-
Notifications
You must be signed in to change notification settings - Fork 3.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
fix(executor/emissary): fix nonroot sidecars + input/output params & artifacts #6403
Conversation
…rams & artifacts Signed-off-by: Yuan Gong <[email protected]>
cmd/argoexec/commands/emissary.go
Outdated
if err := os.MkdirAll(varRunArgo+"/ctr/"+containerName, 0o700); err != nil { | ||
// default umask can be 022 | ||
// setting umask as 0 allow granting write access to other non-root users | ||
syscall.Umask(0) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should I put this into os_specific?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
syscall.Umask(0)
is not available on Windows. So you'll need to move this command into os_specific
. The Windows implementation can be a no-op.
Codecov Report
@@ Coverage Diff @@
## master #6403 +/- ##
==========================================
- Coverage 48.81% 48.80% -0.02%
==========================================
Files 253 253
Lines 18153 18155 +2
==========================================
- Hits 8861 8860 -1
- Misses 8324 8327 +3
Partials 968 968
Continue to review full report at Codecov.
|
Hi @alexec, I wonder whether you have any docs or examples for how to add workflows as tests? |
nonroot sidecar example:
nonroot parameter passing
non root hello world workflow:
nonroot artifact passing workflow:
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
great stuff! you're correct about Umask - this needs to go into os_specific
cmd/argoexec/commands/emissary.go
Outdated
if err := os.MkdirAll(varRunArgo+"/ctr/"+containerName, 0o700); err != nil { | ||
// default umask can be 022 | ||
// setting umask as 0 allow granting write access to other non-root users | ||
syscall.Umask(0) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
syscall.Umask(0)
is not available on Windows. So you'll need to move this command into os_specific
. The Windows implementation can be a no-op.
Signed-off-by: Yuan Gong <[email protected]>
@alexec thanks for the review! Updated to os specific |
Any guidance for this?
|
|
||
import "syscall" | ||
|
||
func CallUmask(mask int) (oldmask int) { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
minor - you ignore the return value and you only ever pass in zero - so how about:
func UmaskZero() {
// ...
}
What might be even better is name it after you intent.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
GrantWriteAccessToNonRootUsers
??
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What do you think about AllowGrantingAccessToEveryone?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK, updated
Signed-off-by: Yuan Gong <[email protected]>
@sarabala1979 this needs to be back-ported to v3.1. Do you think we should do another patch release this week? |
…artifacts (#6403) Signed-off-by: Yuan Gong <[email protected]>
This fully fixes emissary + nonroot.
I've tested sidecars, input/output parameters and artifacts
Checklist:
Tips:
git commit --signoff
.make pre-commit -B
to fix codegen or lint problems.