(bug) fix permissions problems with pregen cache access

[grokspawn]

Signed-off-by: Jordan jordan@nimblewidget.com

Description of the change:
create opm serve cache artifacts to serve for any uid by generating as 0777 (dirs) / 0666 (files).

Several options were evaluated, and we landed on a combo of relaxing the umask during cache generation coupled with updated permission of created artifacts to provide world read-/write-ability.

characterization	URI	verdict
original perms conflict	docker.io/grokspawn/catalog-permissions:orig	0700/0600 FAIL
0770/0660 perms	docker.io/grokspawn/catalog-permissions:permbump	0700/0600 FAIL
0777/0666 perms	docker.io/grokspawn/catalog-permissions:permbumpall	0700/0600 FAIL
0777/0666 perms + umask	docker.io/grokspawn/catalog-permissions:final-umask	0777/0666 SUCCESS
0750/0640 perms + umask	docker.io/grokspawn/opm:umask-no-other	0750/0640 SUCCESS

To build a candidate opm replacement image, !!IN LINUX!! do

cd $your-operator-registry-clone
GOENV=CGO_ENABLED=0 make static 
cp bin/opm .
docker build -f release/goreleaser.opm/Dockerfile -t [tag] .
docker push [tag]

Then create the catalog image:

mkdir -p /tmp/ctest
cd /tmp/ctest
mkdir catalog
[path-to-opm] generate dockerfile catalog

and finally, edit the FROM line in the catalog.Dockerfile to point to the pushed tag for the opm replacement image.

Motivation for the change:
c.f. OCPBUGS-650.

Cache generation code was creating for uid 1001 and permissions of 0700 (dirs) / 0600 (files), so later deployment in a pod would fail unless uid matched.

Reviewer Checklist

• Implementation matches the proposed design, or proposal is updated to match implementation
• Sufficient unit test coverage
• Sufficient end-to-end test coverage
• Docs updated or added to /docs
• Commit messages sensible and descriptive

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: grokspawn

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [grokspawn]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[codecov]

Codecov Report

Merging #1018 (e21be48) into master (7470c35) will decrease coverage by 0.00%.
The diff coverage is 29.41%.

@@            Coverage Diff             @@
##           master    #1018      +/-   ##
==========================================
- Coverage   51.67%   51.66%   -0.01%     
==========================================
  Files         102      102              
  Lines        9153     9164      +11     
==========================================
+ Hits         4730     4735       +5     
- Misses       3515     3521       +6     
  Partials      908      908              

Impacted Files	Coverage Δ
alpha/model/model.go	92.64% <ø> (ø)
alpha/property/property.go	92.68% <0.00%> (-4.76%)	⬇️
pkg/registry/query.go	61.48% <25.00%> (+0.26%)	⬆️
alpha/declcfg/declcfg_to_model.go	93.13% <100.00%> (+0.06%)	⬆️
alpha/declcfg/model_to_declcfg.go	100.00% <100.00%> (ø)
alpha/property/scheme.go	100.00% <100.00%> (ø)

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

[grokspawn]

/hold @joelanford asked if we can umask+0750/0640 with effect in a cluster, so ima test

[grokspawn]

/hold cancel
umask+0750/0640 appears to work for any arbitrary uid

[bentito]

Yeah I was wondering same, are any lesser RWX for any of the Group and Other perms possible.

[joelanford]

This does mean that if a non-owner encounters a stale cache, they'll fail instead of repopulating the cache because they won't be able to delete the existing stale files. IMO, that's reasonable though. Outcome is "file/dir owner is responsible for making sure cache is not stale".

[grokspawn]

As there was previously a 'user is root' implicit aspect in the past (which has been replaced with never-be-root-if-you-can-help-it), there appears to be a 'group is root' implicit aspect presently which allows other to have no privileges.

If/when that changes, this will also need to change.

[joelanford]

https://github.com/operator-framework/operator-registry/runs/8100687382?check_suite_focus=true#step:4:155

Oh joy! Looks like we get to experience the fun of using a windows-specific source code file to do something different than syscall.Umask (which does not exist in Windows). My guess is that we'll just make that a no-op on Windows.

[perdasilva]

/hold in case you agree with my nit

[perdasilva]

/lgtm

[perdasilva]

/lgtm

[perdasilva]

/hold cancel