
enable immutable installation of azure-cli

Open katexochen opened this issue 1 year ago • 4 comments

Is your feature request related to a problem? Please describe.

In some situations, it is desired to install software in an immutable way, so that its behavior cannot be changed at runtime. For example, there are distros that are immutable for security and reproducibility reasons (e.g. NixOS). For such distributions, parts or all of the file system might be read-only, and it isn't desired that applications can change their behavior themselves after installation.

The azure-cli has quite some dynamic behavior; especially the dynamic updating of commandIndex.json, extensionCommandTree.json and versionCheck.json allows altering the azure-cli behavior and dynamic updates through the azure-cli itself. In an immutable distribution, such files should likely be read-only, but there currently isn't a way to signal this intent to the azure-cli, and the cli expects these files to be writable.

Describe the solution you'd like

There are three things needed to enable this use case:

  1. Add a way to configure an immutable config directory where these files can be placed, for example using an environment variable like AZURE_IMMUTABLE_DIR. When set, the named files are read from this directory instead of the usual azure config directory.
  2. Add a command to generate these files during packaging/installation, so they can be placed in the AZURE_IMMUTABLE_DIR before it is made read only. This can already be triggered by invoking some azure-cli commands, but it would be nice to have a separate command to create these files.
  3. When AZURE_IMMUTABLE_DIR is set during runtime, don't try to regenerate/modify/update the files. Rather print a warning that the installation is immutable and cannot be dynamically updated.

Describe alternatives you've considered

Additional context

katexochen avatar Dec 25 '23 11:12 katexochen
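The three points proposed in the issue above, as an added sketch that is not part of the original issue and is not azure-cli's own code. `AZURE_IMMUTABLE_DIR` is the variable name the issue proposes and the function and class names are hypothetical; `AZURE_CONFIG_DIR` and `~/.azure` are azure-cli's existing config location.

```python
import json
import os
import warnings
from pathlib import Path

# File names taken from the issue; every function below is hypothetical.
INDEX_FILES = ("commandIndex.json", "extensionCommandTree.json", "versionCheck.json")


class ImmutableInstallWarning(UserWarning):
    """Warning category used when a write to a sealed index file is skipped."""


def config_dir(env=os.environ):
    # AZURE_CONFIG_DIR is azure-cli's existing override; ~/.azure is its default.
    return Path(env.get("AZURE_CONFIG_DIR") or Path.home() / ".azure")


def index_path(name, env=os.environ):
    """Point 1: index files resolve to AZURE_IMMUTABLE_DIR when it is set."""
    if name not in INDEX_FILES:
        raise ValueError(f"not an index file: {name}")
    sealed = env.get("AZURE_IMMUTABLE_DIR")
    return Path(sealed) / name if sealed else config_dir(env) / name


def generate_indexes(target_dir, contents):
    """Point 2: packaging-time step, run before target_dir is made read-only."""
    target = Path(target_dir)
    target.mkdir(parents=True, exist_ok=True)
    for name in INDEX_FILES:
        (target / name).write_text(json.dumps(contents.get(name, {}), sort_keys=True))


def load_index(name, env=os.environ):
    path = index_path(name, env)
    return json.loads(path.read_text()) if path.exists() else {}


def save_index(name, data, env=os.environ):
    """Point 3: never write when immutable; warn and report False instead."""
    if env.get("AZURE_IMMUTABLE_DIR"):
        warnings.warn(f"installation is immutable; not updating {name}",
                      ImmutableInstallWarning, stacklevel=2)
        return False
    path = index_path(name, env)
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(json.dumps(data, sort_keys=True))
    return True
```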

Thank you for opening this issue, we will look into it.

yonzhan avatar Dec 25 '23 11:12 yonzhan

@yonzhan any update on this?

katexochen avatar May 08 '24 11:05 katexochen

extensionCommandTree.json should be writable. When a user installs a new extension, this file needs to be updated.

bebound avatar May 10 '24 03:05 bebound

> extensionCommandTree.json should be writable. When a user installs a new extension, this file needs to be updated.

@bebound the premise of this issue is that it isn't, and a user won't be able to install dependencies manually at runtime. However, it is possible to install extensions at build/install time.

If you like, take a look at the patch (https://github.com/NixOS/nixpkgs/pull/276695/files#diff-adaa6028ca555f7a9ef98a985e944653898b95cd4e55f10ae8e3df51d287d2ea) we are applying in nixpkgs, where we move the extensions index into the nix store, which is read-only.

katexochen avatar May 13 '24 09:05 katexochen