Support running as non-root user #18
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Previously, we relied on various paths inside the image that required root privileges to read or write. Specifically: 1. We need to write the env var supplied license to `/usr/local/stata/stata.lic`. This is handle via symlink 2. We used the /root/entrypoint.sh - this has been move to /usr/local/bin/entrypoint.sh 3. We shipped various core libraries in /root/ado/plus, which is one of the default per-user locations. Apart from the path permissions, the 'plus' package namespace is often used by users in their own code[1]. So instead, switch to /usr/local/ado, the default SITE location, which a) is outside /root/ and b) matches our intended usage, and is b/w compat with users using their own PLUS or PERSONAL paths in analysis code. 4. We autoload ./libraries/*.ado, which is now done as the user running the command, so need to also work non-root. For now, to avoid further collisions with use of PLUS, we add them to the SITE dir. This did require making the SITE dir world writable, so that we can link into it. Given the changes above, added test coverage for both the stata libraries shipped with the docker image, as well as studies with ./libraries/. [1] https://github.com/opensafely/hh-classification-research/blob/734f2bf08959582a2ef7524c8355e1494f04d243/analysis/global.do
bloodearnest
force-pushed
the
run-as-non-root
branch
from
1d0d429 to
64d8b2b
Compare
inglesp
approved these changes
Dec 30, 2022
Closed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Previously, we relied on various paths inside the image that required
root privileges to read or write. Specifically:
/usr/local/stata/stata.lic. This is handle via symlink/usr/local/bin/entrypoint.sh
the default per-user locations. Apart from the path permissions, the
'plus' package namespace is often used by users in their own code[1].
So instead, switch to /usr/local/ado, the default SITE location,
which a) is outside /root/ and b) matches our intended usage, and is
b/w compat with users using their own PLUS or PERSONAL paths in
analysis code.
the command, so need to also work non-root. For now, to avoid further
collisions with use of PLUS, we add them to the SITE dir. This did
require making the SITE dir world writable, so that we can link into
it.
Given the changes above, added test coverage for both the stata
libraries shipped with the docker image, as well as studies with
./libraries/.