-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support other output modes than 0555 #5588
Comments
Overriding the default 0555 [1,2], which doesn't make sense for Terraform configs, etc. Bazel still (as of 0.15.0) doesn't support setting permissions for the tarball itself [3], but we can address that in followup work if/when it becomes possible. [1]: https://docs.bazel.build/versions/master/be/pkg.html#pkg_tar [2]: bazelbuild/bazel#2925 [3]: bazelbuild/bazel#5588
The output of
Even then, |
Overriding the default 0555 [1,2], which doesn't make sense for Terraform configs, etc. Bazel still (as of 0.15.0) doesn't support setting permissions for the tarball itself [3], but we can address that in followup work if/when it becomes possible. [1]: https://docs.bazel.build/versions/master/be/pkg.html#pkg_tar [2]: bazelbuild/bazel#2925 [3]: bazelbuild/bazel#5588
Avoiding: $ ./tests/run.sh ... cp: cannot create regular file ‘tectonic-dev/smoke’: Permission denied $ ls -l tectonic-dev/smoke -r-xr-xr-x. 1 trking trking 48972051 Sep 10 12:14 tectonic-dev/smoke Ideally the Bazel output would have appropriate permissions by default, but it currently provides no way to set write permission on its output files [1]. With this commit, you can run run.sh multiple times in succession without blowing away tectonic-dev between runs. [1]: bazelbuild/bazel#5588
Avoiding: $ ./tests/run.sh ... cp: cannot create regular file ‘tectonic-dev/smoke’: Permission denied $ ls -l tectonic-dev/smoke -r-xr-xr-x. 1 trking trking 48972051 Sep 10 12:14 tectonic-dev/smoke Ideally the Bazel output would have appropriate permissions by default, but it currently provides no way to set write permission on its output files [1]. With this commit, you can run run.sh multiple times in succession without blowing away tectonic-dev between runs. [1]: bazelbuild/bazel#5588
Avoiding: $ ./tests/run.sh ... cp: cannot create regular file ‘tectonic-dev/smoke’: Permission denied $ ls -l tectonic-dev/smoke -r-xr-xr-x. 1 trking trking 48972051 Sep 10 12:14 tectonic-dev/smoke Ideally the Bazel output would have appropriate permissions by default, but it currently provides no way to set write permission on its output files [1]. With this commit, you can run run.sh multiple times in succession without blowing away tectonic-dev between runs. [1]: bazelbuild/bazel#5588
Avoiding: $ ./tests/run.sh ... cp: cannot create regular file ‘tectonic-dev/smoke’: Permission denied $ ls -l tectonic-dev/smoke -r-xr-xr-x. 1 trking trking 48972051 Sep 10 12:14 tectonic-dev/smoke Ideally the Bazel output would have appropriate permissions by default, but it currently provides no way to set write permission on its output files [1]. With this commit, you can run run.sh multiple times in succession without blowing away tectonic-dev between runs. [1]: bazelbuild/bazel#5588
Avoiding: $ ./tests/run.sh ... cp: cannot create regular file ‘tectonic-dev/smoke’: Permission denied $ ls -l tectonic-dev/smoke -r-xr-xr-x. 1 trking trking 48972051 Sep 10 12:14 tectonic-dev/smoke Ideally the Bazel output would have appropriate permissions by default, but it currently provides no way to set write permission on its output files [1]. With this commit, you can run run.sh multiple times in succession without blowing away tectonic-dev between runs. [1]: bazelbuild/bazel#5588
why do artifacts have a permission of 555, even if they aren't executable? why not use 444 unless it is a directory or marked as an executable? |
That's a good question, but changing it is going to be a breaking change for someone, so we are not going to change it without careful reflection. |
@aiuto Breaking in theory or breaking in practice? Are there known tools/systems that expect the execution bit on non-executable files? |
We follow Hyrum's Law - that someone will end up depending on every observable behavior of your code, documented or not. So we assume that theory is equivalent to practice. I'm sure there is someone who generates a bash script with one rule, then passes it as data to another genrule and then expects it to run. So changing it to 444 would break them. This is not so far fetched. What I meant was that if we are going to make any behavior change, let's figure out the real needs first. Is executable/non-executable sufficient? Do we need files which are non-readable by other users? Do we want to be able to set arbitrary modes for output, so that if we repackaged that output with pkg_deb it would have the "right" file modes for the package? |
I just found this, and I have a real need. I was setting the modes explicitly to what I needed them to be and they are reverted to 555, which is breaking my rules. Why are the modes adjusted at all? Can we have an opt-out option? Maybe another magic flag in the |
#4059 has more background on this: specifically, artifacts are always executable for historical reasons. Quoting @ulfjack: "The reason is that Google's remote execution system marks all files as executable in order to avoid having to have multiple copies of the same file available locally (multiple hard-links to the same file have the same mod bits)." Fixing this has nothing to do with local execution and is a broader change to how Bazel actually treats artifacts. Changing teams. |
I haven't heard a compelling use case for this (I'd be curious to hear what @alanfalloon experienced with broken rules). Given the complexity of the change, keeping at a low priority. |
Here are some of the ways that this behaviour has broken my rules:
