
Failures updating python packages in dev environment following Linux Docker improvements
Closed, Resolved | Public | BUG REPORT

Description

Follow up to T295318: Fix Toolhub developer environment tooling to work on Linux hosts:

There are additional permissions problems inside the "web" (python) container related to the runtime user change.

  1. make web-shell does not set the new runtime $HOME in the environment, which causes failures for poetry attempting to cache pip information for operations like poetry add $package.
  2. When the $HOME issue is corrected, poetry add $package fails with a permissions error writing to the virtual environment (venv) at /opt/lib/poetry/toolhub-{random hash}-py3.7 inside the container.

The first is a relatively easy fix of adjusting the Makefile command. The second is a trickier issue to resolve without the ability to sudo in the container to change permissions. We could attempt to work around it via rebuilding the venv as the runtime user in some other location at container startup, but hopefully there is some less computationally expensive solution to be found.

Event Timeline

bd808 changed the subtype of this task from "Task" to "Bug Report". (Nov 16 2021, 9:11 PM)

A temporary workaround for users of Docker Desktop for macOS (which does not have the volume mount permissions issue of blocking writes when the runtime container user and the host OS user have mismatched effective UID values) is to set LOCAL_UID=65533 and LOCAL_GID=65533 in your .env. This keeps the runtime effective UID the same during container build and container runtime, which in turn eliminates the file ownership issues for files created during container build.

This also hints that it may be possible to make things work better generally by finding a way to vary the UID/GID for the "somebody" user inside the container at build time. That would allow matching build time and runtime UID/GID across platforms.

For Linux users (and I suspect everyone else), it is possible to log into the container where you want to install the package using docker container exec -u 0 -it <container name> bash. This allows you to log into the container as root so you can install packages with poetry add <package name>.

This is obviously a hack, but it does help in getting yourself unblocked while we work on a fix for this issue.

bd808 changed the task status from Open to Stalled. (Apr 25 2022, 7:32 PM)
bd808 triaged this task as Medium priority.
bd808 moved this task from Backlog to Radar on the Toolhub board.
bd808 changed the task status from Stalled to In Progress. (Jul 1 2022, 5:18 PM)
bd808 moved this task from Radar to Review on the Toolhub board.

Change 810390 had a related patch set uploaded (by BryanDavis; author: Bryan Davis):

[wikimedia/toolhub@main] dev: set build time effective UID/GID

https://gerrit.wikimedia.org/r/810390

Change 810390 merged by jenkins-bot:

[wikimedia/toolhub@main] dev: set build time effective UID/GID

https://gerrit.wikimedia.org/r/810390

This should be fixed now. Please do reopen if the ARGS integration with docker-compose added in https://gerrit.wikimedia.org/r/c/wikimedia/toolhub/+/810390/ is found to be insufficient.
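
A check that can be run as the normal runtime user inside the "web" container to confirm that files created at build time are owned by the UID the container runs as, so no root shell is needed for poetry add. This is an added example, not Toolhub's own code; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not Toolhub code): verify that a directory tree created at
# image build time is owned by the UID the container actually runs as.

# count_foreign_owned DIR [UID]
# Prints how many entries under DIR are NOT owned by UID
# (default: the current effective UID). Returns 2 if DIR is not a directory.
count_foreign_owned() {
    dir=$1
    want_uid=${2:-$(id -u)}
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    # -user accepts a numeric ID, so this works even when the UID has no
    # passwd entry inside the container.
    find "$dir" ! -user "$want_uid" -print | wc -l | tr -d ' '
}

# venv_usable DIR
# Succeeds only if the runtime user owns everything under DIR and can write
# to DIR itself, which is what "poetry add" needs.
venv_usable() {
    dir=$1
    n=$(count_foreign_owned "$dir") || return 2
    if [ "$n" -ne 0 ]; then
        echo "uid $(id -u): $n entries under $dir have another owner" >&2
        return 1
    fi
    [ -w "$dir" ] || { echo "uid $(id -u): $dir is not writable" >&2; return 1; }
}

# Usage inside the container (the glob stands in for the random hash):
#   venv_usable /opt/lib/poetry/toolhub-*-py3.7
```

A non-zero exit from venv_usable means the build-time and runtime UIDs still differ for that tree.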