Create directory for common unprivileged app dependencies
ClosedPublic
Actions

Authored by dduvall on Aug 23 2017, 5:12 PM.

Details

Reviewers

thcipriani
mobrovac
mmodell

Group Reviewers

Release-Engineering-Team

Commits

rGBLBR588a5eec5428: Create directory for common unprivileged app dependencies

Patch without arc

git checkout -b D756 && curl -L https://phabricator.wikimedia.org/D756?download=true | git apply

Summary

Establish /opt/lib as the location for installing application
dependencies that are installed via unprivileged execution and from
untrusted sources. The directory is created during the privileged build
phase and owned by the unprivileged runtime user.

Depends on D741

Test Plan

Run go test ./... or arc unit.

Diff Detail

Repository

rGBLBR Blubber

Lint

Automatic diff as part of commit; lint not applicable.

Unit

Automatic diff as part of commit; unit tests not applicable.

Event Timeline

dduvall created this revision.Aug 23 2017, 5:12 PM

Restricted Application added a reviewer: mmodell. · View Herald TranscriptAug 23 2017, 5:12 PM

Restricted Application added a reviewer: Release-Engineering-Team. · View Herald Transcript

Restricted Application added a project: Release-Engineering-Team. · View Herald Transcript

Harbormaster completed remote builds in B2146: Diff 1993.Aug 23 2017, 5:12 PM

dduvall added a child revision: D757: Install node modules into common local directory.Aug 23 2017, 5:16 PM

mobrovac added inline comments.Aug 24 2017, 2:22 PM

config/runs.go
9	Why `/opt/local` ? Also, would it be possible to configure it rather than hard-code it?

I remember talking about the necessity for this directory.

Accepting this revision to unblock additional patches; however, I think this should either be made configurable (as @mobrovac suggests) and/or follow the conventions being established in T169998: RFC: Container path conventions

This revision is now accepted and ready to land.Aug 29 2017, 4:01 PM

dduvall added inline comments.Aug 31 2017, 9:17 PM

config/runs.go
9	I chose `/opt/local` based on my (probably incorrect) interpretation of its role in the FHS. Looking at FHS 3.0 now, I would say `/opt/lib` is more correct but I honestly think this is just one of those things that could be debated endlessly. There are currently limitations of scope between config elements that prevents this from being configurable at the moment but I plan on factoring out those limitations soon.

I'm ok with it with the caveat that I'd like to see a refectoring of the code to allow this path to be configurable.

Ups, forgot to accept :)

mmodell accepted this revision.Sep 5 2017, 9:39 AM

Changed shared lib directory to /opt/lib

Closed by commit rGBLBR588a5eec5428: Create directory for common unprivileged app dependencies (authored by dduvall). · Explain WhySep 5 2017, 4:33 PM

This revision was automatically updated to reflect the committed changes.

dduvall mentioned this in D759: Define `NODE_ENV` and always define `NODE_PATH`.Sep 5 2017, 5:34 PM

Revision Contents
Changeset List

			Path	Packages
M			config/runs.go (8 lines)
M			config/runs_test.go (2 lines)
M			config/variant.go (6 lines)

Diff	ID	Base	Description	Created	Lint	Unit
Base			Base
Diff 1	1993	6b11245		Aug 23 2017, 5:12 PM	★	★
Diff 2	2026	a0ece14	Changed shared lib directory to /opt/lib	Sep 5 2017, 4:31 PM	★	★
Diff 3	2027	a0ece14	rGBLBR588a5eec5428de559f55207b72e5e35a8ad72719	Sep 5 2017, 4:32 PM	★	★

Status	Author	Revision
Closed	dduvall	D770 Add shared lib node module bins to PATH
Closed	dduvall	D769 Smarter copies/sharedvolume/default behavior
Closed	dduvall	D768 Support `copies` config entry for multi-stage builds
Closed	dduvall	D759 Define `NODE_ENV` and always define `NODE_PATH`
Closed	dduvall	D757 Install node modules into common local directory
Closed	dduvall	D756 Create directory for common unprivileged app dependencies
Closed	dduvall	D741 Use real types for build instructions