Move dynamic user setting from Dockerfile to entrypoint.sh

[LuQQiu]

Prerequisite: Docker knowledge https://docs.alluxio.io/ee/user/stable/en/deploy/Running-Alluxio-On-Docker.html POSIX API knowledge https://docs.alluxio.io/os/user/stable/en/api/POSIX-API.html

Description: In our https://github.com/Alluxio/alluxio/blob/master/integration/docker/Dockerfile and https://github.com/Alluxio/alluxio/blob/master/integration/docker/Dockerfile.fuse, we have a special docker build parameter ENABLE_DYNAMIC_USER which is false by default.

By default, Alluxio Fuse mount point can only be accessed by the user mounting the Fuse. Other users or the root user may also want to access the Fuse mount point. In this case, they need to modify the Linux /etc/fuse.conf file to add user_allow_other and make other needed changes. Those changes are done by enabling ENABLE_DYNAMIC_USER in Alluxio docker images.

To ENABLE_DYNAMIC_USER, we need to run

$ cd /tmp/alluxio/integration/docker
$ docker b
uild -t alluxio/alluxio:2.6.0-SNAPSHOT-9c1c15fb66 --build-arg ENABLE_DYNAMIC_USER="true" --build-arg ALLUXIO_TARBALL=alluxio-2.6.0-SNAPSHOT-bin-master-9c1c15fb66.tar.gz .
$ docker b
uild -f Dockerfile.fuse -t alluxio/alluxio-fuse:2.6.0-SNAPSHOT-9c1c15fb66 --build-arg ENABLE_DYNAMIC_USER="true" --build-arg ALLUXIO_TARBALL=<tarball> .

to build docker images.

We don't want two sets of docker images, one with ENABLE_DYNAMIC_USER="true" and one without.

Instead of doing it in the docker files, it will be helpful if dynamic user can be enabled in the alluxio/integration/docker/entrypoint.sh as a parameter. Then if we want dynamic user enabled, we can launch containers like

docker run --rm \
    --net=host \
    --name=alluxio-fuse \
    -v /tmp/mnt:/mnt:rshared \
    -e "ALLUXIO_JAVA_OPTS=-Dalluxio.master.hostname=localhost" \
    --cap-add SYS_ADMIN \
    --device /dev/fuse \
    --security-opt apparmor:unconfined \
    alluxio/alluxio-fuse fuse --dynamic-user=true

No need to use two sets of docker images.

Step 1: Understand Alluxio docker and Alluxio POSIX API. Try deploying Alluxio cluster with POSIX API in Linux env. Step 2: Try building docker images without dynamic user enabled. Deploy Alluxio cluster with POSIX API with allow_other/allow_root option. See if the Fuse mount point can be accessed by other users or root users. Step 3: Try building docker images with dynamic user enabled and deploy the Alluxio cluster with POSIX API with allow_other/allow_root option. See if the Fuse mount point can be accessed by other users or root users. Step 4: Modify the entrypoint.sh script to take dynamic user as a parameter and do similar things as the docker file ENABLE_DYNAMIC_USER. Step 4: Test out your changes, make sure it doesn't break anything, make sure allow_other POSIX API option can be used when --dynamic-user=true.

Feel free to use another flag name as long as the functionality requirement fulfilled.

[LuQQiu]

@ssz1997 PTAL this issue, thanks!

[ssz1997]

The non-root user has to have permission to modify the access permission in entrypoint. This can be done by giving respect permissions in Dockerfile/Dockerfile.fuse, specifically, this command: https://github.com/Alluxio/alluxio/blob/5721e853b22df85cc06b4e8c7b6039160b8c6700/integration/docker/Dockerfile#L84. Two questions here:

1. Do we want to give such permissions to the user? Will this bring potential security issue?
2. It's hard to change the permission to 777 of the docker volume specified with the -v parameter during launch time. Since we are dealing with "Permission to access Fuse mount point", I suppose it is ok to bypass this docker volume? Is this correct or am I missing anything?

Thanks!