Prevent permission issues after ingesting compat layer update tarballs #144
Conversation
| @@ -182,7 +182,7 @@ function ingest_compat_tarball() { | |||
| echo_yellow "Removing the existing layer, and adding the new one from the tarball..." | |||
| cvmfs_server transaction "${repo}" | |||
| rm -rf "/cvmfs/${repo}/${basedir}/${version}/compat/${os}/${arch}/" | |||
There was a problem hiding this comment.
@bedroge We should probably check with CVMFS devs if there's a recommend approach for this type of "replace" operation...
Ideally we don't need to unpack the tarball at all, without having to publish the removal first
There was a problem hiding this comment.
As discussed during the monthly meeting, we could ingest the new tarball/layer to a directory with a revision number in its name (e.g. 2021.12-1), and then switch a (variant) symlink 2021.12 to that actual version. In case of issues, we can easily revert to the older version. And if things are okay, we could even remove the old (and possibly insecure) version after a while.
There was a problem hiding this comment.
That does require a change in the tarball itself, as we can't simply ingest it to the versions base dir. We would either need to modify the way the tarball is created, or somehow strip the first directory (2021.12) from every file/dir in the tarball and replace it by / ingest it to 2021.12-<n>.
There was a problem hiding this comment.
Since we strongly prefer using cmvfs_server ingest, we should change the way the tarball is created.
The ingest script could then also fail hard if the top-level directory isn't what's expected (2021.12.<n+1> if the current is 2021.12.<n>).
I would prefer using a versioning scheme like 2021.12-001, 2021.12-002 (since that sorts better)
|
This does solve the permission issues in case we already have an existing compat layer in place, but I just ran into similar permission issues with a tarball for a compat layer that didn't exist yet. The default behavior of |
|
@bedroge Is this still relevant? |
I think this is indeed still needed for replacing compat layer dirs (i.e. for cases where we cannot use |
Fixes / prevents #143.