Run dockerfile commands with correct user.

[EnTeQuAk]

This updates various things…

• Remove the default usage of USER in the Dockerfile as this may
  be too restrictive for daily usage
• Use gosu and update the entrypoint to fix permissions and drop
  properly into the olympia user
• Use docker-compose run to actually make sure the entrypoint is run
  correctly which isn't the case when using exec

Fixes mozilla/addons#6962

Please do test these changes thoroughly, I only briefly ran them on macos and windows but I might not know what to look for specifically.

Things worth testing:

• make initialize works as expected and doesn't trample directory permissions
• make shell works and initializes itself with the olympia user
• inside make shell a make update_deps works too because we're setting correct permissions
• make update works as expected

I pushed a separate fixed-docker-perms tag to dockerhub and updated the docker-compose file to make testing easier.

[diox]

Why the change from exec to run here and below ? The container should already be running, we don't want another one, we want to re-use the one we have.

[EnTeQuAk]

As written in the description - I noticed that when using exec the entrypoint would simply not be executed which lead to many of the permission problems we've seen in folders on the hosts system.

run on the other hand does run the entrypoint properly. I haven't found another reasonable solution to this and I'm perfectly aware that it's not ideal but as the original web container stays up I don't think it's an issue.

Also, the storage layers (/deps/) seem to be shared between those two so that updates do happen on both afaik.

Happy to use exec if you know any way to make the entrypoint being executed properly.

run does not start supervisord (the CMD) again so that there aren't any conflicts from what I see.

[diox]

Also, the storage layers (/deps/) seem to be shared between those two so that updates do happen on both afaik.

That doesn't seem to be true, no. I don't see where that would be set in the configuration, and it doesn't seem to be shared on my machine (I created a file in /deps using exec, then checked if it was there using run, it wasn't).

And it's not just about /deps: you might want to install a system package using make shell when you're adding a system dependency, or debugging something. That wouldn't work if it's a different container.

[eviljeff]

Is this a permanent change? How is :fixed-docker-perms being updated? (And could do with a better name if permanent)

[EnTeQuAk]

No, as written in the description…

I pushed a separate fixed-docker-perms tag to dockerhub and updated the docker-compose file to make testing easier.

It's not permanent and will be switched back before I merge this branch.

[diox]

Need to revert that

[EnTeQuAk]

Yes, before I merge that. For testing it's easier to leave it

[diox]

Also, the storage layers (/deps/) seem to be shared between those two so that updates do happen on both afaik.

That doesn't seem to be true, no. I don't see where that would be set in the configuration, and it doesn't seem to be shared on my machine (I created a file in /deps using exec, then checked if it was there using run, it wasn't).

And it's not just about /deps: you might want to install a system package using make shell when you're adding a system dependency, or debugging something. That wouldn't work if it's a different container.

[EnTeQuAk]

Alrighty, I updated the implementation slightly.

• I created a olympia user in the Dockerfile
• I commented out the entrypoint for now (see below for why)
• I made use of the user option in docker-compose.yml

Now, this seems to work nicely on Linux and I'm not able to reproduce any of the filesystem permission issues we had in the past. I'm not quite sure though how other systems do the mapping so I need more testing for whether the uid/guid mapping is still needed or not.

@eviljeff (for Windows) and @muffinresearch (for OSX) are you able to checkout this branch and test if you still see issues with files owned by another account on your systems for files created inside the docker container?

If you don't, then we do have a fairly simple solution at hand.

[muffinresearch]

Alrighty, I updated the implementation slightly.

* I created a `olympia` user in the `Dockerfile`

* I commented out the entrypoint for now (see below for why)

* I made use of the `user` option in docker-compose.yml

Now, this seems to work nicely on Linux and I'm not able to reproduce any of the filesystem permission issues we had in the past. I'm not quite sure though how other systems do the mapping so I need more testing for whether the uid/guid mapping is still needed or not.

@eviljeff (for Windows) and @muffinresearch (for OSX) are you able to checkout this branch and test if you still see issues with files owned by another account on your systems for files created inside the docker container?

If you don't, then we do have a fairly simple solution at hand.

Yep will do.

[muffinresearch]

Uploading an add-on now works for me 👍

[muffinresearch]

Possibly a bit counter-intuitive to set $HOME to /code even if we did this historically - does anything actually rely on that behaviour?

[EnTeQuAk]

I don't think so and I'm not sure we actually need that. I could try without and see where that gets us

[diox]

I guess this doesn't hurt but why would the user be wrong?

[EnTeQuAk]

With the recent changes, this entrypoint will hopefully be removed - I haven't done that yet while the testing isn't done.

So, don't worry about that just yet.

[EnTeQuAk]

I put the chown in the Dockerfile instead which enforces the correct user assignment.

[diox]

Tested locally, it works.

[diox]

As mentioned on IRC, we don't want to keep that, because this forces a local build instead of a pull. If someone wants to locally build an image, they should either use a custom file if they want to use docker-compose, or just use regular docker.

[diox]

Maybe add a simple rootshell target in Makefile-os ?

[diox]

Actually... make update_docker is broken for me:
https://gist.github.com/diox/040421aa6cb3db392e3e9ba6e5b2d3c1

pip is installing deps in /usr/local/lib so it won't work with the olympia user...

[EnTeQuAk]

I updated quite a bunch of things, I'll add more documentation later once I'm in the colo and will see if the circleci builds work for now. I think we got a tiny bit closer to a working docker environment (and dockerhub builds for that matter…)

[EnTeQuAk]

Alright, quick update. I updated the configs to fix docker image build related issues which now requires GROUP_ID/USER_ID to be passed along when building the image manually. I'll update the docs accordingly once I ran a few more tests.

The rest is mostly the same from what already has been tested, we're now using user-local python installation and run pip accordingly which works around various issues during image building / make initialize and make update_docker.

STR for testing:

• checkout this branch (and latest changes)
• docker-compose pull to pull the latest build (build is done and uploaded now)
• docker-compose up -d
• make initialize (to re-initialize everything, updates deps etc which will shouldn't run into permission errors)
• (alternatively just running make update_docker should be a good test-candidate too)
• Then, upload an add-on, does this work? Do you see any root owned files, does accessing/downloading that file work?

[EnTeQuAk]

These require --build-arg GROUP_ID=$(id -g) --build-arg USER_ID=$(id -u) - I'll add docs about that later - I found that we don't have any docs at all about local building so I'll do that together with fixing circleci automatic builds (for local dev) as this may change requirements.