Pipeline local filesystem: x permission on folders #227
Conversation
- add the "execute" permission on folders so users can see what is inside.
| @@ -445,7 +445,7 @@ def move_rsync(self, source, destination, try_mv_local=False): | |||
|
|
|||
| # Rsync file over | |||
| # TODO Do this asyncronously, with restarting failed attempts | |||
| command = ['rsync', '-t', '-O', '--protect-args', '-vv', '--chmod=ugo+rw', '-r', source, destination] | |||
| command = ['rsync', '-t', '-O', '--protect-args', '-vv', '--chmod=ugo+rw,Da+x', '--perms', '-r', source, destination] | |||
There was a problem hiding this comment.
note that here, the x permission is added to folders only
There was a problem hiding this comment.
Thanks for the PR! I am not familiar with that chmod syntax, is 'Da+x' the same as 'a+X'?
I think this is a good change.
👍
There was a problem hiding this comment.
@remileduc, what's the purpose of adding --perms when combined with --chmod?
I'm also wondering if we should use --chmod=ug+rw,ug+x instead, we don't need to give permissions to others right? Perhaps easier to read in octal mode: --chmod=F660,D770.
There was a problem hiding this comment.
@jhsimpson you have an explanation of what the D stands for here: https://explainshell.com/explain?cmd=rsync+-p+--chmod%3D%2Brwx+-e+%22ssh+-i+userserver.pem%22+--copy-unsafe-links+-rz+user%40server%3A~%2F+%2Fdb_backups%2Fwww%2F
It does the same as (upper) X, but I wasn't aware of it ^^
@sevein you're right, --perms would only be useful for already existing files, which shouldn't be the case here.
| @@ -513,7 +513,7 @@ def create_rsync_directory(self, destination_path, user, host): | |||
| for directory in directories: | |||
| path = os.path.join(os.path.dirname(directory), '') | |||
| path = "{}@{}:{}".format(user, host, utils.coerce_str(path)) | |||
| cmd = ['rsync', '-vv', '--protect-args', '--chmod=ugo+rw', '--recursive', temp_dir, path] | |||
| cmd = ['rsync', '-vv', '--protect-args', '--chmod=ugo+rwx', '--recursive', temp_dir, path] | |||
There was a problem hiding this comment.
Here, we KNOW we write a folder, so we can put the x permission on it.
As far as I'm concerned, this whole function may be replaced by the following code (but maybe I missed some features here):
def create_rsync_directory(self, destination_path, user, host):
# we know we have a paswordless SSH connection
path = os.path.dirname(destination_path) # thus we keep the previous behavior where we need a trailing slash or the folder is not created
cmd = ['ssh', '{}@{}'.format(user, host), '"mkdir -p --mode=a+rwx " + path']
LOGGER.info("path creation command: %s", cmd)
try:
subprocess.check_call(cmd)
except subprocess.CalledProcessError as e:
LOGGER.warning("rsync path creation failed: %s", e)
raiseThere was a problem hiding this comment.
I don't think you missed anything the function you suggest looks good. Do you want to update your PR to include it?
There was a problem hiding this comment.
(updated the code so we give a path to mkdir ^^)
Here, I assume there's a passwordless SSH configuration between the storage and the dashboard, as required by your documentation. However, from what I saw, only RSYNC is used to communicate between these 2 servers. Thus, somebody could have setup RSYNC to use another protocol (rsh? rsyncd?). I'm not sure it is possible, but using directly SSH like this would break it.
However, your documentation states that it needs SSH to be configured, this may be enough. What do you think?
I wait for your answer before editing the PR...
There was a problem hiding this comment.
@remileduc I like the idea of using ssh and mkdir -p to create the rsync directory. However, the third line of the snippet above has an error and will include the string 'path' instead of the value of the path var. It should be something like cmd = ['ssh', '{}@{}'.format(user, host), '"mkdir -p --mode=a+rwx {}"'.format(path)].
Also, in the snippet above --mode=a+rwx is being used while different permissions (--chmod=ug=rwx,o=rx) are being used in the current state of the PR.
Finally, are you sure that you want to call path = os.path.dirname(destination_path)? If destination_path has no trailing slash, then this will return the parent directory, which is not what you want, I think. If we want to always have a trailing slash we should continue to join on the empty string:
>>> import os
>>> os.path.dirname('a/b/c/')
'a/b/c'
>>> os.path.dirname('a/b/c')
'a/b'
>>> os.path.join('a/b/c/', '')
'a/b/c/'
>>> os.path.join('a/b/c', '')
'a/b/c/'
There was a problem hiding this comment.
You're totally right! I did the snippet above very quickly to show the main idea...
Should I update the PR with the mkdir version?
There was a problem hiding this comment.
I think so. Your strategy is a lot cleaner than the current one which needlessly makes a separate rsync call for each ancestor directory.
|
I've updated the permissions with @sevein comments. |
|
Replaced by #281 |
closes #226