ENH: add permission handling to ioc-deploy

[ZLLentz]

Description

Changes

• Implement permission handling onto ioc-deploy
• Add subcommand for changing permissions without deploying a new release (update-perms)
• Allow for full paths to be used as deploy and permission targets (--path-override, -p)
• Improve readability of --help text output

Details

When we deploy a release, we'll also apply write protection. Write protection is defined as:

• All files and directories are read-only

This was previously more complicated, but now we'll simplify it to make the rules understandable. Users will need to restore the write permissions if they wish to rebuild on a new architecture.

Write permissions can be added to or removed from existing releases with invocations like:

ioc-deploy update-perms rw -p path/to/my/release
ioc-deploy update-perms ro -p path/to/my/release

Allowing writes is the same as allowing user and group writes to all files and folders.

Motivation and Context

https://jira.slac.stanford.edu/browse/ECS-6122
closes #193

How Has This Been Tested?

• make distclean, make clean, and rm -rf fail to remove built files after running the deploy script.
• you can remove a release after enabling write permission

Where Has This Been Documented?

Updated the readme

[ZLLentz]

Marking as ready for review, will ask for reviewers after the holiday weekend

[ZLLentz]

I'm going to do a tiny bit more cleanup here based on self-review

[ZLLentz]

I'm happy with how this behaves now. You'll still be able to undo a release if you'd like to but it won't be possible to do this accidentally now. I think we could discuss a bit about small permutations to this- should we be more protective, and require cross-compiles to unlock the write permissions? Should we mess with the .git directory? Maybe if people have opinions on this in the future we can revisit.

[tangkong]

I'm interested in what happens when two different users try to undo each others write permission settings here. I want to give this a closer look but I have some questions to start

[tangkong]

Maybe I'm just slow here, but what's the difference between the files affected when allow_write=True and allow_write=False?

• allow_write=True --> recursively applies to everything inside deploy_dir except for ".git"
• allow_write=False --> everything tracked by git and their subdirectories recursively, excepting ".git", but then also things not tracked by git?

Is there something missing from the union of "things tracked by git" and "things not tracked by git"?

[tangkong]

Maybe I haven't internalized what the directory structure here looks like

[ZLLentz]

This is a good question that might prompt some edits

I think it's normal to expect that the set of files affected by these two is the same- maybe I should edit so that it is.

The perspective here is something like "there are some directory objects that should never be write-protected because the group wants to be ably to casually recompile on a new arch", but there is no such constraint in the other direction.

• allow_write=True -> no constraints, (re-)implemented separately in the simplest way without constraint logic
• allow_write=False -> please allow me to be able to log into the rocky9 build host and create e.g. bin/rhel9_x86_64 even if I've already built/protected once e.g. bin/rhel7_x86_64

When implementing the False variant with the above goal, I decided that a simple way to do this is to only write protect directories that contain files generated from make, e.g. those not tracked by git.

Cons of this approach:

• Confusing code
• git safedir thing will pop up when you try to write protect someone else's release

Alternates I considered that maybe you think are better:

• Make it simpler: full write permissions or no write permissions for the entire tree, require using the script to unlock for a new make
• Go for the minimal number of allowed directories: look for folders with OS-names in them, allow only those directories to stay unprotected

I ignored .git because it seemed weird to be messing with it but maybe it's better to mess with it for simplicity's sake

Open to all thoughts and suggestions here

[tangkong]

Easy agree: I think ignoring .git makes perfect sense

Ok so the difference is that when we set allow_write=False, we do not write protect the build artifact directories generated by make build

It looks like the code is gathering build_dir_paths, then also write-protecting them. Do we actually want to make these writable? (are these the bin/rhel_xx_xx directories?)

[ZLLentz]

The make generates files and folders such as:

bin/rhel7_x86_64/adsIoc

Which is the main executable that needs to continue to exist in this example
The intention is to write protect bin/rhel7_x86_64 without write protecting bin:

── [drwxrwxr-x]  bin
│   └── [dr-xr-xr-x]  rhel7-x86_64
│       └── [-r-xr-xr-x]  adsIoc

So that we can't accidentally remove the folder and delete adsIoc, but we can create a parallel folder in bin for a new arch.

[ZLLentz]

The final thing I need to do is to follow Tyler's suggestion of running a real IOC.

I'm going to stand up a simple PV notepad test IOC starting from https://github.com/pcdshub/ioc-tst-pvNotepad. I'll go all the way through iocmanager to verify everything looks normal, then clean up my iocData mess.

If this doesn't work, I'll investigate why and see if any specific directories need to be writable.

[ZLLentz]

It seemed to work just fine. The PVs are online in the test subnet e.g. TST:DEPLOY:STRING responds to puts and gets and maintains its value with autosave after reboot. The deploy directory is fully write-protected:

zlentz@psbuild-rocky9-01:~$ tree -p /cds/group/pcds/epics/ioc/tst/pvNotepad/R0.2.0
/cds/group/pcds/epics/ioc/tst/pvNotepad/R0.2.0
├── [-r--r--r--]  LICENSE.md
├── [-r--r--r--]  Makefile
├── [-r--r--r--]  README.md
├── [dr-xr-sr-x]  build
│   ├── [-r--r--r--]  IOC_APPL_TOP
│   ├── [-r--r--r--]  Makefile
│   ├── [dr-xr-sr-x]  archive
│   │   ├── [-r--r--r--]  ioc-tst-pyqt4.archive
│   │   └── [-r--r--r--]  ioc-tst-try-deploy.archive
│   ├── [dr-xr-sr-x]  autosave
│   │   ├── [-r--r--r--]  ioc-tst-pyqt4.req
│   │   └── [-r--r--r--]  ioc-tst-try-deploy.req
│   └── [dr-xr-sr-x]  iocBoot
│       ├── [-r--r--r--]  Makefile
│       ├── [dr-xr-sr-x]  ioc-tst-pyqt4
│       │   ├── [-r--r--r--]  IOC_APPL_TOP
│       │   ├── [-r--r--r--]  Makefile
│       │   ├── [-r-xr-xr-x]  edm-ioc-tst-pyqt4.cmd
│       │   ├── [-r--r--r--]  envPaths
│       │   ├── [-r--r--r--]  ioc-tst-pyqt4.archive
│       │   ├── [-r--r--r--]  ioc-tst-pyqt4.req
│       │   ├── [-r--r--r--]  ioc-tst-pyqt4.sub-arch
│       │   ├── [-r--r--r--]  ioc-tst-pyqt4.sub-req
│       │   ├── [-r-xr-xr-x]  launchgui-ioc-tst-pyqt4.cmd
│       │   ├── [-r-xr-xr-x]  pydm-ioc-tst-pyqt4.cmd
│       │   └── [-r-xr-xr-x]  st.cmd
│       └── [dr-xr-sr-x]  ioc-tst-try-deploy
│           ├── [-r--r--r--]  IOC_APPL_TOP
│           ├── [-r--r--r--]  Makefile
│           ├── [-r-xr-xr-x]  edm-ioc-tst-try-deploy.cmd
│           ├── [-r--r--r--]  envPaths
│           ├── [-r--r--r--]  ioc-tst-try-deploy.archive
│           ├── [-r--r--r--]  ioc-tst-try-deploy.req
│           ├── [-r--r--r--]  ioc-tst-try-deploy.sub-arch
│           ├── [-r--r--r--]  ioc-tst-try-deploy.sub-req
│           ├── [-r-xr-xr-x]  launchgui-ioc-tst-try-deploy.cmd
│           ├── [-r-xr-xr-x]  pydm-ioc-tst-try-deploy.cmd
│           └── [-r-xr-xr-x]  st.cmd
├── [-r--r--r--]  ioc-tst-pyqt4.cfg
└── [-r--r--r--]  ioc-tst-try-deploy.cfg

6 directories, 34 files

[ZLLentz]

This is ready pending re-review of my commit storm, or pending if we want to try to test or damage /cds/group/pcds/epics/ioc/tst/pvNotepad/R0.2.0. I'm somewhat curious if other users can remove it or use the permissions handlers here to un-protect it, for example, but knowing the answers to that won't necessarily change how I feel about this.

