coq-community / docker-coq

Docker images of the Coq proof assistant (see also: https://github.com/coq-community/docker-coq-action) [maintainers=@erikmd,@himito]

Home Page:https://hub.docker.com/r/coqorg/coq/

pending change: Docker-Coq's default umask

erikmd opened this issue · comments

Cc @Zimmi48 @proux01 @Blaisorblade @palmskog @JasonGross @Alizter @tchajed @anton-trunov @liyishuai FYI:

To overcome (part of) the usual permissions issues with Docker images, I plan to change the default umask in a couple of days (no sooner than this Friday, 8 March).

Typically: change the /home/coq/.opam subdirectories' permissions so they are 775, instead of 755.

(Don't worry, I definitely don't think of 777, and I don't plan to change the UID:GID of the main user either!)

So, I don't see this as a non-backward-compatible patch, but given this is not a tiny change,
this is an "issue heads-up" allowing one to react, if some of you have concerns about such a move!

Kind regards

Is this specifically about the permission issue here?

https://github.com/coq-community/docker-coq-action#permissions

I'm guessing that we don't need to do anything on our end, but we could probably remove the permissions workarounds that we have once it is done, right?

> Is this specifically about the permission issue here?

Not this one: the issue documented at https://github.com/coq-community/docker-coq-action#permissions
appears because the container user coq=1000:1000 can't directly touch the github-actions workspace.
I plan to fix this as well in the next release of docker-coq-action,
using coq-community/docker-coq-action#86 (comment)

The issue that motivates #63 is a converse issue: it appears because some use cases that reuse Docker-Coq (within a CDE)
require spinning up a shell with a different user than 1000:1000, and the current workaround is to do something like
`sudo chown $uid:$gid -R /home/coq/.opam`, which is very expensive. With the intended fix, we will just need to do
`sudo usermod -aG coq $USER`, which is "O(1)" ^^

> I'm guessing that we don't need to do anything on our end, but we could probably remove the permissions workarounds that we have once it is done right?

Correct. The workarounds for https://github.com/coq-community/docker-coq-action#permissions will just become no-ops.

First commit: coqorg/base:5.0.0 from coq-community/docker-base@9e46553 after 12 minutes 56 seconds

`tree -arp /home/coq`: docker-base-5.0.0_9e46553_tree.txt

Second commit: coqorg/base:5.0.0 from coq-community/docker-base@510d5d2 after 12 minutes 44 seconds

`tree -arp /home/coq`: docker-base-5.0.0_510d5d2_tree.txt

Summary: both commits are useful, and the chmod -R g=u /home/coq/.opam command induced no build-time overhead.
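
As an added illustration (not part of the thread or of the docker-coq repositories): the script below builds a constructed tree in a temporary directory standing in for /home/coq/.opam, applies the `chmod -R g=u` command from the summary above, and audits that group bits now equal owner bits while nothing became world-writable. The helper names and the `umask 002` step are assumptions chosen to match the 775 target.

```shell
#!/bin/sh
# Added example: all paths are constructed under a temp dir; nothing touches /home/coq.

# Create entries the way a umask of 022 leaves them: dirs 755, files 644.
make_tree_umask022() {
    ( umask 022
      mkdir -p "$1/default/bin" "$1/default/lib"
      echo 'constructed sample' > "$1/default/lib/pkg.conf"
      printf '#!/bin/sh\n' > "$1/default/bin/tool"
      chmod 755 "$1/default/bin/tool" )
}

# Count entries whose group permission triplet differs from the owner triplet.
count_group_mismatches() {
    find "$1" -exec ls -ld {} + |
        awk '{ if (substr($1, 2, 3) != substr($1, 5, 3)) n++ } END { print n + 0 }'
}

# Count non-symlink entries writable by "other" (the 777-style result to avoid).
count_world_writable() {
    find "$1" ! -type l -perm -002 | wc -l | tr -d ' '
}

run_demo() {
    tmp=$(mktemp -d) || return 1
    make_tree_umask022 "$tmp/opam"
    before=$(count_group_mismatches "$tmp/opam")

    chmod -R g=u "$tmp/opam"        # command quoted in the thread's summary
    after=$(count_group_mismatches "$tmp/opam")

    # Assumed umask 002: entries created later stay group-writable (775/664)
    # without another recursive chmod.
    ( umask 002; mkdir "$tmp/opam/new"; : > "$tmp/opam/new/file" )
    later=$(count_group_mismatches "$tmp/opam")
    world=$(count_world_writable "$tmp/opam")

    rm -rf "$tmp"
    echo "before=$before after=$after later=$later world_writable=$world"
}

run_demo
```

Pointing `count_group_mismatches` and `count_world_writable` at the real /home/coq/.opam inside a container gives the same audit for an actual image.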