refactor(cli): keep alteration scripts folder writable by gid 0 #6328
Summary
One possible approach to address #6327.
Ensures that /etc/logto/packages/cli/alteration-scripts is present and writable by gid 0.
Does not remove/replace this directory each time, just removes the contents. This ensures that
the writability remains (and also allows this to be a separately-mounted directory).
The reasons for doing this are described in #6327, but briefly, the desire is to let logto be
run from within docker as a non-root user (although gid 0 would still be required unless
the alteration-scripts are on a separately-mounted directory with appropriate permissions).
I propose this approach rather than making all of /etc/logto/packages/cli as writable by gid 0 since keeping more things read-only just seems safer overall.
Testing
So far I have only tested by running with a custom docker-compose.yml that is modified to have
user: 1001:0
for the app container, and it does apply seeding as desired. I have not tested on openshift/k8s yet (will need to build a container image accessible to my openshift cluster
to do that), but wanted to put this out there for possible discussion.
Checklist
.changeset
Not sure which of these you would want for this type of change (I think this may qualify at most as a
@logto/cli: minimal
under .changeset, but accept input on that).
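
The difference between emptying a directory and replacing it, as an added Node.js example that is not part of this pull request or of Logto's code. The helper names, the temporary path and the 0770 mode are assumptions chosen for illustration.

```javascript
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper: delete every entry inside `dir` but never unlink `dir`
// itself, so its owner, group, mode bits and any mount at that path survive.
function clearDirectoryContents(dir) {
  fs.mkdirSync(dir, { recursive: true }); // no-op if the directory exists
  for (const entry of fs.readdirSync(dir)) {
    fs.rmSync(path.join(dir, entry), { recursive: true, force: true });
  }
}

// Contrast: remove and recreate. The new directory gets its mode from the
// current umask and its ownership from the running process.
function replaceDirectory(dir) {
  fs.rmSync(dir, { recursive: true, force: true });
  fs.mkdirSync(dir, { recursive: true });
}

function snapshot(dir) {
  const { ino, mode } = fs.statSync(dir);
  return { ino, mode: mode & 0o7777 };
}

// Constructed scenario in a temp dir; returns the observed directory metadata.
function demo() {
  const previousUmask = process.umask(0o022); // fixed so the result is stable
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'alteration-demo-'));
  try {
    const dir = path.join(root, 'alteration-scripts');
    fs.mkdirSync(dir);
    fs.chmodSync(dir, 0o770); // group-writable, as prepared ahead of time
    fs.mkdirSync(path.join(dir, 'nested'));
    fs.writeFileSync(path.join(dir, 'nested', 'old.js'), '// constructed file');
    const before = snapshot(dir);
    clearDirectoryContents(dir);
    const cleared = { ...snapshot(dir), entries: fs.readdirSync(dir).length };
    replaceDirectory(dir);
    const replaced = snapshot(dir);
    return { before, cleared, replaced };
  } finally {
    fs.rmSync(root, { recursive: true, force: true });
    process.umask(previousUmask);
  }
}
```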