The created volume's permissions are root:root/0755. This works fine for Docker caching, since the docker daemon runs as root -- but it fails in use cases where we want to use snapshots as a cache for other things which can be updated over time. For example, I want to use this as a terraform plugin cache shared across several related projects, which requires the ability to write and potentially update. :) To support those use cases, the filesystem should probably either be owned by runner:runner or have more open permissions.
I don't know if I have a strong preference for just adding a flag to the action which changes the mount permissions for the (maybe rare) situation, or if this should be a default change. The root user should be able to write even with alternate ownership, so changing the default perms should not be a breaking change.
Meanwhile, for those looking for a workaround, I'm just adding this to my workflow, assuming CACHE_DIR is an env var which is also used in the snapshot action.
```yaml
- name: Initialize cache directory
  run: |
    sudo chown -R "$(id -u)":"$(id -g)" "${CACHE_DIR}"
```
That's really not ideal for a large directory, since it's going to have to stat() every entry. Theoretically, just doing a chown without the -R should work on a new snapshot directory, since files inside will subsequently get created with root or runner as appropriate. But I only have tens of files in mine and they're all hit later, so the impact really isn't significant in my specific situation; pre-caching the stat calls is basically free since a later action will do it again anyway. :D