Add knob to skip adding extended ACL to labdir (srl-labs#2028)

* Add knob to skip adding extended ACL to labdir This PR adds the "--skip-labdir-acl" knob to the deploy call. Setting it will skip adding extended ACL to the lab dir. * aligned flag names * added --skip-labdir-acl in one of the tests --------- Co-authored-by: Roman Dodin <dodin.roman@gmail.com>
james-m-henderson · Apr 29, 2024 · f753f6b · f753f6b
1 parent efbba05
commit f753f6b
Show file tree

Hide file tree

Showing 5 changed files with 35 additions and 12 deletions.
diff --git a/clab/clab.go b/clab/clab.go
@@ -996,11 +996,14 @@ func (c *CLab) Deploy(ctx context.Context, options *DeployOptions) ([]runtime.Ge
 
 	log.Info("Creating lab directory: ", c.TopoPaths.TopologyLabDir())
 	utils.CreateDirectory(c.TopoPaths.TopologyLabDir(), 0755)
-	// adjust ACL for Labdir such that SUDO_UID Users will
-	// also have access to lab directory files
-	err = utils.AdjustFileACLs(c.TopoPaths.TopologyLabDir())
-	if err != nil {
-		log.Infof("unable to adjust Labdir file ACLs: %v", err)
+
+	if !options.skipLabDirFileACLs {
+		// adjust ACL for Labdir such that SUDO_UID Users will
+		// also have access to lab directory files
+		err = utils.AdjustFileACLs(c.TopoPaths.TopologyLabDir())
+		if err != nil {
+			log.Infof("unable to adjust Labdir file ACLs: %v", err)
+		}
 	}
 
 	// create an empty ansible inventory file that will get populated later

diff --git a/clab/deploy_options.go b/clab/deploy_options.go
@@ -7,11 +7,12 @@ import (
 
 // DeployOptions represents the options for deploying a lab.
 type DeployOptions struct {
-	reconfigure    bool   // reconfigure indicates whether to reconfigure the lab.
-	skipPostDeploy bool   // skipPostDeploy indicates whether to skip post-deployment steps.
-	graph          bool   // graph indicates whether to generate a graph of the lab.
-	maxWorkers     uint   // maxWorkers is the maximum number of workers for node creation.
-	exportTemplate string // exportTemplate is the path to the export template.
+	reconfigure        bool   // reconfigure indicates whether to reconfigure the lab.
+	skipPostDeploy     bool   // skipPostDeploy indicates whether to skip post-deployment steps.
+	graph              bool   // graph indicates whether to generate a graph of the lab.
+	maxWorkers         uint   // maxWorkers is the maximum number of workers for node creation.
+	exportTemplate     string // exportTemplate is the path to the export template.
+	skipLabDirFileACLs bool   // skip setting the extended File ACL entries on the lab directory.
 }
 
 // NewDeployOptions creates a new DeployOptions instance with the specified maxWorkers value.
@@ -38,6 +39,12 @@ func (d *DeployOptions) SetSkipPostDeploy(b bool) *DeployOptions {
 	return d
 }
 
+// SetSkipLabDirFileACLs sets the skipLabDirFileACLs deployment option.
+func (d *DeployOptions) SetSkipLabDirFileACLs(b bool) *DeployOptions {
+	d.skipLabDirFileACLs = b
+	return d
+}
+
 // SkipPostDeploy returns the skipPostDeploy option value.
 func (d *DeployOptions) SkipPostDeploy() bool {
 	return d.skipPostDeploy

diff --git a/cmd/deploy.go b/cmd/deploy.go
@@ -47,6 +47,9 @@ var deployFormat string
 // subset of nodes to work with.
 var nodeFilter []string
 
+// skipLabDirFileACLs skips provisioning of extended File ACLs for the Lab directory.
+var skipLabDirFileACLs bool
+
 // deployCmd represents the deploy command.
 var deployCmd = &cobra.Command{
 	Use:          "deploy",
@@ -74,6 +77,7 @@ func init() {
 		defaultExportTemplateFPath, "template file for topology data export")
 	deployCmd.Flags().StringSliceVarP(&nodeFilter, "node-filter", "", []string{},
 		"comma separated list of nodes to include")
+	deployCmd.Flags().BoolVarP(&skipLabDirFileACLs, "skip-labdir-acl", "", false, "skip the lab directory extended ACLs provisioning")
 }
 
 // deployFn function runs deploy sub command.
@@ -132,7 +136,8 @@ func deployFn(_ *cobra.Command, _ []string) error {
 	deploymentOptions.SetExportTemplate(exportTemplate).
 		SetReconfigure(reconfigure).
 		SetGraph(graph).
-		SetSkipPostDeploy(skipPostDeploy)
+		SetSkipPostDeploy(skipPostDeploy).
+		SetSkipLabDirFileACLs(skipLabDirFileACLs)
 
 	containers, err := c.Deploy(ctx, deploymentOptions)
 	if err != nil {

diff --git a/docs/cmd/deploy.md b/docs/cmd/deploy.md
@@ -135,6 +135,14 @@ Read more about [node filtering](../manual/node-filtering.md) in the documentati
 
 The `--skip-post-deploy` flag can be used to skip the post-deploy phase of the lab deployment. This is a global flag that affects all nodes in the lab.
 
+#### skip-labdir-acl
+
+The `--skip-labdir-acl` flag can be used to skip the lab directory access control list (ACL) provisioning.
+
+The extended File ACLs are provisioned for the lab directory by default, unless this flag is set. Extended File ACLs allow a sudo user to access the files in the lab directory that might be created by the `root` user from within the container node.
+
+While this is useful in most cases, sometimes extended File ACLs might prevent your lab from working, especially when your lab directory end up being mounted from the network filesystem (NFS, CIFS, etc.). In such cases, you can use this flag to skip the ACL provisioning.
+
 ### Environment variables
 
 #### `CLAB_RUNTIME`

diff --git a/tests/01-smoke/03-bridges-and-host.robot b/tests/01-smoke/03-bridges-and-host.robot
@@ -34,7 +34,7 @@ Create linux bridge
 
 Deploy ${lab-name} lab
     ${rc}    ${output} =    Run And Return Rc And Output
-    ...    sudo -E ${CLAB_BIN} --runtime ${runtime} deploy -t ${CURDIR}/${lab-file}
+    ...    sudo -E ${CLAB_BIN} --runtime ${runtime} deploy --skip-labdir-acl -t ${CURDIR}/${lab-file}
     Log    ${output}
     Should Be Equal As Integers    ${rc}    0