(core) add a GVISOR_USE_DEFAULT_USER flag to support different gvisor versions

Summary:
This is just a convenience for myself. I happen to have a version of
gvisor on my Linux dev machine that differs from what we use in our
containers. There's a small difference in user setup that only manifests
itself when importing files. Grist uses a directory readable only by
the creating user, created outside the container, and then accessed
within the container. For that to work, the user identities have to
line up exactly. This adds a flag I can set in my environment to make
things work. An alternative solution that doesn't require a flag
would be to make the temporary directories readable by other users,
but that seemed a bigger change than justified.

Ideally we'd make a very robust and easy to run sandbox for Linux
users, and I have ideas there for the future.

Test Plan: manual

Reviewers: dsagal

Reviewed By: dsagal

Differential Revision: https://phab.getgrist.com/D3742
This commit is contained in:
Paul Fitzpatrick 2022-12-21 14:12:18 -05:00
parent 5ef591434d
commit 6dce083484

View File

@ -81,15 +81,6 @@ settings = {
"ociVersion": "1.0.0", "ociVersion": "1.0.0",
"process": { "process": {
"terminal": include_bash, "terminal": include_bash,
# Match current user id, for convenience with mounts. For some versions of
# gvisor, default behavior may be better - if you see "access denied" problems
# during imports, try commenting this section out. We could make imports work
# for any version of gvisor by setting mode when using tmp.dir to allow
# others to list directory contents.
"user": {
"uid": os.getuid(),
"gid": 0
},
"args": cmd_args, "args": cmd_args,
"env": env, "env": env,
"cwd": "/" "cwd": "/"
@ -121,6 +112,18 @@ settings = {
] ]
} }
} }
if not os.environ.get('GVISOR_USE_DEFAULT_USER'):
# Match current user id, for convenience with mounts. For some versions of
# gvisor, default behavior may be better - if you see "access denied" problems
# during imports, try setting GVISOR_USE_DEFAULT_USER. We could make imports work
# for any version of gvisor by setting mode when using tmp.dir to allow
# others to list directory contents.
settings['process']['user'] = {
"uid": os.getuid(),
"gid": 0
}
memory_limit = os.environ.get('GVISOR_LIMIT_MEMORY') memory_limit = os.environ.get('GVISOR_LIMIT_MEMORY')
if memory_limit: if memory_limit:
settings['process']['rlimits'] = [ settings['process']['rlimits'] = [