feat(init): create /var/lib/decnet/artifacts with setgid + group-write
DEBT-035 step 2. Today the artifacts subtree is auto-created by Docker as root when a decoy container's bind-mount fires for the first time. The resulting permissions are root:root 0o755 — the API process (running as the decnet user) hits PermissionError trying to read transcripts written by the container, and the soft-fail 404 path gets exercised on every fresh deploy.

Add `/var/lib/decnet/artifacts` to init's dirs list with mode 0o2775:

* 0o2000 — setgid bit. New files inherit the directory's group (decnet), regardless of which uid created them. This is the load-bearing bit for cross-container reads.
* 0o0775 — owner+group rwx, world rx. Group-write lets the API process and the local TTP worker read each other's outputs without a manual chown.

`_ensure_dir` already respects the full mode word via `os.chmod`, no helper change needed.

Test asserts the resulting directory carries exactly 0o2775 after a fresh `decnet init --prefix`.

Defence-in-depth: this works even if the per-decoy compose `user:` directive (next commit) misses a template — files still land in the decnet group.
@@ -764,6 +764,13 @@ def register(app: typer.Typer) -> None:
(pfx / _install_rel, 0o755, user, group),
(pfx / "var/lib/decnet", 0o750, user, group),
(pfx / "var/lib/decnet/geoip", 0o755, user, group),
# DEBT-035 / DEBT-047: artifact root carries setgid (the
# 0o2... bit) so every file written under it inherits the
# decnet group regardless of which container's uid created
# it. Group-write (0o2775) lets the API process and the
# local TTP worker read each other's outputs without a
# manual chown after every fresh deploy.
(pfx / "var/lib/decnet/artifacts", 0o2775, user, group),
(pfx / "var/log/decnet", 0o750, user, group),
(etc_decnet, 0o755, "root", group),
(pfx / "run/decnet", 0o755, "root", group),
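Review bot: the world-rx bits in `0o2775` on `var/lib/decnet/artifacts` are unreachable, because the parent `var/lib/decnet` two entries above is created `0o750` and nobody outside owner/group can traverse it; either drop them (`0o2770`, matching the parent's posture) or state in the comment that the `5` is intentional for a future relaxation, so the next reader does not mistake it for a gap. Separately, the comment block claims group-write "lets the API process and the local TTP worker read each other's outputs", but reading only needs group `r` on the files and `x` on the directory; the mode the files themselves get is set by each writer's umask, which the setgid bit does not change, so the comment should say that group-write here covers creating and replacing entries in the directory, not the files' own group permissions. Minor: the comment cites `DEBT-035 / DEBT-047` while the commit message mentions only DEBT-035; make the two consistent.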