[tangkong]

As suspected, I cannot change permissions to this directory:

me:~/src/engineering_tools/scripts(enh_ioc_deploy_perms +)$ ./ioc-deploy -n ioc-tst-pvNotepad -r R0.2.0 --allow-write True
INFO     ioc-deploy: ioc-deploy: checking inputs
INFO     ioc-deploy: Allowing writes to /reg/g/pcds/epics/ioc/tst/pvNotepad/R0.2.0
Confirm target? yes/true or no/false
yes
ERROR    ioc-deploy: [Errno 1] Operation not permitted: '/reg/g/pcds/epics/ioc/tst/pvNotepad/R0.2.0'
ERROR    ioc-deploy: ioc-deploy errored out

I think this error is simple enough to catch and let the user know that there's a permission conflict. If the chmod fails maybe we check who the original owner is and report that the user should contact that person.

[ZLLentz]

I'm going to try to sudo chown my test deployment to Robert to self-test the new messages I just added.

[ZLLentz]

zlentz@psbuild-rhel7-01:~$ ./github/engineering_tools/scripts/ioc-deploy --name ioc-tst-pvnotepad -r 0.2.0 --allow-write true
INFO     ioc-deploy: ioc-deploy: checking inputs
INFO     ioc-deploy: Allowing writes to /reg/g/pcds/epics/ioc/tst/pvNotepad/R0.2.0
Confirm target? yes/true or no/false
y
ERROR    ioc-deploy: OSError during chmod: [Errno 1] Operation not permitted: '/reg/g/pcds/epics/ioc/tst/pvNotepad/R0.2.0'
ERROR    ioc-deploy: Please contact file owner roberttk or someone with sudo permissions if you'd like to change the permissions here.
ERROR    ioc-deploy: For example, you might try 'sudo chmod -R ug+w /reg/g/pcds/epics/ioc/tst/pvNotepad/R0.2.0' from a server you have sudo access on.
ERROR    ioc-deploy: ioc-deploy errored out

[tangkong]

I'm pretty happy with this (maybe now that I understand it more fully). I have a bit of phrasing nitpicks, not I'm not too worried.

I do think that it might make more sense to have allow-writes be a subcommand of ioc-deploy, such that you'd invoke it like:

$ ioc-deploy update_perms {RW, RO} -n ioc-tst-thing -r R1.0.0   # runs update perms mode
$ ioc-deploy -n ioc-tst-thing -r R1.0.0  # normal deploy process

It does seem like tacking on --allow-write true as an optional arg would first deploy the IOC, then adjust its permissions.

if that's too much work or you're sick of fussing with this, I think it's totally skippable. This will be useful as it is now

[ZLLentz]

I do think that it might make more sense to have allow-writes be a subcommand of ioc-deploy

This is good feedback and I think it's pretty easy to implement

[ZLLentz]

argparse is a bit restricting as soon as you want to do anything interesting- it was more annoying than expected to get subcommands to behave as I wanted, but I think I addressed everything in a reasonable or close-to-reasonable way

[tangkong]

Yea adding a subparser is always finicky in argparse. We have some rather complicated boilerplate in other places for it. (looking at you atef)

No more quips from me. Well done here 👍

[tangkong]

Amazing ✨ I'd advocate for this to be its own script in engineering tools but is anyone else writing thorough argparse docstrings?

[ZLLentz]

You're right, I considered making a standalone script that just stdin -> stdout but I couldn't conceptualize it quickly and didn't feel like increasing my scope.

The idea would be something like

ioc-deploy --help | readme-ify

I think using help text output in general for the readme is really common even if not everything uses argparse

[ZLLentz]

I'm going to make this an issue

[tangkong]

This is truly an extra mile QOL addition, but I can't argue with the results. I think normally sub-commands just don't work if you don't specify it as the first argument, and I'd have left it at that haha

[slactjohnson]

LGTM. Nice work!