[supervisor] Force gitpod user during Git init

Author: csweichel

components/content-service/pkg/executor/executor.go

@@ -44,7 +44,7 @@ func Prepare(req *csapi.WorkspaceInitializer, urls map[string]string) ([]byte, e
 
 // Execute runs an initializer to place content in destination based on the configuration read
 // from the cfgin stream.
-func Execute(ctx context.Context, destination string, cfgin io.Reader, opts ...initializer.InitializeOpt) (src csapi.WorkspaceInitSource, err error) {
+func Execute(ctx context.Context, destination string, cfgin io.Reader, forceGitUser bool, opts ...initializer.InitializeOpt) (src csapi.WorkspaceInitSource, err error) {
 	var cfg config
 	err = json.NewDecoder(cfgin).Decode(&cfg)
 	if err != nil {
@@ -63,7 +63,9 @@ func Execute(ctx context.Context, destination string, cfgin io.Reader, opts ...i
 		}
 
 		rs = &storage.NamedURLDownloader{URLs: cfg.URLs}
-		ilr, err = initializer.NewFromRequest(ctx, destination, rs, &req)
+		ilr, err = initializer.NewFromRequest(ctx, destination, rs, &req, initializer.NewFromRequestOpts{
+			ForceGitpodUserForGit: forceGitUser,
+		})
 		if err != nil {
 			return "", err
 		}

components/content-service/pkg/git/git.go

@@ -275,23 +275,6 @@ func (c *Client) Clone(ctx context.Context) (err error) {
 		return err
 	}
 
-	// TODO (aledbf): refactor to remove the need of manual chown
-	args = []string{"-R", "-L", "gitpod", c.Location}
-	cmd := exec.Command("chown", args...)
-	res, err := cmd.CombinedOutput()
-	if err != nil {
-		if err.Error() == "wait: no child processes" || err.Error() == "waitid: no child processes" {
-			return nil
-		}
-
-		return OpFailedError{
-			Args:       args,
-			ExecErr:    err,
-			Output:     string(res),
-			Subcommand: "chown",
-		}
-	}
-
 	return nil
 }
 

components/content-service/pkg/initializer/git.go

@@ -7,6 +7,7 @@ package initializer
 import (
 	"context"
 	"os"
+	"os/exec"
 
 	"github.com/opentracing/opentracing-go"
 	"golang.org/x/xerrors"
@@ -44,6 +45,9 @@ type GitInitializer struct {
 
 	// The value for the clone target mode - use depends on the target mode
 	CloneTarget string
+
+	// If true, the Git initializer will chown(gitpod) after the clone
+	Chown bool
 }
 
 // Run initializes the workspace using Git
@@ -68,6 +72,21 @@ func (ws *GitInitializer) Run(ctx context.Context, mappings []archive.IDMapping)
 	if err := ws.Clone(ctx); err != nil {
 		return src, xerrors.Errorf("git initializer: %w", err)
 	}
+	if ws.Chown {
+		// TODO (aledbf): refactor to remove the need of manual chown
+		args := []string{"-R", "-L", "gitpod", ws.Location}
+		cmd := exec.Command("chown", args...)
+		res, cerr := cmd.CombinedOutput()
+		if cerr != nil && !(cerr.Error() == "wait: no child processes" || cerr.Error() == "waitid: no child processes") {
+			err = git.OpFailedError{
+				Args:       args,
+				ExecErr:    cerr,
+				Output:     string(res),
+				Subcommand: "chown",
+			}
+			return
+		}
+	}
 	if err := ws.realizeCloneTarget(ctx); err != nil {
 		return src, xerrors.Errorf("git initializer: %w", err)
 	}

components/content-service/pkg/initializer/initializer.go

@@ -55,12 +55,22 @@ func (e *EmptyInitializer) Run(ctx context.Context, mappings []archive.IDMapping
 	return csapi.WorkspaceInitFromOther, nil
 }
 
