This repository was archived by the owner on Sep 30, 2024. It is now read-only.
docker-images: explicitly create storage folders in Dockerfile… #7991
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ggilmore
changed the title
uwedeportivo
approved these changes
Jan 23, 2020
There was a problem hiding this comment.
@ggilmore walked me through these changes yesterday, and his description of this PR is super nice.
i don't have concerns about the prometheus image changes.
LGTM
|
@uwedeportivo We'll need to release a new version of sourcegraph/prometheus. What should the tag be? It's currently at |
|
actually sourcegraph/prometheus versioning is decoupled from prometheus/prometheus versioning |
|
The kubernetes upgrade path seems to work fine. I’ll merge this in the
morning and cherry pick this into 3.12
…On Thu, Jan 23, 2020 at 4:44 PM uwedeportivo ***@***.***> wrote:
actually sourcegraph/prometheus versioning is decoupled from
prometheus/prometheus versioning
it's at 10.0.6 (version.sh in docker-images/prometheus). so 10.0.7 ?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<https://github.com/sourcegraph/sourcegraph/pull/7991?email_source=notifications&email_token=ACE2UOZ5HZP5AOAINOXF4BDQ7I2V5A5CNFSM4KK4DXX2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJZL2VY#issuecomment-577944919>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACE2UOYFRC3CH7NMJIUN33DQ7I2V5ANCNFSM4KK4DXXQ>
.
|
ggilmore
changed the title
ggilmore
added a commit
that referenced
this pull request
Jan 24, 2020
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Part of #7829
See also https://github.com/sourcegraph/infrastructure/pull/1792
Many of our docker images write to external volumes for caches, data storage, etc. The file system permissions are identical from both the container's and host's POV.
For example, let's say you mount a folder (
/data) into a container and on the host, only uid11has r/w access to it. If the container is running as some other unprivileged user (say uid22) then the container process can't access the folder. This is the source of all the permission issues/container crashes in #7829.There are multiple ways to mount volumes in Docker:
When using bind mounts, what we currently tell people to do by default, if the host folder that's being mounted has mismatched file permissions you're forced to run
chmodcommands as a workaround. This is hacky, brittle, and might not be possible to run in every environment.When using 'named' volumes, the method that's recommended in the official documentation, the volume's initial contents and permissions are propagated from the container. However, this only applies if the path in the container that the volume is being attached to existed beforehand (otherwise, the volume will be attached with root permissions).
This PR ensures that all of the storage paths in our docker images are created ahead of time in their respective Dockerfiles with permissions that are accessible to our "sourcegraph" user.
There was one complication with https://github.com/sourcegraph/sourcegraph/tree/master/docker-images/prometheus. The upstream image that we inherit from explicitly declares a
VOLUMEin the Dockerfile with permissions that are only writeable via their default "nobody" user. It is not possible to change the permissions on this volume with a Dockerfile that inherits from this image. (Note that using explicitVOLUME's in Dockerfiles has been a long-standing complaint of many base images: docker-library/postgres#404, moby/moby#3465, moby/moby#3465). The workaround used here is to effectively copy the upstream Dockerfile's assets into our own Dockerfile that deliberately omits thatVOLUMEdirective. We'll need to ensure that our Dockerfile is kept in sync whenever we need to upgrade the Prometheus version, but https://github.com/prometheus/prometheus/commits/master/Dockerfile doesn't change all that often in practice.--- Test plan
I'm pretty confident our users won't need to do any manual migration due to this change. (Our k8s configuration still runs all our images as root, and anyone still using bind mounts shouldn't have to do anything since the existing host folder's permissions still override anything that's set in the container).
However, just to be sure, we'll need to test a fresh kubernetes deployment, the kubernetes upgrade path, and a fresh docker-compose deployment( note that https://github.com/sourcegraph/deploy-sourcegraph-docker/tree/permission depends on changes from this PR). This change doesn't affect sourcegraph/server.