New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Write permission error with a shared package cache folder #7227
Comments
I attempted to do exactly the same thing and encountered the same problem, so I second this request. Sharing a pkg cache and environments seems useful to me. Probably a duplicate of this #6953 My
|
So I came across a robust work around (or perhaps 'correct configuration') by using Assuming you have a group called
|
Hi @daveuu
The only workaround I've found is to run chmod -R 777 mycondacache &>/dev/null to fix messy permissions silently. @kalefranz There are a lot of issues around this, do you think one of those propositions could do the job? |
Still experiencing this on our private HPC. Has there been any progress? Updated recommended actions? |
Hi! Never heard about a feature to help on this. |
I have the same problem. I have also tried using FACL but to no avail. Maybe I did something wrong? Anyway: Another way to circumvent the issue is to delete the cache or to run |
Hi @trallnag, I don't understand "to no avail.", Could you please detail a bit more? Your workaround for the permission error also lose the interest of a shared package cache. Doing that way you will download again and again the same packages instead of creating hardlinks against the same files located in the package cache directory. Anyone in the conda team that could help on that? Regards! |
So a solution could be to have a CLI argument to
If I can find more time I could attempt a pull request (but I'm not familiar with the conda code base so no guarantees I'll have the time soon 😢 ) |
Hi @trallnag |
Hi! |
Same issue here, and no real solid solution. |
I ran Edit: So I didn't read trallnag's answer, but at least I can confirm that this way works. |
I am coming here hoping if there is a way to unshare the package cache folder. Even though conda info shows two cache locations, one readonly for the root, one writeable under my home, somehow I am still getting permission errors. Should conda prefer to use the writeable cache directory instead? Admittedly I am using a rather old version of conda (the version shipped by Fedora) -- were there recent improvements on this front?
|
My solution to this is to disable the shared cache. I addec a condarc file (On Fedora it is /usr/share/conda/condarc.d/zz-local.yaml) that flipped the ordering of the per user cache directory and the root (readonly) cache directory.
I am not sure to what extent allow_softlinks helped; just added to be safe that nothing in the per user directory is a symlink to the readonly directory. I have also run conda clean --all as root to purge the root cache. |
|
Same issue here on our shared HPC environment - its a bummer that there is no clean solution (only the workaround of everyone having a local pkgs_dir). |
I got an impression that a local cache server may be used for the caching purpose. |
Like, a LAN mirror of interested channels, and then disable conda's cache? |
@rainwoodman yes. I guess that's the reason that the officials are hesitant in participating this discussion. |
Is that officially recommended in the documentation anywhere? Because, as described in this issue, the docs specifically recommend pointing different users to the same local path: |
I'm seeing this in a shared Jupyterhub instance as of Conda 4.10.3. |
Seeing this behavior in conda 4.10.3. It's causing problems in a shared research environment. Our workaround thus far has been to set a default group ACL so that newly created objects are group read/write. |
@chenghlee @jezdez Could you please give this issue some priority? |
Seems like conda does not support brace expansion. Something like This being said, I think the problem is that the files in On UNIX systems, the default umask is By changing the source code from something like with open(file, 'a'):
pass to old_umask = os.umask(0o002)
os.close(os.open(file, os.O_CREAT, mode=0o664))
os.umask(old_umask) I have this feeling that a lot of the problems w.r.t. permissions could be resolved. For the problems in this thread this would have to be combined with setting GUID on the pkgs directory and proper group management of course. Assuming GUID has been set on the shared pkg directory, a temporary solution (on UNIX) might be to include something like |
Any updates on this? This would solve a lot of headaches for our team if this bug was fixed. |
I was also misled by the documentation into thinking that a shared package cache on our HPC cluster was feasible. A fix would be very useful. |
@jezdez Are there any plans on your side to investigate this issue? I just did some checks how large the "$USER/.conda/pkgs" directories on our system are. |
Just piling in - have a docker container that is built as root and then changed to $USER as an environment variable at runtime. The result is that the $USER has to |
Any news on this? I'm trying to install conda-libmamba-solver and keep bumping into this permissions problem. |
Same problem here, we could solve it by:
Our IT is however not really happy with this solution. |
|
I'm moving this into the sprint candidates for the Anaconda team so we can move this closer to a solution. Per Seb's comment above its not something that conda should be doing and creates potential security issues along with general headaches. |
Why is this issue being hijacked? This was originally about multi-user installs. I fail to see how the file permission problem is even related to the original issue. |
When conda-package-handling >= 2.0 is installed, conda uses the standard library to extract files instead of libarchive. This can affect permissions in some cases; so far we have noticed it in github codespaces, which may be using extended or sticky directory permissions. Is the new behavior better? |
I agree with @hoedt : the new issue title and description is now completely different from the original issue. It was about too strict permissions on JSON cache files. Now it became too loose permissions on unzipped pkgs files @awwad, could you please roll back the change and create a new issue instead (related but different)? The related issues, priority, etc were assigned way before changing it |
I'll assume this got confused with another issue somehow.... Sorry for that. Sure, reverted. At a guess, I'd say that this is likely because a umask-checking solution might address both. |
December 2023, and I'm still seeing this issue with a relatively recent conda version 23.11.0. The multi-user install instructions for Linux should probably include some version of sticky bits getting set on the cache directory or at least instructions on how to turn off the shared cache |
Jan 2024 still having the issue on our server. Only thing seeming to work is deleting the cache for creating a new env :( |
Is this the location where the json are written to the cache? conda/conda/gateways/disk/create.py Line 111 in 72fe69d
|
IIUC the Unix-way of setting umask is to have everyone who wants to use a shared folder, set umask in bashrc. Awfully error-prone. Is there a way to set a directory permission or extended permission? |
Current Behavior
I would like to share the package cache folder of a miniconda install with users in a linux group. I set group write permission for the folder and also set the
guid
bit. With a fresh install, the first user has no problem but the subsequent users get a permission error.I looked within currently open issues but I could not find anything related to my problem. Please point me to anything relevant if I am wrong.
Thanks a lot.
Steps to Reproduce
Expected Behavior
There should maybe be a way to specify the umask when creating the files or to flag the package cache folder as shared in some way.
Environment Information
`conda info`
`conda config --show-sources`
`conda list --show-channel-urls`
The text was updated successfully, but these errors were encountered: