Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Wrong directory permission on deployment #116

Closed
eboileau opened this issue Jul 1, 2024 · 5 comments
Closed

Wrong directory permission on deployment #116

eboileau opened this issue Jul 1, 2024 · 5 comments
Assignees
@eboileau
Labels
type:bug Something isn't working
Milestone
Second release

Comments

@eboileau
Copy link
Collaborator

eboileau commented Jul 1, 2024
edited
Loading

A clear and concise description of what the bug is.

On deployment, __create_local_folders.py is run, and directories under HOST_DATA_DIR end up with the wrong ownership. This is "commented out" in the installation playbook. mini_cron.sh should also be more forgiving.

This can be fixed after install, but ideally we want a clean install.
@eboileau eboileau added the type:bug Something isn't working label Jul 1, 2024
@eboileau eboileau self-assigned this Jul 1, 2024
eboileau added a commit that referenced this issue Jul 12, 2024
@eboileau
FIX config, start #116, refactor FileService
3e81a5f
@eboileau eboileau added this to the Second release milestone Jul 16, 2024
@eboileau
Copy link
Collaborator Author

We now have conflicting directory creation between create_local_folders (container) and FileService (both dev and prod): this should happen only once, probably by FileService, and be safe (create if not exists, i.e. exists_ok=True).

@eboileau
Copy link
Collaborator Author

The only tricky one is IMPORT_DIR, which should exists on startup... see also #126

@HaraldWilhelmi
Copy link

As discussed with Etienne:

  • Whenever possible SCI-MODOM should create missing directories. Setting them up is the responsibility of the FileService. That should be done by now.
  • The little housekeeping job (mini-cron.sh) running in the container outside of Flask should silently ignore directories, which have not been created yet. This is a TODO.

HaraldWilhelmi pushed a commit that referenced this issue Jul 22, 2024
making housekeeping more robust (#116)
27518aa
@HaraldWilhelmi
Copy link

Etienne pointed out that we should also move out as much as possible from docker/scripts/__create_local_folders.py.
What needs to stay?

  • Everything needed by the docker-compose.yml (HOST_SECRETS_DIR, HOST_IMPORT_DIR, HOST_DATA_DIR, HOST_BACKUP_DIR, HOST_CONFIG_DIR, HOST_DB_DATA_DIR)
  • Everything needed by the script itself (HOST_SECRETS_DIR, HOST_CONFIG_DIR)

@HaraldWilhelmi
Copy link

Permission setup:

  • Host user is mapped to root (UID 0) inside the container.
  • Host user's primary group is mapped to group root (GID 0) inside the container.
  • The data of user 'app' is not accessible from the outside of the container (except for root).

Possible approach:

  • Use inside the container GID 0 with umask 007, and setgid on directories.
  • The app user has access thanks to being the owner.
  • From outside the files are accessible via the group's permission.

To do that, we need:

  • Change permissions to GID 0 for pretty much everything in the container on startup.
  • Use setgid bit on directories.
  • Tell the file service to use umask 007.

HaraldWilhelmi pushed a commit that referenced this issue Jul 23, 2024
Fixing permissions (#116)
fff9a16
HaraldWilhelmi pushed a commit that referenced this issue Jul 23, 2024
Fixing permissions, next try (#116)
f9896a2
HaraldWilhelmi pushed a commit that referenced this issue Jul 23, 2024
Fixing permissions, third try (#116)
b7a17d5
HaraldWilhelmi pushed a commit that referenced this issue Jul 23, 2024
Fixing permissions, 4th try (#116)
4fafd8e
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees

@eboileau eboileau

Labels
type:bug Something isn't working
Projects
None yet
Milestone
Second release
Development

No branches or pull requests
2 participants
@HaraldWilhelmi @eboileau