Closed Bug 1321304 Opened 8 years ago Closed 7 years ago

ATMO V2: Fix docker/docker-compose setup to follow dockerflow, and/or fix dockerflow?

Categories

(Cloud Services Graveyard :: Metrics: Pipeline, defect, P1)

Product:
Cloud Services Graveyard
Component:
Metrics: Pipeline
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: jezdez, Assigned: robotblake)

References

Details

(Whiteboard: [SvcOps])

Attachments

(1 file)

[telemetry-analysis-service] mozilla:bug1321304 > mozilla:master
62 bytes, text/x-github-pull-request
Details | Review 
While working on bug 1311634 I noticed that I wasn't able to follow the dockerflow patterns for using an unprivileged user account.

Previously ATMO has used a Dockerfile (co-authored by cloudops) that used the user/group ID 1000 (which matches the default "ubuntu" user account in the used image).

When changing the user/group ID to 10001 as required by dockerflow the step in our continuous integration setup to collect static files stopped working with a generic Python error "OSError [Errno 13]: Permission denied".

To facilitate dev/prod parity we're using docker-compose to spin up a set of docker containers both in the development environment as well as on CI services Travis and Circle CI.

During that step the Django collectstatic management command tries to copy files to a directory called /app/static. That directory was not able to be written to.

I've done extensive research to find the cause of this issue, e.g. https://github.com/docker/docker/issues/1295, https://github.com/docker/docker/issues/7511#issuecomment-69261847 and was not able to fix the issue.

To reproduce the issue do the following using the bug1311634 git branch:

make test

That will run:

docker-compose run web python manage.py collectstatic --noinput
docker-compose run web pytest

On the first command it fails with the error described above.

What I noted is that building the "web" container with docker instead of docker-compose allowed me to run collectstatic without problems. So my current theory is that it has something to do with how docker-compose mounts the curren working directory as a volume in the docker container, which for some reason overwrites the permissions set in the image before.

I'd appreciate if someone would look at this since this is a blocker and frankly a pretty glaring omission in the dockerflow practices. I did check many other Mozilla Dockerfiles and was astounded how many were actually running the apps with root permissions.
BTW, https://github.com/mozilla/telemetry-analysis-service/pull/86 tries to do that more
Assignee: nobody → bimsland
Blocks: 1311634
Severity: normal → blocker
Summary: ATMO V2: Fix docker/docker-compose setup to follow dockerflow → ATMO V2: Fix docker/docker-compose setup to follow dockerflow, and/or fix dockerflow?
Whiteboard: [SvcOps]
Priority: -- → P1
Closing as this has been deployed and we're actively working on python-dockerflow to fill in the gabs for Python projects that dockerflow isn't specific enough.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Product: Cloud Services → Cloud Services Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: