Conditionally set ownership and permissions in entrypoint #110
Conversation
|
@kocolosk see #73 (comment) for apache/couchdb-documentation#3. I think we can't drop this. |
|
Oh geez we already had this conversation back in apache/couchdb-documentation#80 as well didn't we? I will add the |
2.2.0/docker-entrypoint.sh
Outdated
| # we need to set the permissions here because docker mounts volumes as root | ||
| chown -fR couchdb:couchdb /opt/couchdb || true | ||
| # Check that we own everything in /opt/couchdb and fix if necessary | ||
| find /opt/couchdb \! \( -user couchdb -group couchdb \) -exec chown couchdb:couchdb '{}' + |
There was a problem hiding this comment.
So ... I want to test that one a bit. I've already scoped down the chown so it only executes on files that have incorrect ownership. I'm struggling to think of a case where we have files in /opt/couchdb that are not owned by couchdb and yet we're OK to proceed without that ownership change. I guess the best example would be a config file with 0644 permissions owned by root coming in from a volume mount?
There was a problem hiding this comment.
Right, the big issues are config and data files owned by the wrong person. We could conceivably skip changing their ownership as long as we have read/write access....
Another option is to have Couch itself complain when it sees config files it can't read/write, skip all the checks here, and let Couch crash out. We don't do that yet.
It'd be harder to do that for data files since generally we don't start opening db/view files until asked to do so by the user.
2.2.0/docker-entrypoint.sh
Outdated
| # contents of the datadir have the same permissions as they had when they | ||
| # were initially created. This should minimize any startup delay. | ||
| find /opt/couchdb/data -type d ! -perm 0755 -exec chmod 0755 '{}' + | ||
| find /opt/couchdb/data -type f ! -perm 0644 -exec chmod 0644 '{}' + |
|
Missed a couple - once those are fixed this is good to go. Hopefully all the |
kocolosk
force-pushed
the
streamline-ownership-and-permissions
branch
from
61e6cd1 to
3af2fa4
Compare
|
OK after sleeping on it I went ahead and applied the I also tried a smoke test on whether this is actually helping by commenting out all of this code in the entry point and then timing the two Seems like a good idea 😄 There are about 1600 files in a vanilla CouchDB install so anyone with lots of (correctly-permissioned) databases would likely see an even bigger improvement. |
Recursive modification of ownership and permissions in the entrypoint has been implicated in slow container startup times. This change checks the ownership first and only modifies it if necessary. It is modeled after similar changes recently applied to a number of other projects e.g. redis/docker-library-redis#166.
Previously we had been doing a blanket recursive chmod to 770 on everything in the datadir. This had a few problems: - The files themselves need not have the executable bit set - CouchDB itself creates directories and files with 755/644 - Executing lots of chmod operations caused startup delays This patch makes the execution of chmod conditional, and works to set the permissions to what they would normally be when CouchDB creates the the files and directories.
This patch also drops the target permissions from 775/664 to 755/644, as the latter permissions are the ones set by the CouchDB installation itself.
kocolosk
force-pushed
the
streamline-ownership-and-permissions
branch
from
3af2fa4 to
be3fd23
Compare
|
+1 and thanks for the test. |
Overview
Three significant changes here:
-fflag and the silent|| trueguard on these commandsThe last one is perhaps worth discussion. I couldn't find any explanation for why it was added in the first place, and I didn't see it being used on comparable docker-entrypoint files in other projects. I figured that if we feel these commands are important enough to place in the entry point we probably don't want them to be silently ignored.
GitHub issue number
Fixes apache/couchdb-documentation#109
Checklist