
Convert wdqs docker image to not run blazegraph as root
Closed, Resolved. Public. 8 Estimated Story Points.


Currently the wdqs docker images in the wikibase-docker repo run blazegraph as root and should not.

A new user "blazegraph" should be created in the docker image and used for running the blazegraph process.
In order to remain backward compatible the entry point may have to have checks in place running as root to alter file permissions of files such as the wdqs journal file.
The final blazegraph process however should run as the new user "blazegraph".

Acceptance criteria

  • blazegraph process is not run as root, instead run as the new "blazegraph" user
  • Users previously running blazegraph as root should not have any issues when upgrading to new image (with file permissions etc)
  • All wdqs docker image versions are updated
  • Follow best practices for creating users and groups in docker images, this probably means specifying the user ID and group ID when creating the user

Event Timeline

Restricted Application added a subscriber: Aklapper.
Addshore triaged this task as Medium priority. Nov 5 2019, 12:02 PM
Addshore set the point value for this task to 8.
Addshore moved this task from Ready to estimate to Ready to pick up on the Wikidata-Campsite board.

This is mostly done except for the existing volumes part. No matter what I do, an existing volume is still owned by root, causing the whole thing to fail:

amsa@amsa-Latitude-7480:~/wikibase-docker$ docker-compose run wdqs /bin/bash
bash-4.4$ ls -l
total 84916
-rw-r--r--    1 blazegra blazegra      3252 Dec 13 12:01
-rw-r--r--    1 blazegra blazegra  79796363 Nov 27 12:44 blazegraph-service-0.3.10-SNAPSHOT.war
-rwxrwxr-x    1 blazegra blazegra       448 Jul 17 10:42
drwxr-xr-x    2 root     root          4096 Jul  9 15:56 data
-rw-rw-r--    1 blazegra blazegra      1483 Jul 17 10:42
drwxrwxr-x    1 blazegra blazegra      4096 Aug 22 10:09 docs
-rwxrwxr-x    1 blazegra blazegra       344 Jul 17 10:42
-rw-rw-r--    1 blazegra blazegra   7074499 Jul 17 11:20 jetty-runner-9.4.12.v20180830.jar
-rw-rw-r--    1 blazegra blazegra      2202 Jul 17 10:42 ldf-config.json
drwxr-xr-x    1 blazegra blazegra      4096 Nov 27 12:52 lib
-rwxrwxr-x    1 blazegra blazegra      1133 Jul 17 10:42
-rwxrwxr-x    1 blazegra blazegra       949 Jul 17 10:42
-rwxrwxr-x    1 blazegra blazegra       824 Jul 17 10:42
-rwxrwxr-x    1 blazegra blazegra      1345 Jul 17 10:42
-rwxr-xr-x    1 blazegra blazegra       833 Nov 13 16:01
-rw-r--r--    1 blazegra blazegra      2431 Dec 16 14:11 mwservices.json
-rw-rw-r--    1 blazegra blazegra         0 Jul 17 10:42 prefixes.conf
drwxrwxr-x    1 blazegra blazegra      4096 Jul 17 10:42 queries
-rwxrwxr-x    1 blazegra blazegra      3603 Jul 17 10:42
-rwxr-xr-x    1 blazegra blazegra      2656 Nov 13 16:01
-rw-rw-r--    1 blazegra blazegra      2901 Jul 17 10:42 services.json
-rw-r--r--    1 blazegra blazegra      2721 Dec 13 12:01 whitelist.txt

Any ideas?

The current WIP is

Some notes: and

Okay, after talking to Adam about it in Mattermost, we decided to go with the solution of running the entry point as root and then changing to non-root later.

Ready for review now.

It should be verified that the docker image newly built by CI works as expected.

Tarrow added a subscriber: Tarrow.

Happy to say this appears to be done.
Tested by:

  • Checking the user inside the container using docker-compose run
  • Checking the image starts and the updater was able to write, then I was able to query
  • Breaking the permissions on the volume
  • Running the image again and seeing it correctly chown'ed
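
The approach settled on in this task (entry point starts as root, repairs ownership of an existing volume, then runs the service as "blazegraph") can be sketched as the entry point below. This is an added example, not the code merged in wikibase-docker; it assumes `su-exec` is installed in the image, and the `DATA_DIR` path and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: root-then-drop entry point. Names and paths are assumptions.
set -eu

RUN_AS="${RUN_AS:-blazegraph}"      # user created in the image (from the task)
DATA_DIR="${DATA_DIR:-/wdqs/data}"  # hypothetical mount point of the data volume

# Print "uid:gid" of a path (GNU coreutils and BusyBox stat both accept -c).
owner_of() { stat -c '%u:%g' "$1"; }

# Succeed (0) when the path is NOT owned by the wanted "uid:gid".
needs_chown() { [ "$(owner_of "$1")" != "$2" ]; }

# Repair ownership of a pre-existing volume. Only root can do it, and it is
# skipped when already correct so a large journal is not re-chowned each start.
# Args: directory, wanted "uid:gid", uid the entry point is running as.
fix_volume() {
    dir=$1 want=$2 uid=$3
    if ! needs_chown "$dir" "$want"; then echo "ok"; return 0; fi
    if [ "$uid" != 0 ]; then echo "cannot-fix"; return 1; fi
    chown -R "$want" "$dir" && echo "chowned"
}

# Command prefix for starting the service: drop to RUN_AS when started as root,
# nothing when the container was already started as a non-root user.
launch_prefix() {
    if [ "$1" = 0 ]; then echo "su-exec $RUN_AS"; else echo ""; fi
}

entrypoint() {
    uid=$(id -u)
    # Numeric IDs come from the image; pin them at user creation so they
    # stay stable across image versions and match files on old volumes.
    want="$(id -u "$RUN_AS"):$(id -g "$RUN_AS")"
    fix_volume "$DATA_DIR" "$want" "$uid" >&2
    # exec replaces the shell so the service receives signals directly;
    # the prefix is left unquoted on purpose so it splits into words.
    exec $(launch_prefix "$uid") "$@"
}

# Run only when given a command, e.g. as the image ENTRYPOINT with CMD args.
if [ "$#" -gt 0 ]; then entrypoint "$@"; fi
```

Starting the container with an explicit non-root user against a root-owned volume makes `fix_volume` fail fast with `cannot-fix` instead of letting the service crash later on a write.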