-
-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
revert smarter entrypoint script by 2.10 #78
Comments
This is somewhat confusing ... I'm both able to and not able to reproduce this.
Works exactly as expected. But if I do $ docker run --rm --volume "$(pwd):/data" pandoc/core:latest docs/patient-guide.md -o output.pdf -t html
/usr/local/bin/docker-entrypoint.sh: exec: line 11: docs/patient-guide.md: Permission denied It seems like the ash shell's # (in docker container)
$ command -v docs/patient-guide.md
docs/patient-guide.md
$ command -v test.txt And apparently it's not a builtin, but a script floating around: #!/bin/sh
# $FreeBSD: src/usr.bin/alias/generic.sh,v 1.2 2005/10/24 22:32:19 cperciva Exp $
# This file is in the public domain.
builtin `echo ${0##*/} | tr \[:upper:] \[:lower:]` ${1+"$@"}
# file: /usr/bin/command I'm not sure what to make of this. |
Some more googling shows that it's a bad idea |
I created a PR which double-checks that the value returned by |
I see that @maxheld83 approves, but to be honest the more I think about it the more I think this isn't robust enough. @zspitz reports in pandoc/pandoc-action-example#3 (comment)
This is subtle, but fundamentally different than the error I reported:
Why I'm worried: $ ls -al tidepool-hebrew-docs/docs/*.md
-rwxrwxr-x. 1 sven sven 6.3K Mar 4 13:46 tidepool-hebrew-docs/docs/patient-guide.md*
-rwxrwxr-x. 1 sven sven 74 Mar 4 13:46 tidepool-hebrew-docs/docs/test.md* The executable bit on those files is set, meaning that the proposed patch will produce the exact same error message. We either need to be smarter, or dumber. In this particular scenario, we can coach @zspitz to remove the executable bit from their |
I see four options right now:
All of these options are bad in their own way. I prefer 3, but 4 should be manageable, too. |
I would note that I am pretty much entirely developing on Windows, where (IIUC) I have to do this through Git. Admittedly, it could be argued that anyone who is familiar with Docker is also familiar with Linux permissions; but that isn't true in my case -- I've gotten to the Docker container via GitHub Actions, and have virtually no prior experience with Docker. |
Yeah, I definitely don't think you're alone in that! Permissions are important and all, but I think we can do better. Here's what I was thinking of doing in pseudocode:
Basically, the idea is see if it's executable. If it is, try and extract the shebang line and see if it is a usable command. The likelihood that anybody has a markdown document that starts with exactly Still fleshing out the implementation, but wanted to solicit input. I wonder, for example, if we need to go the extra step of checking if the shebang line has a valid command ( P.S. In my previous post I mentioned |
Sounds good! if [ "${1#-}" != "${1}" ] || \
[ ! -x "$(command -v "${1}")" ] || \
[ "$(head -c2 "${1}")" != '#!' ]
then
set -- pandoc "$@"
fi
exec "$@" |
Not my call, but I'm in favor of 1)
My (limited) experience with images for popular tools (such as pandoc) has been a simple
So I've come to expect that. I'm personally not much worried about users being confused by that, because that just means they need to understand how docker My (limited) experience has been that the multiplicative complexity of "smart" solutions bites you in the behind in the medium and long term. |
@svenevs and I had a quick chat about this and I think we now both agree with you @maxheld83. |
Isn't there a simpler solution to keep the smarts and not loose the argument issue? Check if the arg is an existing file first, then if it begins with a dash, then if it is a valid shell command. The only possible argument that can be out of order is the input filename(s) which will exist as files at run-time. |
I am not super experienced with a whole bunch of other docker images, but the ones I have used such as the R images did not seem to feature this kind of cleverness, so I am used to overwriting the entrypoint if I need to. |
We took inspiration (and most of the code for and so on. But there doesn't seem to be consensus about how the magic is supposed to work. E.g. some projects require users to specify an executable as argument, but run additional magic for some executable names, e.g. elasticsearch. Other projects keep it simple: Python doesn't set an entrypoint at all, but just sets It seems hard to identify a common theme here. In the end, there will always be users who will be surprised by our choices. I tend to agree with @maxheld83 that simplicity trumps magic, especially now that we have even better documentation in the form of pandoc-action-examples. I'd either go for |
We are gearing up for an exciting new quasi-release that adds both ubuntu based images and crossref. This will be getting pushed out as
In other words, all new images being released will have the entrypoint reverted to
Unfortunately, there is no robust enough solution to warrant its use given the kinds of errors and confusion it causes. It basically boils down to (a) CC: @RicardoLinck (#105 interested party) |
May I ask which feature(s) to be installed in which image(s); how ? cells will be filled?
|
This is our current design:
It has the drawback that we can publish |
@tarleb thanks for answering. I would wait for crossref release for every pandoc release (I have been doing so) so It is still fine for me. |
need to preserve docker entry point and tex version on these images see #78
Just for the record since this discussion seems to have wandered into other areas— Regarding the issue of entry points, since my original comment I have come around to the OP and @svenevs' way of thinking such as here. So called "smart" entry points are more trouble than they are worth. I started using them on several other projects and included a lot more smarts. It was pretty snazzy, but the edge cases just kept cropping up. I've since reverted to plain hard coded entry points that are clearly the main purpose of the container and left all the other uses to specify their own entry point. This has cleared up a lot of confusion, caused less unexpected CI errors, etc. I would support the same move for these Pandoc containers: |
Edit from future: see #78 (comment) for reversion deadlines / strategy.
The smarter entrypoint script introduced in 51cb2b6 closing #54 may add some unwelcome complexity.
For example (maybe the only case), @zspitz noticed that the entrypoint script won't let pandoc containers accept pandoc arguments and input files in arbitrary orders (see pandoc/pandoc-action-example#3 and jgm/pandoc-website#38).
@tarleb suggested to improve the auto detection, but I'm wondering whether it would not just make more sense to revert to something simple:
I know a lot of thought went into #54 so feel free to close this.
My expectation was actually that there'd be no such cleverness, and it surprised me that this could be a source of problems; much like @zspitz I would've never guessed it.
In #54, @tarleb mentioned that:
But isn't
ENTRYPOINT ["pandoc"]
the default for containers?And users can always override with
docker run --entrypoint=/bin/bash pandoc ls
, right?I'm also not sure the helper script in the dockerfile docs apply here:
(emphasis added).
But this (more than one step) isn't the case for
pandoc
, right?The text was updated successfully, but these errors were encountered: