[content-service] enable public read on gitpod repo root folder

[sagor999]

Description

This fixes permissions on gitpod repo to ensure it has public read enabled (breaks some workflows that relies on that).

Related Issue(s)

Fixes gitpod-io/workspace-images#640

How to test

Start a new workspace in current production.
do ls -la /workspace and notice that permissions on gitpod repo are 0750.

Start a workspace from preview env of this PR
do ls -la /workspace and notice that permissions on gitpod repo are now set to correct 0755.

Release Notes

Ensure correct permissions are set on gitpod repo inside the workspace.

Documentation

[sagor999]

/hold
holding to make sure someone from workspace team can review this changes as well, in case if there is a better way to implement this.

[mustard-mh]

Works as expected.

When we checkout git repo, we correctly set permissions to 0755, but it is done in ws-daemon via git initializer.

But why not move it to where it create?

[sagor999]

But why not move it to where it create?

@mustard-mh
we already create folder with 0755 permissions, but that folder is created from ws-daemon. I think when we shift permissions inside container, we somehow lose public r+x permissions on that folder. So this fix is a workaround to this.

[mustard-mh]

gitpod/components/content-service/pkg/initializer/git.go

Line 73 in cc2f3b3

if err := os.MkdirAll(ws.Location, 0770); err != nil {

gitpod/components/content-service/pkg/git/git.go

Line 316 in 08acca8

err = os.MkdirAll(c.Location, 0755)

As we can see lines above, we create folder in line 73, then exec creation in line 316, so only 73 will works if it create success(c and ws is same object).

/workspace/<repo> folder should be 0770, but no idea why golang cannot set the write flag in group permission, see screen capture below.

Screen Capture

[mustard-mh]

So change this to 0755 should works

gitpod/components/content-service/pkg/initializer/git.go

Line 73 in cc2f3b3

if err := os.MkdirAll(ws.Location, 0770); err != nil {

[sagor999]

/hold

[sagor999]

@mustard-mh you are 💯 right! I thought I tried that change and for some reason it was not working, but I guess I messed something up when testing that exact fix. 🤦‍♂️
Thank you for double checking! Updated PR.

[sagor999]

/unhold

[mustard-mh]

LGTM

[kylos101]

/werft run

👍 started the job as gitpod-build-pavel-images-640.9
(with .werft/ from main)

[kylos101]

@sagor999 what do you mean by breaks some workflows that relies on that? For example, will we need a communication plan for this, for workflows that we break?

[kylos101]

/werft run

👍 started the job as gitpod-build-pavel-images-640.10
(with .werft/ from main)

[kylos101]

/werft run

👍 started the job as gitpod-build-pavel-images-640.11
(with .werft/ from main)

[kylos101]

/werft run

👍 started the job as gitpod-build-pavel-images-640.12
(with .werft/ from main)

[kylos101]

Rebased with main (preview environment would not build, was getting install config validation errors), and tested with the working preview environment, and the following worked like a champ:

touch private.env
docker-compose up db

cc: @alanwilter

Nice work, @sagor999 ! 💪