debugging something. That wouldn't work if it's a different container.
…fix-docker-builds
…fix-docker-builds
…erver into 12366-fix-docker-builds
…erver into 12366-fix-docker-builds
a405386
to
cd3fb54
Compare
Alrighty, I updated the implementation slightly.
Now, this seems to work nicely on Linux and I'm not able to reproduce any of the filesystem permission issues we had in the past. I'm not quite sure though how other systems do the mapping so I need more testing for whether the uid/guid mapping is still needed or not. @eviljeff (for Windows) and @muffinresearch (for OSX) are you able to checkout this branch and test if you still see issues with files owned by another account on your systems for files created inside the docker container? If you don't, then we do have a fairly simple solution at hand. |
Yep will do. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Uploading an add-on now works for me 👍
Dockerfile
Outdated
@@ -80,10 +83,15 @@ ENV PIP_SRC=/deps/src/ | |||
ENV NPM_CONFIG_PREFIX=/deps/ | |||
ENV SWIG_FEATURES="-D__x86_64__" | |||
|
|||
RUN useradd -Md /code/ olympia |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Possibly a bit counter-intuitive to set $HOME
to /code
even if we did this historically - does anything actually rely on that behaviour?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I don't think so and I'm not sure we actually need that. I could try without and see where that gets us
scripts/start-docker.sh
Outdated
|
||
# Fix /deps/ folder so that we're able to update the image | ||
# with the `olympia` user | ||
if [[ $deps_uid -ne $uid ]]; then |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I guess this doesn't hurt but why would the user be wrong?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
With the recent changes, this entrypoint will hopefully be removed - I haven't done that yet while the testing isn't done.
So, don't worry about that just yet.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I put the chown
in the Dockerfile instead which enforces the correct user assignment.
…erver into 12366-fix-docker-builds
…fix-docker-builds
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tested locally, it works.
docker-compose.yml
Outdated
@@ -23,9 +23,13 @@ x-env-mapping: &env | |||
services: | |||
worker: &worker | |||
<<: *env | |||
image: addons/addons-server:latest | |||
build: . |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As mentioned on IRC, we don't want to keep that, because this forces a local build instead of a pull. If someone wants to locally build an image, they should either use a custom file if they want to use docker-compose
, or just use regular docker
.
# We are defaulting to the olympia user to avoid any permission related | ||
# issues and files owned by root. This can be overwritten through | ||
# the --user option when calling docker-compose | ||
user: olympia |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Maybe add a simple rootshell
target in Makefile-os
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Actually... make update_docker
is broken for me:
https://gist.github.com/diox/040421aa6cb3db392e3e9ba6e5b2d3c1
pip
is installing deps in /usr/local/lib
so it won't work with the olympia
user...
I updated quite a bunch of things, I'll add more documentation later once I'm in the colo and will see if the circleci builds work for now. I think we got a tiny bit closer to a working docker environment (and dockerhub builds for that matter…) |
…fix-docker-builds
…erver into 12366-fix-docker-builds
Alright, quick update. I updated the configs to fix docker image build related issues which now requires GROUP_ID/USER_ID to be passed along when building the image manually. I'll update the docs accordingly once I ran a few more tests. The rest is mostly the same from what already has been tested, we're now using user-local python installation and run pip accordingly which works around various issues during image building / make initialize and make update_docker. STR for testing:
|
# Run everything as olympia user, by default. | ||
USER olympia | ||
ARG GROUP_ID=1000 | ||
ARG USER_ID=1000 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
These require --build-arg GROUP_ID=$(id -g) --build-arg USER_ID=$(id -u)
- I'll add docs about that later - I found that we don't have any docs at all about local building so I'll do that together with fixing circleci automatic builds (for local dev) as this may change requirements.
This updates various things…
USER
in the Dockerfile as this maybe too restrictive for daily usage
gosu
and update the entrypoint to fix permissions and dropproperly into the
olympia
userdocker-compose run
to actually make sure the entrypoint is runcorrectly which isn't the case when using
exec
Fixes mozilla/addons#6962
Please do test these changes thoroughly, I only briefly ran them on macos and windows but I might not know what to look for specifically.
Things worth testing:
make initialize
works as expected and doesn't trample directory permissionsmake shell
works and initializes itself with theolympia
usermake shell
amake update_deps
works too because we're setting correct permissionsmake update
works as expectedI pushed a separate
fixed-docker-perms
tag to dockerhub and updated the docker-compose file to make testing easier.