Permissions `0555` for content does not work.

Open gabyx opened this issue 9 months ago • 4 comments

What steps did you take:

I want files to become read-only with 0555:

apiVersion: vendir.k14s.io/v1alpha1
kind: Config

directories:
  - path: external/custodian
    permissions: 0700

    contents:
      - path: .
        git:
          url: https://gitlab.com/data-custodian/custodian.git
          ref: fix/tooling
          depth: 1

        includePaths:
          - tools/just/**/*

        newRootPath: "tools/just"
        permissions: 0555
        legalPaths: []

vendir --file vendir.yaml

What happened:

vendir: Error: Syncing directory 'external/custodian':
  Moving staging directory '.vendir-tmp-1894435614/staging' to final location 'external/custodian': rename .vendir-tmp-1894435614/staging external/custodian: permission denied

What did you expect:

Files in external/content should be made 0555 (read-only), but they can't.

gabyx avatar May 05 '25 11:05 gabyx

The permissions field sets the directory permissions you define, not the content. I do not think that there is a way for you to change the permissions for the folder's content.

joaopapereira avatar May 06 '25 15:05 joaopapereira

@joaopapereira: Hm... ok, if the content cannot be changed, how can I make the files read-only? That's basically what I wanted.

Couldn't vendir do that technically? I mean it does not even need sudo...

gabyx avatar May 12 '25 06:05 gabyx

I think that #250 is about something similar to what you are asking. The main issue I see with this feature is what will happen if there are folders inside the things you are syncing in; an example:

apiVersion: vendir.k14s.io/v1alpha1
kind: Config
directories:
- path: config/_ytt_lib
  contents:
  - path: app
    git:
      url: https://github.com/carvel-dev/ytt-library-for-kubernetes
      ref: origin/develop
    newRootPath: app

vendir sync
Fetching: config/_ytt_lib + app (git from https://github.com/carvel-dev/ytt-library-for-kubernetes@origin/develop)

  --> git init
  warning: templates not found in /Users/joaopereira/.git_templates
  Initialized empty Git repository in /Users/joaopereira/workspace/carvel/kbld/tmp/.vendir-tmp-2005978411/incoming/git/.git/
  --> git config credential.helper store --file /Users/joaopereira/workspace/carvel/kbld/tmp/.vendir-tmp-2005978411/incoming/git-auth/.git-credentials
  --> git remote add origin https://github.com/carvel-dev/ytt-library-for-kubernetes
  --> git config remote.origin.tagOpt --tags
  --> git fetch origin develop
  From github.com:carvel-dev/ytt-library-for-kubernetes
   * branch            develop    -> FETCH_HEAD
   * [new branch]      develop    -> origin/develop
  --> git -c advice.detachedHead=false checkout develop
  Switched to a new branch 'develop'
  branch 'develop' set up to track 'origin/develop'.
  --> git submodule update --init --recursive
  --> git rev-parse HEAD
  bba7985ed8ac94bb55b95cfaf20cbcd3521b8f88
  --> git describe --tags bba7985ed8ac94bb55b95cfaf20cbcd3521b8f88
  fatal: No names found, cannot describe anything.
  --> git log -n 1 --pretty=%B bba7985ed8ac94bb55b95cfaf20cbcd3521b8f88
  Merge pull request #7 from carvel-dev/nh-fix-add-to-issues

  Fix add-to-issues to point to carvel-dev

Lock config

apiVersion: vendir.k14s.io/v1alpha1
directories:
- contents:
  - git:
      commitTitle: 'Merge pull request #7 from carvel-dev/nh-fix-add-to-issues...'
      sha: bba7985ed8ac94bb55b95cfaf20cbcd3521b8f88
    path: app
  path: config/_ytt_lib
kind: LockConfig

Succeeded

After that we chmod the directory: chmod u-w config/_ytt_lib/*

If we try to sync again:

vendir sync
Fetching: config/_ytt_lib + app (git from https://github.com/carvel-dev/ytt-library-for-kubernetes@origin/develop)

  --> git init
  warning: templates not found in /Users/joaopereira/.git_templates
  Initialized empty Git repository in /Users/joaopereira/workspace/carvel/kbld/tmp/.vendir-tmp-3736058965/incoming/git/.git/
  --> git config credential.helper store --file /Users/joaopereira/workspace/carvel/kbld/tmp/.vendir-tmp-3736058965/incoming/git-auth/.git-credentials
  --> git remote add origin https://github.com/carvel-dev/ytt-library-for-kubernetes
  --> git config remote.origin.tagOpt --tags
  --> git fetch origin develop
  From github.com:carvel-dev/ytt-library-for-kubernetes
   * branch            develop    -> FETCH_HEAD
   * [new branch]      develop    -> origin/develop
  --> git -c advice.detachedHead=false checkout develop
  Switched to a new branch 'develop'
  branch 'develop' set up to track 'origin/develop'.
  --> git submodule update --init --recursive
  --> git rev-parse HEAD
  bba7985ed8ac94bb55b95cfaf20cbcd3521b8f88
  --> git describe --tags bba7985ed8ac94bb55b95cfaf20cbcd3521b8f88
  fatal: No names found, cannot describe anything.
  --> git log -n 1 --pretty=%B bba7985ed8ac94bb55b95cfaf20cbcd3521b8f88
  Merge pull request #7 from carvel-dev/nh-fix-add-to-issues

  Fix add-to-issues to point to carvel-dev

vendir: Error: Syncing directory 'config/_ytt_lib':
  Deleting dir config/_ytt_lib: unlinkat config/_ytt_lib/app/deployment.yml: permission denied

The chmod itself would not be a problem, but I think that the next sync might be.

As I said in the beginning, that other issue talks about post-sync hooks, which might be an interesting approach that we could think about implementing, but in the end, the problem I stated above still can happen. Changing the way vendir replaces the folders after the sync could solve this, but not sure what other consequences might come from it.

joaopapereira avatar May 16 '25 15:05 joaopapereira

I thought that the options for permission are essentially that: you can make it writable only but vendir sync still works because it handles that like toggling the folder writable (or deleting it) and then syncing again and then making it again read-only. But somehow that's not what it does, which is a bit weird :)?

gabyx avatar May 29 '25 18:05 gabyx
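
The two errors quoted in this thread come from the same place: vendir replaces a vendored directory by deleting the old tree and renaming a staging directory into its place, and both operations are refused once the tree (or the staging directory itself) is 0555. The script below is an added example, not vendir code and not something either participant posted. `fake_sync` is a constructed stand-in that performs only those two filesystem steps on a constructed sample tree (the real tool does the git fetch first), `real_sync` is a hypothetical wrapper around the `vendir sync` command from the thread, and `sync_readonly` implements the "make writable, sync, lock down" toggle the previous comment describes. The failure demonstration assumes a non-root user, since root bypasses mode bits.

```shell
#!/bin/sh
# Added example, not code from vendir or from the issue's participants.
# Reproduces the two filesystem steps visible in the logs above (delete the
# old directory, rename the staging directory into place) with a stand-in
# sync function, shows why a 0555 tree breaks them, and wraps the sync in the
# "make writable -> sync -> lock down" sequence proposed in the thread.
# Assumptions: POSIX sh, GNU or BSD stat, a non-root user for the failure demo.
set -eu

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed stand-in for `vendir sync`: builds a staging tree next to the
# target, deletes the existing target ("Deleting dir ...: unlinkat ..." in the
# log) and renames staging into place ("Moving staging directory ...").
# Returns 1 when either step is refused, as the real tool reported.
fake_sync() {
    target=$1
    tmp=$(mktemp -d "$(dirname "$target")/.vendir-tmp-XXXXXX")
    staging=$tmp/staging
    mkdir -p "$staging/app"
    printf 'kind: Deployment\n' > "$staging/app/deployment.yml"  # constructed content
    if [ -d "$target" ] && ! rm -rf "$target"; then
        rm -rf "$tmp"; return 1
    fi
    if ! mv "$staging" "$target"; then
        rm -rf "$tmp"; return 1
    fi
    rmdir "$tmp"
}

# Hypothetical real counterpart for the wrapper below; not exercised here.
real_sync() {
    vendir sync
}

# The toggle: restore write access to the vendored tree so delete and rename
# can proceed, run the sync, then set 0555 on every file and directory.
sync_readonly() {
    target=$1
    sync=$2
    if [ -d "$target" ]; then
        chmod -R u+w "$target"          # unlink needs write on the directories
    fi
    "$sync" "$target" || return 1
    chmod -R 0555 "$target"             # the permission the issue asks for
}

# First error from the issue: a staging directory that is itself 0555 cannot
# be renamed under a new parent, because rename(2) must rewrite its ".."
# entry. Returns 0 when the rename is refused (non-root only).
rename_of_readonly_dir_fails() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/tmp/staging" "$scratch/external"
    chmod 0555 "$scratch/tmp/staging"
    if mv "$scratch/tmp/staging" "$scratch/external/custodian" 2>/dev/null; then
        chmod -R u+w "$scratch"; rm -rf "$scratch"; return 1
    fi
    chmod -R u+w "$scratch"; rm -rf "$scratch"
}

# Stand-alone demo: two consecutive syncs into a locked tree, both succeed.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)/vendored
    sync_readonly "$d" fake_sync
    echo "file mode after first sync: $(mode_of "$d/app/deployment.yml")"
    sync_readonly "$d" fake_sync
    echo "dir mode after second sync: $(mode_of "$d")"
fi
```

Run it with `sh script.sh demo`. To use the wrapper against a real vendored directory, call `sync_readonly external/custodian real_sync` from the directory holding vendir.yaml; the `u+w` step is what makes the second and later syncs succeed, and the final `chmod -R 0555` gives the files the mode the `permissions` field alone does not apply to content.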

This issue is being marked as stale due to a long period of inactivity and will be closed in 5 days if there is no response.

github-actions[bot] avatar Jul 09 '25 00:07 github-actions[bot]