New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Make write access work by default on Linux #11
Comments
It not being writable would be a bug. Definitely not something that should be documented, but rather fixed. The 99% use case of fresh-node as I use it every day is to run Can you paste the Docker distro/version, Linux distro/version, Fresh version, parameters to fresh-node, and the permissions of the MW directory? |
I've got Ubuntu 18.04 with 4.15.0-43-generic docker version
fresh-node
from my machine
from fresh
But still I get this when I run
|
Can you check your Docker agent configuration? Maybe there is something there that is limiting the daemon from writing to this directory. I cannot reproduce this on macOS. |
I also have this problem but not enough time to dig into it right now. As far as I know the issue is that fresh is actually running (normally) as UID 65534. In my case this is also nobody on the machine running docker. This unsurprisingly doesn't have permission to source files owned by my user. What we have done in the past is things like this: https://gerrit.wikimedia.org/r/plugins/gitiles/mediawiki/extensions/Wikibase/+/master/client/data-bridge/Dockerfile e.g. building images that use to correct permissions as the developer user account. It looks like with some cursory googling but almost 0 OSx knowledge on my part that the mac docker agent does some special permission faking to make it appear that the container process has ownership even if normally it wouldn't. See https://docs.docker.com/docker-for-mac/osxfs/#ownership I think on Linux nothing special is done like this at all so given the container if running as nobody it has the same permissions as nobody on the host (i.e. not enough to write to my user dir) |
Thanks, I also found https://denibertovic.com/posts/handling-permissions-with-docker-volumes/ based on this. It looks to me like Docker is effectively broken on Linux then. I realise now the internals of why this is hard and difficult, but the use case of being able to mount a directory and have it be read-write seems rather important and should be able to work out of the box with nothing more than run-time flag to I'm open to other suggestions for how to get this working :) |
On an upstream issue (moby/moby#2259) I noticed the following comment:
This may be worth trying out. Not just for fixing read-write on Linux, but also more generally to avoid needing root (ref #4). |
I can confirm that podman works, but the script needs some modification:
So the final command looks something like: podman run --userns=keep-id --rm --interactive --tty -e 'HOME=/tmp' \
--mount=type=bind,source="$mountsrc",destination="$mountdest" \
$( if [ -n "$bind_git_ro" ]; then printf %s "--mount=type=bind,source="$mountsrc"/.git,target="$mountdest"/.git,readonly"; fi ) \
${docker_args[@]+"${docker_args[@]}"} \
--entrypoint /bin/sh \
"$imagename:$imageversion" \
-c "cd $mountdest/;$welcomecmd;bash" |
I had this same issue on Ubuntu v19.10. I added |
While trying to play video games, I came across this similar approach which seems to suggest the idea works for some: add_run_args_for_as_me () {
USER_HOME="${HOME}"
WORKDIR="${USER_HOME}"
add_run_arg --env="USER_NAME=$(whoami)"
add_run_arg --env="USER_UID=$(id -u)"
add_run_arg --env="USER_GID=$(id -g)"
add_run_arg --env="USER_HOME=${USER_HOME}"
} These variables appear to feed into the entrypoint which otherwise defaults to presumably sensible values. There are likely some Windows eccentricities in the script but I thought the structure of it looked nice and it might overall be a good reference to consider. I'm sure there's other Docker wrappers out that solve similar problems too but happened upon this one. |
I found similar ideas in the upstream issue at moby/moby#2259. However, I got the impression that was frowned upon by some more seasoned Linux users because these user IDs would not actually exist within the container. It's interesting that Linux apparently allows mounting directories in a way that has foreign/unregistered user IDs associated with some if its files, and even allows a shell to be opened acting as a user ID that doesn't exist. The down side, as I gather from various comments at moby/moby#2259, is that various programs don't work if you invoke docker-run this way due to there being no username available, no home shell or home directory etc. The workaround mentioned there in various different forms (incl. a stackoverflow answer) is to call But, maybe we're lucky to not yet have needed any program or npm package that fails under these conditions. I certainly don't mind giving it a try! |
Seems to have made it into docker-wine's entrypoint too. I can corroborate NFS id / group mapping difficulties irrespective of Docker! |
This allows write access to work on Linux hosts. See #11 for discussion. h/t to @niedzielski for the suggestion. Change-Id: I836534f71d55985d5720b7d8e1e708c7f93ebd45
When using fresh under Linux with
npm install
you mostly get write access errors. It might be nice to add a hint about the rights needed to the readme.In that case it's also a bit misleading, that the script says something like
/mediawiki (read-write)
although the directory is not writable.The text was updated successfully, but these errors were encountered: