Comments (3)
Thanks for submitting an issue.
Please make sure to provide enough details for us to be able to replicate your issue or understand your question.
from birdhouse-deploy.
This is slightly more tricky (or has more implications) than it looks.
In order to manage different user-workspaces and file access permissions by various services using different interfaces, some file/dir hardlink special logic is being developed by @ChaamC to be used with https://github.com/ouranosinc/cowbird that must sync corresponding resources shared between those services. Because of these hard-links, the directories must reside on the same mount drive location to support resolution within docker services. Allowing custom location overrides by users that are not accustomed to the full stack could suddenly grant access to all user-workspace private files without realizing.
Similarly, because multiple services with different APIs can share access to those files (notably items under `wps_outputs` and under THREDDS data stores), the specific path under which they are mounted can impact the operability of those services, not to mention that some services can have a tendency to take ownership or change permissions of some of these files. In the case of THREDDS, the path is critical, as it must be replicated inside its own configuration to properly resolve and construct the URLs of the nested file hierarchy and their various data-conversion handlers.
In the case of Weaver, the mount location must match exactly between the host side and the mounted path inside the docker image. This is because Weaver CWL execution commands are published within its docker image, but the docker referenced in the Application Package that is executed by a subscribed weaver-worker is started as a sibling container on the host. This is done to allow minimal scaling and avoid docker-in-docker issues (security access elevation and such). However, this current restriction makes it such that these containers must use `${WEAVER_WPS_OUTPUTS_DIR}:${WEAVER_WPS_OUTPUTS_DIR}` mappings explicitly, and allowing more versatile customization of `WEAVER_WPS_OUTPUTS_DIR` (although technically still possible/override-able), could lead to security concerns or simply break entirely Weaver's processes if done by users unaware of this logic.
For cases such as `${DATA_PERSIST_ROOT}/magpie_persist`, this is less critical because the directory is intended to be used only by Magpie's PostgreSQL service. However, this is already customizable using `MAGPIE_PERSIST_DIR` override, so it could already be stored anywhere outside `DATA_PERSIST_ROOT` (or even another mount point).
from birdhouse-deploy.
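A pre-flight check for the two constraints described in the comment above: identical host/container paths for the Weaver outputs mount, and hard-link capability between shared directories. This is an added example, not code from the thread or from birdhouse-deploy; the function names, sample paths and directory names are assumptions.

```python
import os
import tempfile
from string import Template


def resolve_volume(spec, env):
    """Expand ${VAR} in a short-syntax compose volume 'SRC:DST[:MODE]'."""
    parts = Template(spec).substitute(env).split(":")
    if len(parts) < 2:
        raise ValueError(f"not a bind mount: {spec!r}")
    return os.path.normpath(parts[0]), os.path.normpath(parts[1])


def is_identity_mount(spec, env):
    """Sibling containers are started by the host daemon, so the path must be
    the same on the host and inside the container."""
    src, dst = resolve_volume(spec, env)
    return src == dst


def same_filesystem(paths):
    """Hard links cannot cross filesystems: every path must share st_dev."""
    return len({os.stat(p).st_dev for p in paths}) == 1


def hardlink_works(src_file, dst_dir):
    """Same st_dev is necessary but not sufficient (separate bind mounts of one
    filesystem still refuse links), so attempt a real link and compare inodes."""
    dst = os.path.join(dst_dir, os.path.basename(src_file))
    try:
        os.link(src_file, dst)
    except OSError:
        return False
    return os.stat(src_file).st_ino == os.stat(dst).st_ino


def demo():
    env = {"WEAVER_WPS_OUTPUTS_DIR": "/data/wps_outputs"}  # constructed value
    var = "${WEAVER_WPS_OUTPUTS_DIR}"
    out = {"identity": is_identity_mount(f"{var}:{var}", env),
           "override": is_identity_mount(f"/mnt/other/wps_outputs:{var}:rw", env)}
    with tempfile.TemporaryDirectory() as root:  # stand-in for the data root
        dirs = [os.path.join(root, d) for d in ("wps_outputs", "user_workspaces")]
        for d in dirs:
            os.mkdir(d)
        probe = os.path.join(dirs[0], "probe.nc")
        open(probe, "w").close()
        out["same_fs"] = same_filesystem(dirs)
        out["hardlink"] = hardlink_works(probe, dirs[1])
    return out
```

Run against the real directories before accepting a location override; an `override` result of `False` or a failed link indicates the custom path breaks one of the assumptions above.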
Thanks for the insight into the details of this:

> some file/dir hardlink special logic is being developed by @ChaamC to be used with https://github.com/ouranosinc/cowbird

Ok good to know, let me look into this a bit more to make sure I understand what is happening before I do anything else

> In the case of Weaver, the mount location must match exactly between the host side and the mounted path inside the docker image

This bit I was aware of, and I believe it's the same for the jupyter user data directories that get mounted to the jupyter containers in a similar way. I'll make sure not to affect those.
from birdhouse-deploy.
Related Issues (20)
- :books: [Documentation]: Improve descriptions of all components (including those that are/were in config/) HOT 2
- STAC specific configurations for Nginx data access
- :bulb: [Feature] Twitcher: Log WARN/ERROR level of gunicor/pyramid in `docker logs twitcher` HOT 1
- :question: [Question]: Can we change PAVICS to Birdhouse everywhere HOT 8
- :bug: [BUG]: [PAVICS] Password UI issues HOT 2
- Security-related variables using hardcoded defaults HOT 1
- :bug: [BUG]: Cowbird is not backward compatible with existing Jupyter users HOT 14
- :bug: [BUG]: Broken CanarieAPI monitoring configurations HOT 1
- :bug: [BUG]: Resolve GeoServer vs GeoServer-Secured access
- :bulb: [Feature] Add postgres username values to default security checks
- :bug: [BUG]: PAVICS_FQDN_PUBLIC should be used in many places instead of PAVICS_FQDN
- :books: [Documentation]: optional-components/README.rst still refers to ports
- :books: [Documentation]: Are we missing files in `html_extra_path` when building docs?
- :bulb: [Feature] Automate GitHub releases
- :bulb: [Feature] Provide component service version HOT 8
- :bug: [BUG]: Unable to disable JupyterHub behind Twitcher HOT 8
- :bulb: [Feature] Log download stats from THREDDS server HOT 3
- :bulb: [Feature] Add recording rules to Prometheus configuration to store hourly/daily metrics HOT 3
- :bulb: [Feature] Include rook server in optional components HOT 6
- :bulb: [Feature] Test platform upgrade path instead of fresh install HOT 7