Add Docker workaround to avoid user mapping reqirement #1704
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Not usually used, but since people (like me) *might* install and use Git inside the SILE container and/or use the legacy package manager this should clear up security restrictions.
…ches Allows Docker users to drop the user id mapping monkey business when running Docker while still getting their output files written by the expected user.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This comes out of recent experiences over on CaSILE with new Git and Docker security measures. The effective user ID stuff is perfect for CaSILE that operates primarily on repositories not files, so writing as the directory owner almost always will make sense. I'm not so sure it is a match for SILE, hence the draft status. It might be better to actually parse the arguments passed to SILE to find the input file(s), then check their ownership. This would necessitate some extra logic to handle cases without an input file but with
-ofor output. Also we can do some debugging and see if we have any ENV information available now that we didn't have before, but this should get the process started before I forget how it works.