Horust icon indicating copy to clipboard operation
Horust copied to clipboard

Published 20 hours ago verified publisher icon FedericoPonzi

Permission fixer scripts

Open FedericoPonzi opened this issue 5 years ago • 2 comments

Something similar to: https://github.com/just-containers/s6-overlay#fixing-ownership--permissions

Usually when you start a docker container, you want to fix permissions on the volumes (so needs to happen at runtime and not build time). Without this feature, you would need to create a service which runs and won't be restarted, which is a bit ugly because services are long running processes and one shot services are not suitable for being supervised.

The idea is to provide a format similar to s6-overlay's.

This is suitable if you want to avoid spawning another process and thus makes faster startups.

FedericoPonzi avatar Mar 07 '20 11:03 FedericoPonzi

The relevant section from the s6-overlay's docs:

Fixing ownership & permissions

Sometimes it's interesting to fix ownership & permissions before proceeding because, for example, you have mounted/mapped a host folder inside your container. Our overlay provides a way to tackle this issue using files in /etc/fix-attrs.d. This is the pattern format followed by fix-attrs files:

path recurse account fmode dmode
  • path: File or dir path.
  • recurse: (Set to true or false) If a folder is found, recurse through all containing files & folders in it.
  • account: Target account. It's possible to default to fallback uid:gid if the account isn't found. For example, nobody,32768:32768 would try to use the nobody account first, then fallback to uid 32768 instead. If, for instance, daemon account is UID=2 and GID=2, these are the possible values for account field:
    • daemon: UID=2 GID=2
    • daemon,3:4: UID=2 GID=2
    • 2:2,3:4: UID=2 GID=2
    • daemon:11111,3:4: UID=11111 GID=2
    • 11111:daemon,3:4: UID=2 GID=11111
    • daemon:daemon,3:4: UID=2 GID=2
    • daemon:unexisting,3:4: UID=2 GID=4
    • unexisting:daemon,3:4: UID=3 GID=2
    • 11111:11111,3:4: UID=11111 GID=11111
  • fmode: Target file mode. For example, 0644.
  • dmode: Target dir/folder mode. For example, 0755.

Here you have some working examples:

/etc/fix-attrs.d/01-mysql-data-dir:

/var/lib/mysql true mysql 0600 0700

/etc/fix-attrs.d/02-mysql-log-dirs:

/var/log/mysql-error-logs true nobody,32768:32768 0644 2700
/var/log/mysql-general-logs true nobody,32768:32768 0644 2700
/var/log/mysql-slow-query-logs true nobody,32768:32768 0644 2700

FedericoPonzi avatar Mar 07 '20 15:03 FedericoPonzi

I think with the same PR, we should add some general mechanism for system initialization. I would like to see some intuitive directory hierarchy that allows system initialization, with: 1. permissions fixer scripts 2. one.shot scripts. I'm wondering if it would make sense to allow also "one shot services" which could be run as reaction to other services status. So something like:

type = oneshot
after = ["boot.service" : "exited"]

FedericoPonzi avatar Aug 03 '20 12:08 FedericoPonzi