(core) add a GVISOR_USE_DEFAULT_USER flag to support different gvisor versions

Summary: This is just a convenience for myself. I happen to have a version of gvisor on my Linux dev machine that differs from what we use in our containers. There's a small difference in user setup that only manifests itself when importing files. Grist uses a directory readable only by the creating user, created outside the container, and then accessed within the container. For that to work, the user identities have to line up exactly. This adds a flag I can set in my environment to make things work. An alternative solution that doesn't require a flag would be to make the temporary directories readable by other users, but that seemed a bigger change than justified. Ideally we'd make a very robust and easy to run sandbox for Linux users, and I have ideas there for the future. Test Plan: manual Reviewers: dsagal Reviewed By: dsagal Differential Revision: https://phab.getgrist.com/D3742
2024-10-27 20:44:07 +00:00 · 2022-12-21 14:12:18 -05:00 · 2022-12-21 14:12:18 -05:00 · 6dce083484
commit 6dce083484
parent 5ef591434d
1 changed files with 12 additions and 9 deletions
--- a/sandbox/gvisor/run.py
+++ b/sandbox/gvisor/run.py
@ -81,15 +81,6 @@ settings = {
  "ociVersion": "1.0.0",
  "process": {
    "terminal": include_bash,
-    # Match current user id, for convenience with mounts. For some versions of
-    # gvisor, default behavior may be better - if you see "access denied" problems
-    # during imports, try commenting this section out. We could make imports work
-    # for any version of gvisor by setting mode when using tmp.dir to allow
-    # others to list directory contents.
-    "user": {
-      "uid": os.getuid(),
-      "gid": 0
-    },
    "args": cmd_args,
    "env": env,
    "cwd": "/"
@ -121,6 +112,18 @@ settings = {
    ]
  }
 }
+
+if not os.environ.get('GVISOR_USE_DEFAULT_USER'):
+  # Match current user id, for convenience with mounts. For some versions of
+  # gvisor, default behavior may be better - if you see "access denied" problems
+  # during imports, try setting GVISOR_USE_DEFAULT_USER. We could make imports work
+  # for any version of gvisor by setting mode when using tmp.dir to allow
+  # others to list directory contents.
+  settings['process']['user'] = {
+    "uid": os.getuid(),
+    "gid": 0
+  }
+
 memory_limit = os.environ.get('GVISOR_LIMIT_MEMORY')
 if memory_limit:
  settings['process']['rlimits'] = [