Besides those concrete examples, there is also the case that the current behaviour is both wrong and surprising. Modes are just as much a part of the file as the content -- if not the entire POSIX mode, then certainly the executable bits. Chmoding my outputs after an action is just as wrong as normalizing newlines on every output. As a rule author, it breaks basic assumptions about how actions are executed, and requires me to jump through hoops to work around this issue. It is somewhat understandable that something like the remote cache is limited to a subset of POSIX behaviour (not preserving xattrs for example) so cached artifacts could lose some permission information. But even in those situations, basic permissions should be preserved: for example, even git preserves executable information in its tree representations. That said, local actions should preserve anything the local filesystems supports so you can always I also don't particularly find the Hyrums law argument very convincing: if people were depending on outputs magically becoming executable, then their rules are wrong -- this is just hiding it. We should gate the fix behind an incompatible-flag for a couple of releases to give them a chance to fix their rules, but its not a reason to avoid fixing this bug. |
cc @alexjski |
There is a mode difference in the result files. Gem sources are 644 as they should be while outputs of dependencies are 555 (e.g. LICENSE, NOTICE). In fact, there should be no executable in the gem so it seems fair to simply force-set mode to 644 on everything. bazelbuild/bazel#5588
After action execution, permission of output files is changed to [`0555`](#5588). This PR updates remote module in following ways to make the behavior consistent: 1. Ignores `isExecutable` field of downloaded outputs from remote cache since the permission will be set to `0555` after action execution. 2. Always set `isExecutable` to `true` instead of reading the real permission bits from file system when uploading local outputs. 3. Do `chmod 0555` instead of `chmod 0755` when fetching inputs files for local actions which are outputs of previous remote actions. This should improve cache hit rate for builds that use dynamic execution and build without bytes. Caveat: actions that depend on permission bits of input files (e.g. zip actions) shouldn't be executed dynamically since we have no control of input file permissions when running remotely. They should be always executed either locally or remotely. b/198297058 Closes #13980. PiperOrigin-RevId: 397257861
@janakdr, perhaps the required change to address this issue is complex, but maybe the priority in this case shouldn't be determined solely based on it's complexity. I understand decisions were made way back to simplify Google's remote execution system and avoid making copies of the same file locally with hard links, but isn't it a safer security practice to not make files executable if you don't have to? Some of the generated files could be part of a public-facing deliverable. It's not only the contents of a file that make up a deliverable but its accompanying metadata. This behaviour is specially incorrect if it's overriding the user's desired execution bits. Could there at least be an option to force a desired mode for the generated file? |
I'm not opposed to this change being made. However, my subteam at Google does not have the bandwidth to make it. I would be open to an external contribution. @philwo for broader Bazel visibility if this is a high-enough priority that someone inside Google should work on it. |
Thank you Janak. @bazelbuild/remote-execution WDYT? |
Strongly in favor of avoiding implicit executable-bit setting by the clients, echoing many of the non-hyrum sentiments in this issue. The executable bit adds a major impact to remote systems when there's a client side filter that just ends up making a majority of the input files (as prior outputs) for remote ex have the bit permutation, for non-fuse systems that use hard links (like buildfarm) creating upfront cost, expiration time sink, and cas thrash. |
Thank you for contributing to the Bazel repository! This issue has been marked as stale since it has not had any activity in the last 1+ years. It will be closed in the next 14 days unless any other activity occurs or one of the following labels is added: "not stale", "awaiting-bazeler". Please reach out to the triage team ( |
FWIW, |
Description of the problem / feature request:
When building tarballs with
pkg_tar
, the output tarball has a 0555 mode. But tarballs are generally not going to be executable. I think the default mode should be 0666 or, if you want to be very conservative 0444. In both those cases, it would be nice to respect the user's umask, as long as it did not interfere with reproducible builds. An alternative would be to provide an explicitpkg_tar
parameter that functions similarly to the existingmode
(althoughmode
is for files packaged inside the tarball, not for the tarball itself, #2925).Feature requests: what underlying problem are you trying to solve with this feature?
Claiming that output tarballs are executable makes it harder to auto-complete sibling paths that are executable. And if you attempt to execute the tarball, I think an EPERM is more obvious than "cannot execute binary file".
Bugs: what's the simplest, easiest way to reproduce this bug? Please provide a minimal example if possible.
What operating system are you running Bazel on?
RHEL 7.5 (Linux).
What's the output of
bazel info release
?If
bazel info release
returns "development version" or "(@non-git)", tell us how you built Bazel.Installed from COPR.
Have you found anything relevant by searching the web?
#2925 is similar, but (as mentioned above), it's about the content of the tarball and not the tarball itself. I didn't see anything on SO or bazel-discuss@.
The text was updated successfully, but these errors were encountered: