Fix #35011: use uid of data directory for containers

Author: LEDfan

.github/workflows/workflows.yaml

@@ -46,5 +46,6 @@ jobs:
       - name: Run Tests
         run: |
           docker network create sp-shared-network
+          docker plugin install "grafana/loki-docker-driver:3.2.1" --alias loki --grant-all-permissions
           export SPO_DOCKER_GID=$(getent group docker | cut -d: -f3)
           mvn -B test

src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/CraneConfig.kt

@@ -36,6 +36,7 @@ import eu.openanalytics.shinyproxyoperator.sha1
 import io.github.oshai.kotlinlogging.KotlinLogging
 import kotlinx.coroutines.CoroutineScope
 import kotlinx.coroutines.Dispatchers
+import kotlinx.coroutines.IO
 import kotlinx.coroutines.delay
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.withContext
@@ -56,7 +57,8 @@ class CraneConfig(private val dockerClient: DockerClient,
                   private val inputDir: Path,
                   private val redisConfig: RedisConfig,
                   private val caddyConfig: CaddyConfig,
-                  private val persistentState: PersistentState) {
+                  private val persistentState: PersistentState,
+                  private val dataDirUid: Int) {
 
     private val yamlMapper = ObjectMapper(YAMLFactory())
     private val fileManager = FileManager()
@@ -145,6 +147,7 @@ class CraneConfig(private val dockerClient: DockerClient,
                 .hostConfig(hostConfig)
                 .labels(dockerActions.labelsForCrane(shinyProxy.realmId, hash))
                 .env("SPRING_CONFIG_IMPORT=/opt/crane/generated.yml")
+                .user(dataDirUid.toString())
                 .build()
 
             logger.info { "${logPrefix(shinyProxyInstance)} [Crane] Creating new container" }

src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/DockerOrchestrator.kt

@@ -53,6 +53,7 @@ import org.mandas.docker.client.messages.HostConfig
 import org.mandas.docker.client.messages.LogConfig
 import java.io.FileWriter
 import java.nio.file.Files
+import java.nio.file.LinkOption
 import java.nio.file.Path
 import java.time.OffsetDateTime
 import java.time.ZoneOffset
@@ -69,6 +70,7 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
     private val dockerGID: Int = config.readConfigValue(null, "SPO_DOCKER_GID") { it.toInt() }
     private val dockerSocket: String = config.readConfigValue("/var/run/docker.sock", "SPO_DOCKER_SOCKET") { it }
     private val disableICC: Boolean = config.readConfigValue(false, "SPO_DISABLE_ICC") { it.toBoolean() }
+    private var dataDirUid: Int
     private val state = mutableMapOf<String, ShinyProxyStatus>()
 
     private val logger = KotlinLogging.logger { }
@@ -98,12 +100,13 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
             .uri("unix://" + dockerSocket)
             .readTimeoutMillis(0) // no timeout, needed for startContainer and logs, #32606
             .build()
+        dataDirUid = getDatadirUId()
         caddyConfig = CaddyConfig(dockerClient, dataDir, config)
         dockerActions = DockerActions(dockerClient)
         shinyProxyReadyChecker = ShinyProxyReadyChecker(channel, dockerActions, dockerClient, dataDir)
-        redisConfig = RedisConfig(dockerClient, dockerActions, persistentState, dataDir, config)
-        craneConfig = CraneConfig(dockerClient, dockerActions, dataDir, inputDir, redisConfig, caddyConfig, persistentState)
-        monitoringConfig = MonitoringConfig(dockerClient, dockerActions, dataDir, caddyConfig, config, dockerSocket)
+        redisConfig = RedisConfig(dockerClient, dockerActions, persistentState, dataDir, dataDirUid, config)
+        craneConfig = CraneConfig(dockerClient, dockerActions, dataDir, inputDir, redisConfig, caddyConfig, persistentState, dataDirUid)
+        monitoringConfig = MonitoringConfig(dockerClient, dockerActions, dataDir, dataDirUid, caddyConfig, config, dockerSocket)
         logFilesCleaner = LogFilesCleaner(dataDir.resolve("logs"), fileManager, dockerActions)
         fileManager.createDirectories(dataDir)
         eventWriter = FileWriter(dataDir.resolve("events.json").toFile())
@@ -278,6 +281,7 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
                     .hostConfig(hostConfigBuilder.build())
                     .labels(shinyProxy.labels + LabelFactory.labelsForShinyProxyInstance(shinyProxyInstance, version))
                     .env("PROXY_VERSION=${version}", "PROXY_REALM_ID=${shinyProxy.realmId}", "SPRING_CONFIG_IMPORT=/opt/shinyproxy/generated.yml")
+                    .user(dataDirUid.toString())
                     .build()
 
                 logger.info { "${logPrefix(shinyProxyInstance)} [Docker] Creating new container" }
@@ -515,4 +519,15 @@ class DockerOrchestrator(channel: Channel<ShinyProxyEvent>,
         return (cpuPeriod.toDouble() * converted).toLong()
     }
 
+    private fun getDatadirUId(): Int {
+        try {
+            val owner = Integer.parseInt(Files.getAttribute(dataDir, "unix:uid", LinkOption.NOFOLLOW_LINKS).toString())
+            logger.info { "Owner of data dir is '$owner'" }
+            return owner
+        } catch (e: Exception) {
+            logger.warn(e) { "Failed to determine owner of data dir - failling back to user 1000" }
+            return 1000
+        }
+    }
+
 }

src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/RedisConfig.kt

@@ -37,6 +37,7 @@ class RedisConfig(private val dockerClient: DockerClient,
                   private val dockerActions: DockerActions,
                   private val persistentState: PersistentState,
                   mainDataDir: Path,
+                  private val dataDirUid: Int,
                   config: Config) {
 
     private val containerName = "sp-redis"
@@ -104,7 +105,7 @@ class RedisConfig(private val dockerClient: DockerClient,
                 .hostConfig(hostConfig)
                 .labels(mapOf("app" to "redis"))
                 .cmd(listOf("redis-server", "/etc/redis.conf"))
-                .user("1000")
+                .user(dataDirUid.toString())
                 .build()
 
             logger.info { "[Redis] Creating new container" }

src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/monitoring/GrafanaLokiConfig.kt

@@ -31,7 +31,11 @@ import org.mandas.docker.client.messages.HostConfig
 import org.mandas.docker.client.messages.PortBinding
 import java.nio.file.Path
 
-class GrafanaLokiConfig(private val dockerClient: DockerClient, private val dockerActions: DockerActions, mainDataDir: Path, config: Config) {
+class GrafanaLokiConfig(private val dockerClient: DockerClient,
+                        private val dockerActions: DockerActions,
+                        mainDataDir: Path,
+                        private val dataDirUid: Int,
+                        config: Config) {
 
     private val logger = KotlinLogging.logger {}
     private val lokiImage: String = config.readConfigValue("docker.io/grafana/loki:3.2.2", "SPO_GRAFANA_GRAFANA_IMAGE") { it }
@@ -75,7 +79,7 @@ class GrafanaLokiConfig(private val dockerClient: DockerClient, private val dock
             .image(lokiImage)
             .hostConfig(hostConfig)
             .exposedPorts("3100")
-            .user("1000")
+            .user(dataDirUid.toString())
             .labels(mapOf("app" to "grafana-loki"))
             .build()
 

src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/monitoring/MonitoringConfig.kt

@@ -28,12 +28,12 @@ import io.github.oshai.kotlinlogging.KotlinLogging
 import org.mandas.docker.client.DockerClient
 import java.nio.file.Path
 
-class MonitoringConfig(dockerClient: DockerClient, dockerActions: DockerActions, mainDataDir: Path, caddyConfig: CaddyConfig, config: Config, dockerSocket: String) {
+class MonitoringConfig(dockerClient: DockerClient, dockerActions: DockerActions, mainDataDir: Path, dataDirUid: Int, caddyConfig: CaddyConfig, config: Config, dockerSocket: String) {
 
     private val logger = KotlinLogging.logger { }
     private val enableMonitoring: Boolean
-    internal val grafanaLokiConfig = GrafanaLokiConfig(dockerClient, dockerActions, mainDataDir, config)
-    private val prometheusConfig = PrometheusConfig(dockerClient, dockerActions, mainDataDir, config, dockerSocket)
+    internal val grafanaLokiConfig = GrafanaLokiConfig(dockerClient, dockerActions, mainDataDir, dataDirUid, config)
+    private val prometheusConfig = PrometheusConfig(dockerClient, dockerActions, mainDataDir, dataDirUid, config, dockerSocket)
     private val cAdvisorConfig = CAdvisorConfig(dockerClient, dockerActions, config, dockerSocket)
     internal val grafanaConfig = GrafanaConfig(dockerClient, dockerActions, mainDataDir, caddyConfig, config)
 

src/main/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/monitoring/PrometheusConfig.kt

@@ -30,7 +30,12 @@ import org.mandas.docker.client.messages.ContainerConfig
 import org.mandas.docker.client.messages.HostConfig
 import java.nio.file.Path
 
-class PrometheusConfig(private val dockerClient: DockerClient, private val dockerActions: DockerActions, mainDataDir: Path, config: Config, private val dockerSocket: String) {
+class PrometheusConfig(private val dockerClient: DockerClient,
+                       private val dockerActions: DockerActions,
+                       mainDataDir: Path,
+                       private val dataDirUid: Int,
+                       config: Config,
+                       private val dockerSocket: String) {
 
     private val logger = KotlinLogging.logger {}
     private val dockerGID = config.readConfigValue(null, "SPO_DOCKER_GID") { it.toInt() }
@@ -80,7 +85,7 @@ class PrometheusConfig(private val dockerClient: DockerClient, private val docke
             .image(prometheusImage)
             .hostConfig(hostConfig)
             .labels(mapOf("app" to "prometheus"))
-            .user("1000")
+            .user(dataDirUid.toString())
             .build()
 
         logger.info { "[Prometheus] Creating new container" }

src/test/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/MainIntegrationTest.kt

@@ -28,12 +28,14 @@ import kotlinx.coroutines.delay
 import kotlinx.coroutines.launch
 import kotlinx.coroutines.withTimeout
 import org.junit.jupiter.api.Assertions.assertNull
+import org.junit.jupiter.api.Disabled
 import org.junit.jupiter.api.Test
 import org.junit.jupiter.params.ParameterizedTest
 import org.junit.jupiter.params.provider.ValueSource
 import kotlin.io.path.deleteIfExists
 import kotlin.io.path.readText
 import kotlin.io.path.writeText
+import kotlin.test.Ignore
 import kotlin.test.assertEquals
 import kotlin.test.assertNotNull
 

src/test/kotlin/eu/openanalytics/shinyproxyoperator/impl/docker/helpers/DockerAssertions.kt

@@ -53,7 +53,6 @@ class DockerAssertions(private val base: IntegrationTestBase,
         assertEquals("always", redisContainer.hostConfig().restartPolicy().name())
         assertEquals(listOf("redis-server", "/etc/redis.conf"), redisContainer.config().cmd())
         assertEquals("redis", redisContainer.config().labels()["app"])
-        assertEquals("1000", redisContainer.config().user())
 
         // remove generated password from file
         val redisConfig = dataDir.resolve("sp-redis").resolve("redis.conf").readText().dropLast(33)