Liqun/container permission (#296)

1. change docker file to use root for env preparations 2. add entrypoint.sh to dynamically create the user to run the kernel
microsoft · Apr 11, 2024 · ce9e433 · ce9e433
2 parents 894db47 + d021dca
commit ce9e433
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 26 deletions.
diff --git a/docker/ces_container/Dockerfile b/docker/ces_container/Dockerfile
@@ -3,27 +3,22 @@ FROM python:3.10-slim
 
 WORKDIR /app
 
-RUN useradd -m taskweaver
-
-# Set the working directory to /app
-RUN chown taskweaver:taskweaver /app
-
-USER taskweaver
-
 # Copy the requrements file
-COPY --chown=taskweaver:taskweaver requirements.txt .
-RUN pip install --no-cache-dir --no-warn-script-location --user -r requirements.txt
+COPY requirements.txt .
+RUN pip install --no-cache-dir --no-warn-script-location -r requirements.txt
 
 # TODO: Install additional packages for plugins
 
 # Copy the project code
-COPY --chown=taskweaver:taskweaver taskweaver/ces /app/taskweaver/ces
-COPY --chown=taskweaver:taskweaver taskweaver/plugin /app/taskweaver/plugin
-COPY --chown=taskweaver:taskweaver taskweaver/module /app/taskweaver/module
-COPY --chown=taskweaver:taskweaver taskweaver/__init__.py /app/taskweaver/__init__.py
+COPY taskweaver/ces /app/taskweaver/ces
+COPY taskweaver/plugin /app/taskweaver/plugin
+COPY taskweaver/module /app/taskweaver/module
+COPY taskweaver/__init__.py /app/taskweaver/__init__.py
+COPY docker/ces_container/entrypoint.sh /app/entrypoint.sh
+RUN chmod +x /app/entrypoint.sh
 
 ENV PYTHONPATH "${PYTHONPATH}:/app"
 
-CMD ["python", "-m", "taskweaver.ces.kernel.launcher"]
+ENTRYPOINT ["/app/entrypoint.sh"]
 
 
diff --git a/docker/ces_container/entrypoint.sh b/docker/ces_container/entrypoint.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+USER_ID=${TASKWEAVER_UID:-10002}
+GROUP_ID=${TASKWEAVER_GID:-10002}
+
+echo "Starting with UID: $USER_ID, GID: $GROUP_ID"
+useradd -u $USER_ID -o -m taskweaver
+groupmod -g $GROUP_ID taskweaver
+
+chown -R taskweaver:taskweaver /app
+
+su taskweaver -c "python -m taskweaver.ces.kernel.launcher"
+
diff --git a/scripts/build_executor.ps1 b/scripts/build_executor.ps1
@@ -1,7 +1,7 @@
 $scriptDirectory = $PSScriptRoot
 Write-Host "The script directory is: $scriptDirectory"
 
-$version = "0.1"
+$version = "0.2"
 $imageName = "taskweavercontainers/taskweaver-executor"
 $imageFullName = "${imageName}:${version}"
 
@@ -23,8 +23,5 @@ docker build -t $imageFullName -f $dockerfilePath $contextPath
 
 # Tag the image
 docker tag $imageFullName "${imageName}:latest"
-```
 
-# Tag the image
-docker tag $imageName taskweavercontainers/taskweaver-executor:latest
 
diff --git a/taskweaver/ces/environment.py b/taskweaver/ces/environment.py
@@ -144,9 +144,13 @@ def __init__(
             except docker.errors.DockerException as e:
                 raise docker.errors.DockerException(f"Failed to connect to Docker daemon: {e}. ")
 
-            self.image_name = "taskweavercontainers/taskweaver-executor"
+            self.image_name = "taskweavercontainers/taskweaver-executor:latest"
             try:
-                self.docker_client.images.get(self.image_name)
+                local_image = self.docker_client.images.get(self.image_name)
+                registry_image = self.docker_client.images.get_registry_data(self.image_name)
+                if local_image.id != registry_image.id:
+                    logger.info(f"Local image {local_image.id} does not match registry image {registry_image.id}.")
+                    raise docker.errors.ImageNotFound("Local image is outdated.")
             except docker.errors.ImageNotFound:
                 logger.info("Pulling image from docker.io.")
                 try:
@@ -219,11 +223,6 @@ def start_session(
             self._cmd_session_init(session)
             session.kernel_status = "ready"
         elif self.mode == EnvMode.Container:
-            if platform.system() != "Windows":
-                # change the permission of the ces and cwd directories
-                os.chmod(ces_session_dir, 0o755)
-                os.chmod(cwd, 0o755)
-
             connection_file = self._get_connection_file(session_id, new_kernel_id)
             new_port_start = self.port_start_inside_container
             kernel_env = {
@@ -235,6 +234,12 @@ def start_session(
                 "TASKWEAVER_PORT_START": str(new_port_start),
                 "TASKWEAVER_LOGGING_FILE_PATH": "/app/ces/kernel_logging.log",
             }
+
+            if platform.system() != "Windows":
+                # change the permission of the ces and cwd directories
+                kernel_env["TASKWEAVER_UID"] = str(os.getuid())
+                kernel_env["TASKWEAVER_GID"] = str(os.getgid())
+
             # ports will be assigned automatically at the host
             container = self.docker_client.containers.run(
                 image=self.image_name,
@@ -251,7 +256,6 @@ def start_session(
                     f"{new_port_start + 3}/tcp": None,
                     f"{new_port_start + 4}/tcp": None,
                 },
-                user="taskweaver",
             )
 
             tick = 0