-
Notifications
You must be signed in to change notification settings - Fork 1.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add occ
and occ-cron
scripts
#2126
base: master
Are you sure you want to change the base?
Conversation
512dcf2
to
7b0ffec
Compare
Looks like CI is broken due to some runtime issues with the CI env right now. Will try again later... |
CI is back up again and all tests are passing (even though not fully stable, still requiring re-runs... 😒). Ready for review and merge. 👍 |
I'm not clear on the purpose/intent. Are you exec'ing into the container often (I don't)? Or is this really just to shorten TBH, I don't see any end-user benefit, and I'm not sure there's a benefit to code maintenance. Do we want this change? FWIW, I just use a script like this on the host: #!/bin/bash
set -o errexit
set -o nounset
set -o pipefail
if [[ -t 1 ]]; then
ttyargs='--interactive --tty'
else
ttyargs=''
fi
sudo docker exec $ttyargs --user www-data nextcloud_app_1 php occ "$@" Then as a user with |
Depends on what you consider "often". I do exec into Nextcloud containers from time to time to use
It's a side-effect.
The end-user benefit is to make using To be honest, I'm a bit baffled that you claim that there's no end-user benefit. There certainly is one. You might argue that the benefit is tiny, because you assume that the majority of users (maybe even everyone except me) uses The question isn't whether there's a benefit, there is. The question is whether there are negative consequences that would counteract this benefit. A common negative consequence could be increased code maintenance. However, since having hard-coded paths in multiple places is an anti-pattern, I'd argue that it actually decreases code maintenance. Is it decreasing code maintenance by a lot? Certainly not. But still. So, if you see any negative consequences, please go ahead. I'm very open for any discussion to find the best solution.
So, you acknowledge that using I don't run a single Nextcloud container, but multiple. I don't even use Docker, but Podman and run all my containers as different unprivileged users. I even switch Nextcloud containers from one server to the other from time to time. Adding a host script would require me to replicate my container orchestration in a static script on the host. That's not practical. The whole idea of containerization is that it doesn't matter on which host the container runs. Expecting changes on the host is an anti-pattern. |
No debate there... I was trying to better understand the intent of your patch, not
Agreed. Maybe we should poll users or continue to workshop this a bit? Or at least see what other maintainers/contributors/users think about it? Or just press on... I don't have a strong opinion. It sounds like you do though, and that's cool. Go for it. With your last and most helpful paragraph I think I'm hearing a very different use case than mine. I manage only one Nextcloud server instance, I use Docker, and I rarely run
I don't see any negative consequences. Or positive ones (for me), honestly. Please understand I'm acting in good faith, driven by curiosity, and I'm just speaking to my own use case. It is entirely possible I'm just failing to get the point, so don't mind me, really. I'm not an official maintainer or anything. Anyway, I'll try add some detail about my use case. Let's see if we can make some progress. I rarely if ever exec into any containers. I'm just one user/admin speaking for myself, but I'd say it's best to stay out of containers (avoid manual interaction) as much as possible. Would you agree? I get that you're making it possible to run This I also don't need to run And--perhaps I'm being super controversial here--I'm not sure shorter/relative paths are categorically better. Absolute paths are more specific, arguably more secure, and often higher maintenance. Yet, just about as easy to search and replace with a regex. Heck, maybe the path to
Cool. Same here, I always appreciate collaboration! I hope this is helpful.
Hmm. Well, maybe I missed something, but it looks to me like your changes are entirely in-container, so my kludgy host-side workaround serves a different purpose: simplification outside the container. With your patch I'd still have to I use Docker (for now). Maybe with Podman your patch brings other benefits?
Agreed, I don't like it either. This is helpful info, thanks. Again, our use cases our likely different. How do you |
I got nothing to add here:
Many requirements that make using
Please check
Just a plain simple
I'm not using the |
587d6d5
to
6adb6ea
Compare
Thanks for your suggestion, however I think it's out-of-scope to add another wrapper here. For your own use-case, you can easily adopt the script and prefix it with |
As explained earlier, requiring changes on the host defies the purpose of containerization. Stating that one could mount the script into the container is a dead-end argument; it's the same as stating that one could also fork the project. It's true, but not how we want to discuss things in Nextcloud. Let's put the advantages and disadvantages on the table and weigh them. It's a trade-off, and if everyone else ends up concluding that the advantages don't outweigh the disadvantages, I'll happily agree. However, I'd like to understand where you see disadvantages and/or why you weigh the advantages differently.
