Grant redmine write access on the db/ folder
Added by Quentin Aymard 5 months ago
Hi,
I am running a custom Docker image packaging a production-ready Redmine. It is designed to run in root-less, read-only mode, so I pay extra attention to required permissions on various folders.
Right now, the application is started with user redmine, which has read access to the entire app, but write access only to three bind-mounted folders: files/, log/ and plugins/, as required by the installation documentation. I am now trying to integrate Redmine DB migrations and plugin migrations to this image. Several questions arose in this context, for which I can't find definitive answers in the available documentation:
User performing rake tasks
- Without any modification, running migrations with the redmine user fails, because rake cannot write in the db/ folder. This is perfectly expected in the current state of this image.
- Without any modification, running migrations with the root user succeeds, because rake is now able to write the db/ folder. This is also perfectly fine.
The first question is the following: is it better to run migrations with the redmine user, or the root user? Does this make any difference at all?
Migrations periodicity
Running rake migrations as redmine would allow me to very easily run them each time the container starts (adding the commands to the entrypoint). This eliminates the risk of forgetting migrations on upgrade, but would require giving redmine write access on the db/ folder.
On the other hand, running rake migrations as root would allow me to NOT give redmine write access to db/, but consequently would require some adaptations to run migrations from the entrypoint. I don't really want the entrypoint to be able to run anything as root, to be honest, so I could also give up on the idea of auto-migrations on startup, and maintain this as a manual-only, root-only task the admin needs to perform after upgrading.
The second question is consequently: is it relevant to run rake db:migrate / rake redmine:plugins:migrate / rake tmp:cache:clear with each startup? Or is it considered bad practice?
Mount-bind the db/ folder
As of now, the db/ folder is pretty much empty. Calling rake migrations populates it with various .rb files which, I guess, are used to update the database. I am still quite the beginner regarding Rails, Rake and overall the Ruby ecosystem, so the third and last question arises:
Should I keep the content of db/ persistent over container's reboots?
I can easily add a bind-mount to this folder so the content is persisted, and I guess future rake calls will update it without problems. Is doing this useful? I imagine keeping previous migration files can slightly improve startup time by somehow preventing the next migration to re-create everything from scratch (especially if I'm running migrations from the container's entrypoint), but I am not sure of how these migrations are computed. If rake has to reprocess everything each time, sparing only the disk-writing time, adding a bind-mount to this folder might not be very useful.
Let me know if any other bit of context is required to make myself clear