+// NewFromRequestOpts configures the initializer produced from a content init request
+type NewFromRequestOpts struct {
+	// ForceGitpodUserForGit forces gitpod:gitpod ownership on all files produced by the Git initializer.
+	// For FWB workspaces the content init is run from supervisor which runs as UID 0. Using this flag, the
+	// Git content is forced to the Gitpod user. All other content (backup, prebuild, snapshot) will already
+	// have the correct user.
+	ForceGitpodUserForGit bool
+}
+
 // NewFromRequest picks the initializer from the request but does not execute it.
 // Returns gRPC errors.
-func NewFromRequest(ctx context.Context, loc string, rs storage.DirectDownloader, req *csapi.WorkspaceInitializer) (i Initializer, err error) {
+func NewFromRequest(ctx context.Context, loc string, rs storage.DirectDownloader, req *csapi.WorkspaceInitializer, opts NewFromRequestOpts) (i Initializer, err error) {
 	//nolint:ineffassign,staticcheck
 	span, ctx := opentracing.StartSpanFromContext(ctx, "NewFromRequest")
 	defer tracing.FinishSpan(span, &err)
+	span.LogKV("opts", opts)
 
 	spec := req.Spec
 	var initializer Initializer
@@ -71,7 +81,7 @@ func NewFromRequest(ctx context.Context, loc string, rs storage.DirectDownloader
 			return nil, status.Error(codes.InvalidArgument, "missing Git initializer spec")
 		}
 
-		initializer, err = newGitInitializer(ctx, loc, ir.Git)
+		initializer, err = newGitInitializer(ctx, loc, ir.Git, opts.ForceGitpodUserForGit)
 	} else if ir, ok := spec.(*csapi.WorkspaceInitializer_Prebuild); ok {
 		if ir.Prebuild == nil {
 			return nil, status.Error(codes.InvalidArgument, "missing prebuild initializer spec")
@@ -80,7 +90,7 @@ func NewFromRequest(ctx context.Context, loc string, rs storage.DirectDownloader
 			return nil, status.Error(codes.InvalidArgument, "missing prebuild Git initializer spec")
 		}
 
-		gitinit, err := newGitInitializer(ctx, loc, ir.Prebuild.Git)
+		gitinit, err := newGitInitializer(ctx, loc, ir.Prebuild.Git, opts.ForceGitpodUserForGit)
 		if err != nil {
 			return nil, err
 		}
@@ -110,7 +120,7 @@ func NewFromRequest(ctx context.Context, loc string, rs storage.DirectDownloader
 
 // newGitInitializer creates a Git initializer based on the request.
 // Returns gRPC errors.
-func newGitInitializer(ctx context.Context, loc string, req *csapi.GitInitializer) (*GitInitializer, error) {
+func newGitInitializer(ctx context.Context, loc string, req *csapi.GitInitializer, forceGitpodUser bool) (*GitInitializer, error) {
 	if req.Config == nil {
 		return nil, status.Error(codes.InvalidArgument, "Git initializer misses config")
 	}
@@ -167,6 +177,7 @@ func newGitInitializer(ctx context.Context, loc string, req *csapi.GitInitialize
 		},
 		TargetMode:  targetMode,
 		CloneTarget: req.CloneTaget,
+		Chown:       forceGitpodUser,
 	}, nil
 }
 

components/image-builder/cmd/bob-init-base.go

@@ -48,7 +48,7 @@ var bobInitBase = &cobra.Command{
 
 		ctx := context.Background()
 		rms := &storage.DirectNoopStorage{}
-		ilr, err := initializer.NewFromRequest(ctx, initwd, rms, src.Source)
+		ilr, err := initializer.NewFromRequest(ctx, initwd, rms, src.Source, initializer.NewFromRequestOpts{ForceGitpodUserForGit: false})
 		if err != nil {
 			log.Fatalf("cannot create initializer: %v", err)
 		}

components/supervisor/pkg/supervisor/supervisor.go

@@ -870,7 +870,7 @@ func startContentInit(ctx context.Context, cfg *Config, wg *sync.WaitGroup, cst
 		return
 	}
 
-	src, err := executor.Execute(ctx, "/workspace", f)
+	src, err := executor.Execute(ctx, "/workspace", f, true)
 	if err != nil {
 		return
 	}

components/ws-daemon/pkg/content/initializer.go

@@ -278,7 +278,7 @@ func RunInitializerChild() (err error) {
 
 	rs := &remoteContentStorage{RemoteContent: initmsg.RemoteContent}
 
-	initializer, err := wsinit.NewFromRequest(ctx, "/dst", rs, &req)
+	initializer, err := wsinit.NewFromRequest(ctx, "/dst", rs, &req, wsinit.NewFromRequestOpts{ForceGitpodUserForGit: false})
 	if err != nil {
 		return err
 	}