This is only true in a very limited scenario: Regarding the path only and for direct invocations only, i.e.
@J0WI, can you please elaborate in which way it might confuse users and what edge cases you have in mind? I truly can't think of any right now. Can you please also elaborate in which way it adds another layer of complexity? Since it's just an additional and optional (it doesn't affect any existing usage) script, I really just don't understand how it might add another layer of complexity? Or are you solely referring to "it's more LoC"? |
Not really. This image is used in a bunch of heterogeneous environments. Some use it with docker, podman, k8s and probably more. Some use the image as-is, some install a bunch of additional extensions, scripts and other features on top of it. And some run it with limited user, capabilities, SELinux etc. We try to provide a generic base image with the option to customize it. We also try to keep it similar to other images from the official library. We expect that people look at Nextcloud documentation if they need to change something within their instance. The Nextcloud documentation refers to Nextcloud's own
It's a tool that is not maintained by Nextcloud itself. So we have to maintain it, check compatibility with each version, write documentation for it and if anything goes wrong Nextcloud will forward people complaining about it to this repo. I hope you can follow these doubts. |
6adb6ea
to
026307a
Compare
So, none? 🤷♂️ None of these apply that wouldn't also apply for any pre-existing procedure, which won't be affected in any way by adding such script. That means, if one had created an individual image with whatever limitation imaginable, the solution one came up with to still use
Adding such scripts is standard procedure in the official library. Check e.g. the PHP image.
First: In which way does it differ? Second:
I stumbled across "third party wrapper script" earlier, but what is "maintained by Nextcloud itself" supposed to mean? That it's no part of the Besides, we're at the same point as before: Can you please elaborate on what exact problems (towards maintenance and compatibility), documentation changes and user complaints you expect from this addition specifically? Towards user complaints I rather expect the opposite, since the current solution requires users to consider multiple non-default things when using |
This allows easier access to `occ` and `occ-cron` within the container. Signed-off-by: Daniel Rudolf <[email protected]>
Signed-off-by: Daniel Rudolf <[email protected]>
Signed-off-by: Daniel Rudolf <[email protected]>
Signed-off-by: Daniel Rudolf <[email protected]>
Please note that `run_as` included `sh -c`, which is in any practical sense identical to `eval`, therefore we simplify `occ maintenance:install` to use `eval` instead. I'm no fan of `eval` either, however, since we must construct `$install_options` at runtime there simply is no other way to achieve this with POSIX-alike shells like Debian's Bash POSIX mode, and Alpine's Ash. Signed-off-by: Daniel Rudolf <[email protected]>
Signed-off-by: Daniel Rudolf <[email protected]>
Signed-off-by: Daniel Rudolf <[email protected]>
Rebased and bumping this. @J0WI Thank you for the concerns you've raised. I believe that I've addressed all of them, but unfortunately you didn't follow up. So, can I assume that your concerns have been eliminated? If not, please explain what issues remain and name specific examples to give me a chance to address them. I'm absolutely fine with closing this PR if there are real life issues. I'd follow-up with another PR just incorporating the code cleanups in Also requesting a review from Josh (@joshtrichards) now since he seems to be more active since this PR has been opened. It's quite hard to find other people active in this repo to get more opinions… So, please feel free to ping others. |
Sounds like this is to to address the following situations:
And, to a lesser extent, to do the same for Is that about right? Couple quick thoughts:
For what it's worth, I'm routinely exec'd into my app containers and using
Then running Or, for a single
Or, when doing something as root (i.e. not
That's it I think.
P.S. Incidentally, this PR makes me wonder if we should switch to |
Yes, that's about right: Making these things easier and less prone to errors. The other advantage (improved code maintenance due to the removal of
Prefixing The other disadvantages of directly invoking However, I'd strongly vote against adding In both cases we introduce another way of doing things that's different from upstream tough - with the exception that using wrappers isn't new and already mentioned in the upstream docs.
What do you do if you need to call
Excellent point, thanks 👍 That's solved by using
Yeah, I'd be fine with that, running
|
occ
andocc-cron
are simple wrapper scripts allowing server admins (or are they called "container admins" then? 😄) to easily runocc
within the container.The
occ
script makes things just way easier: Right now an admin has to remember to switch to thewww-data
user first and then use clumsyphp -f /var/www/html/occ -- status
calls to get the job done. Just callingocc status
makes life significantly easier. The old way of doing things works as before, so it's fully backwards compatible.