Allow running storage-proxy as root

[achimnol]

Since we allow sudo for specific customer sites, often users create files and directories in vfolder mounts as root. Though this is NOT a recommended behavior or intended usage as we provide sudo to customize the image filesystem, not vfolder mounts, still it will be useful to run storage-proxy as root to clean up vfolders containing potentially root-created files due to various reasons.

Currently, if we configure uid and gid fields in storage-proxy.toml and execute the storage proxy as root, it will self-downgrade its privilege to the given uid/gid after binding the service sockets upon startup.

Let's add a new boolean flag option run-as-root, so that the storage-proxy processes keep running as root while changing the ownership of any created files and directories inside vfolder mounts to the configured uid and gid.

Places to ensure the file ownership for API-created files and directories:

• ai.backend.common
  • files.AsyncFileWriter: add an optional kwarg to override the created file's ownership
• ai.backend.storage
  • api.client
    • prepare_tus_session_headers(): when creating .upload folder to store tus upload session data
    • tus_upload_part(): pass uid/gid to AsyncFileWriter, set uid/gid of any mkdir calls
  • vfs.BaseVolume
    • create_vfolder()
    • clone_vfolder(): set the target vfolder's ownership only, not the copied contents
    • mkdir()
    • add_file(): refactor to use AsyncFileWriter?
    • prepare_upload()
• Check if other places require update as well.

Note

If you change run-as-root setting of an existing storage-proxy, quota scopes created afterwards may be owned by root while existing ones is owned by a user account.