New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[FIX] Sqlite3 Should create db for missing parent directories as well #51628
Merged
byroot
merged 1 commit into
rails:main
from
maniSHarma7575:51623-sqlite3-should-create-db-for-missing-parent-directories
May 6, 2024
+9
−11
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Jump to
Jump to file
Failed to load files.
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This test shouldn't be deleted but updated so it still simulate a failure. Of course it's trickier now that
mkdir_p
is used.One way could be to create a temporary directory and change its permissions. e.g.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@byroot, observe the alterations made:
Before:
Now:
The removal of the rescue block is notable. Why?
Errno::ENOENT
exception diminishes since the file or directory will now be created.Errno::EACCES
exception will be raised instead.Incorporating a failure test, I've implemented a test here
activerecord/test/cases/adapters/sqlite3/sqlite3_adapter_test.rb:16
This test is green on my local machine. And it's strange that in
buildkite/rails
CI it's failing. Could you please check here what I am doing wrong?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure, try
File.chmod(0x000, dir)
(notFileUtils
).Also the bubbled exception shouldn't be an errno, we should handle all
SyscallError
and wrap them inActiveRecord::NoDatabaseError
.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks, @byroot! I also attempted to use
File.chmod(0x000, dir)
.https://github.com/rails/rails/pull/51628/files#diff-91ca39a63c4ff81c0580c12472a0a709c1d9c428a3ace4970ff3076d90ba6b13
But that doesn't seems to work.
Interestingly, the same test runs fine on my local machine.
I debugged and discovered something unexpected in CI.
https://buildkite.com/rails/rails/builds/106656#018f1f16-c702-468a-9f0b-d14d5eeba392
That parent directory permission mode is:
/tmp/d20240427-17-857wvl: 40000
And this parent directory is still able to make the child directory
db
with/tmp/d20240427-17-857wvl/db: 40755
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@byroot , I've identified the issue above and why it's exhibiting this unusual behavior.
To replicate the behavior, I conducted independent experiments with the FileUtils.mkdir_p method. Consequently, I crafted a script to test the method:
When I executed the above script on my local machine with Ruby installed (
ruby 3.2.2 (2023-03-30 revision e51014f9c0) [arm64-darwin22]
), it ran without issues:Since Builtkite Rails CI runs on Docker, I decided to run the same script within a Docker container. For this purpose, I created the following Dockerfile:
The
reproduce.rb
script remains unchanged.Here's the output from running and building the image:
The question arises: Why does the Docker environment not raise an exception?
Upon inspecting the Docker container, I discovered that
chmod
sets the correct permissions for the directory:Creating another directory inside
d20240427-24-sa4xz6
occurs without errors because both the owner and group have root privileges:In summary, the root user can create files in a directory marked as Read Only.
Confirmed the user in Builkite Rails CI pipeline as well it's a root user:
https://buildkite.com/rails/rails/builds/106668#018f2402-28f6-4a89-a27d-04b675b70ed6
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@byroot , did you have a chance to look at it?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Tried solution:
with chattr command it gives an error:
https://buildkite.com/rails/rails/builds/106846#018f48ea-55a2-4af2-9f8d-acf4c38f1a57
Outcome: Docker Deny access to some filesystem operations, like creating new device nodes, changing the owner of files, or altering attributes (including the immutable flag).
It's mentioned here: https://docs.docker.com/engine/security/#linux-kernel-capabilities
Solution to solve this is: This is related to capabilities thing: chattr requires CAPLINUX IMMUTABLE which is disabled in docker by default. Just add -- cap-add
LINUX_ IMMUTABLE to docker container start options to enable it.
That's itself another issue on. I don't know whether to proceed with this or not as we have to do modification in CI.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Sorry, got side tracked, looking at it now.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Alright, I think that the issue is CI runs as root, so it's hard to simulate any problem into creating a directory or file.
So while I don't like not covering this sort of things with a test, I don't quite see what we could do, and anyway it could likely fail in dozens of different ways, so coverage here will never be that good.
I'll remove the test, sorry for sending you on a goose chase.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! @byroot. Goose chase helped me go dig deep into docker and linux.