feat(config): allow customisation of runtime group name (#440) #440
Conversation
mdonadoni
changed the title
mdonadoni
force-pushed
the
fix-groupadd
branch
from
f867232
to
f643a81
Compare
Codecov ReportAttention:
Additional details and impacted files@@ Coverage Diff @@
## master #440 +/- ##
==========================================
- Coverage 36.35% 36.33% -0.03%
==========================================
Files 26 26
Lines 1576 1577 +1
==========================================
Hits 573 573
- Misses 1003 1004 +1
|
reana_commons/config.py
Outdated
| @@ -303,6 +303,9 @@ def kubernetes_node_label_to_dict(node_label): | |||
| WORKFLOW_RUNTIME_USER_NAME = os.getenv("WORKFLOW_RUNTIME_USER_NAME", "reana") | |||
| """Default OS user name for running job controller.""" | |||
|
|
|||
| WORKFLOW_RUNTIME_GROUP_NAME = os.getenv("WORKFLOW_RUNTIME_GROUP_NAME", "reana") | |||
There was a problem hiding this comment.
Hmm, I wonder whether we need to create a new group name here at all. We do need to use the GID=0 during runtime for the appropriate workspace file access permissions, but cannot we simply use the default root group name directly without introducing a new "reana" group?
$ docker run -i -t --rm docker.io/library/ubuntu:20.04 /bin/bash -c 'grep :0: /etc/group'
root:x:0:That said, it seems nice and consistent to introduce the new variable WORKFLOW_RUNTIME_GROUP_NAME instead of using hard-coded "root". But perhaps its default value could be simply "root" and not "reana"? And perhaps we might not actually need to create any such a group and just use the default?
There was a problem hiding this comment.
Yes, creating a new group is not needed if we keep WORKFLOW_RUNTIME_USER_GID set to zero. However that is needed if the GID is not zero, as otherwise the useradd call fails.
We can check whether the group already exists or not, and if it doesn't then groupadd is called. What do you think?
There was a problem hiding this comment.
I have updated reana-workflow-controller's PR to only create the group if there is no group with the given GID
There was a problem hiding this comment.
Sounds good. We may perhaps want to set WORKFLOW_RUNTIME_GROUP_NAME to be root by default, so that its value would correspond with WORKFLOW_RUNTIME_USER_GID's default value being 0.
There was a problem hiding this comment.
Regarding the default name, I would keep reana as I see two scenarios:
- gid is zero, so normally the
rootgroup already exists -> nothing to do - gid is not zero, so we create a new group
reana, as we cannot name thisroot
What do you think?
There was a problem hiding this comment.
After discussing among us, I have changed reana to root and I have also added a comment explaining what to do in case the group id needs to be changed.
There was a problem hiding this comment.
Yes, it's nice to have default values expressing the "reality", hence 0=root. And if someone would like to change them, they will find a little "how to" note on what to do.
mdonadoni
force-pushed
the
fix-groupadd
branch
from
f643a81
to
13f7c8b
Compare
mdonadoni
force-pushed
the
fix-groupadd
branch
from
13f7c8b
to
5cec305
Compare
Closes reanahub/reana-workflow-controller#561