aiidateam / aiida-prerequisites

Docker image that contains all prerequisites allowing to run AiiDA.

When to create system user: at image build or at container startup? #10

Closed yakutovicha closed 4 years ago

yakutovicha commented 4 years ago

Probably a solution that works for everyone does not exist, but we should be clear about why we made such a decision and how it may affect the usage of the image/container.

First, let me try to summarize the pros and cons of each approach:

Creating user at image build: It basically means that user creation is done inside the Dockerfile. So it will be done for the image and all containers.

Pros:

  1. The home folder already exists, so server folders can be mounted to it.
  2. Heavy things, like installing a large number of packages, happen at image build, and not at container startup.

Cons:

  1. The inherited images will be kind of obliged to use the same user for their purposes.
  2. Since, most probably, the aiida-prerequisites image won't be used directly, but as a base image - it will be impossible to modify the default user for the inherited images.

Creating user at container startup:

Pros:

  1. Username/id can be decided at container startup.
  2. Different services can use the same image directly from Docker Hub

Cons:

  1. The home folder does not yet exist at container startup, so a server folder can only be mounted to it using the -v option, which will actually create the folder.
  2. Container startup can take a while.

yakutovicha commented 4 years ago

Possible solution 1.

Provide an environment variable (something like MOUNT_HOME_USER_FOLDER). If its value is false - do not mount anything. Otherwise, mount ${MOUNT_HOME_USER_FOLDER} to the /home/${SYSTEM_USER} folder.

One needs to figure out, though, if JupyterHub allows providing variables to the docker container startup. It probably should.

This way we can potentially overcome the cons of user creation at container startup.

UPDATE1:

The line

c.DockerSpawner.volumes = {'/var/jupyterhub/volumes/{username}' : '/home/aiida/'}

put in jupyterhub_config.py will create the folder /home/aiida, so one does not need to create it.

UPDATE2:

This is how to set environment variables using jupyterhub_config.py: c.DockerSpawner.environment = {"SYSTEM_USER_UID":"1234"}

yakutovicha commented 4 years ago

Conclusion

After some thought and testing, I came to the conclusion that creating the user at startup is the best option. I think the advantages that are brought by the flexibility of this approach outweigh the drawbacks. Advantages, in that case, are: not fixing the user name, and, what follows directly from this, that containers that depend on aiida-prerequisites can choose the username they want. The disadvantages that I found are technical and can be overcome by using the -v option for mounting (which will create the non-existent user's home folder) and by careful selection of what to run at startup (long startup time).

I close the issue for the moment until someone has more questions/suggestions.
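
An added example, not part of the thread and not the project's own code: a sketch of a startup script that creates the user from SYSTEM_USER and SYSTEM_USER_UID (the variable names used above) and copes with a home folder that a -v mount has already created. The function names, the accepted name and UID ranges, the 750 mode and the `--apply` flag are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical startup script, not the project's own code).
LC_ALL=C; export LC_ALL   # make the a-z ranges below byte-exact

# Conservative login-name check: lower-case start, then [a-z0-9_-], max 32 chars.
valid_name() {
    case "$1" in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Decimal UID in 1000..60000 (assumed range), so the variable can never
# select root (0) or a system account.
valid_uid() {
    case "$1" in
        ''|0*|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1000 ] && [ "$1" -le 60000 ]
}

# Create the user, then hand the home folder to it. A folder mounted with -v
# already exists at startup and may be owned by root.
create_system_user() {
    name=$1 uid=$2 home="/home/$1"
    valid_name "$name" || { echo "invalid SYSTEM_USER" >&2; return 2; }
    valid_uid "$uid" || { echo "invalid SYSTEM_USER_UID" >&2; return 2; }
    if ! id "$name" >/dev/null 2>&1; then
        if [ -d "$home" ]; then   # mounted volume: do not try to create it
            useradd --uid "$uid" --home-dir "$home" --no-create-home "$name"
        else
            useradd --uid "$uid" --home-dir "$home" --create-home "$name"
        fi || return 1
    fi
    # Top level only: a recursive chown of a large volume slows startup.
    chown "$name" "$home" && chmod 750 "$home"
}

# Assumed flag: act only when called as "<script> --apply" (as root).
if [ "${1:-}" = "--apply" ]; then
    create_system_user "${SYSTEM_USER:-}" "${SYSTEM_USER_UID:-}"
fi
```

Because the values arrive through the container environment, they are checked before they reach useradd or a path under /home.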