[pvc] run git commands as gitpod user when using pvc

[sagor999]

Description

When using PVC, we run content-init from inside the supervisor, which runs as root user.
This causes git clone to run as root, causing cloned repo to be owned by root.
Workaround was to do chown as the end of clone, but on big repos it is slow.

This allows to run git op as gitpod user instead, thus not needing to do chown at the end.

Related Issue(s)

Fixes #12892

How to test

Open and close all kind of various ways of opening a workspace.
This code should only affect PVC code path, so to properly test you need to enable PVC feature flag on your account first.

Release Notes

none

Documentation

Werft options:

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview with-large-vm=true
• /werft with-integration-tests=workspace
  Valid options are all, workspace, webapp, ide

[werft-gitpod-dev-com]

started the job as gitpod-build-pavel-chown.4 because the annotations in the pull request description changed
(with .werft/ from main)

[sagor999]

/werft run

👍 started the job as gitpod-build-pavel-chown.8
(with .werft/ from main)

[sagor999]

/werft run

👍 started the job as gitpod-build-pavel-chown.12
(with .werft/ from main)

[sagor999]

/werft run

👍 started the job as gitpod-build-pavel-chown.14
(with .werft/ from main)

[werft-gitpod-dev-com]

started the job as gitpod-build-pavel-chown.16 because the annotations in the pull request description changed
(with .werft/ from main)

[werft-gitpod-dev-com]

started the job as gitpod-build-pavel-chown.17 because the annotations in the pull request description changed
(with .werft/ from main)

[jenting]

When using PVC, we run content-init from inside the supervisor, which runs as root user.

Can we move the content-init operation ring1 or ring2 that runs as the gitpod user? So we don't need to specify run git clone as gitpod user.

[sagor999]

@jenting frankly speaking, I am not sure, as there are a lot of moving parts in between ring0 and ring2. 🤔
Also I think there is some expectation that when ring1 or ring2 executes, that content init was already done.
Basically, if content init were to fail in ring2, it might break something else somewhere. 🤷
But if this solution is a no go for some reason, then I guess we can explore the option of trying to run content init inside ring2. 🤔

@csweichel do you have any thoughts on this? ^

[jenting]

sudo is required?

[sagor999]

yeah. that is the whole point here, and assumes that this runs as root (which it is from ring0).
so it runs sudo -u gitpod git ...

[jenting]

At this code phase, is the permission root?

If yes, I am thinking using runuser is more suitable or not. 🤔
https://prasadlinuxblog.wordpress.com/2012/09/04/392/

[utam0k]

Is it safe from a security viewpoint?

[sagor999]

@jenting I am not sure if there is any meaningful difference in our case for sudo vs runuser. WDYT?

@utam0k I don't think so. That code was already running as root (supervisor) prior to this changes.

[jenting]

Agree with you.

[utam0k]

I just want to confirm with you about it. 💯

[kylos101]

👋 @sagor999 did you mean to link this to #14003, instead of #12892 ?

I ask because this PR uses chown still, but as gitpod user, instead of root.

Does this PR solve the underlying performance issue, where using chown is slow? Can you share a link to a branch that is super slow in prod now, that is really fast using the preview environment for this PR? In other words, so we can see this actually improves (reduces) the time it takes to open a workspace?

[sagor999]

@kylos101 no. It is linked to the correct issue that it is fixing.
And yes, it uses chown on the folder only (non recursive), which might be removed after this PR is merged: #14096

[jenting]

LGTM.

I can't think of any concerns about this change. So I'm okay to 🚢 it.