Optimize required unix file modes (#7781)

Author: sebastienros

playground/PostgresEndToEnd/PostgresEndToEnd.AppHost/PostgresEndToEnd.AppHost.csproj

@@ -6,6 +6,7 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <IsAspireHost>true</IsAspireHost>
+    <UserSecretsId>f8cd0caa-3990-4f6f-889f-3cf66ac52de9</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>

playground/mysql/MySqlDb.AppHost/MySqlDb.AppHost.csproj

@@ -6,6 +6,7 @@
     <ImplicitUsings>enable</ImplicitUsings>
     <Nullable>enable</Nullable>
     <IsAspireHost>true</IsAspireHost>
+    <UserSecretsId>7359b387-0386-4cd0-9f26-7b40bdb8348d</UserSecretsId>
   </PropertyGroup>
 
   <ItemGroup>

src/Aspire.Hosting.Azure.EventHubs/AzureEventHubsExtensions.cs

@@ -19,6 +19,8 @@ namespace Aspire.Hosting;
 /// </summary>
 public static class AzureEventHubsExtensions
 {
+    private const UnixFileMode FileMode644 = UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.GroupRead | UnixFileMode.OtherRead;
+
     /// <summary>
     /// Adds an Azure Event Hubs Namespace resource to the application model. This resource can be used to create Event Hub resources.
     /// </summary>
@@ -325,10 +327,7 @@ public static IResourceBuilder<AzureEventHubsResource> RunAsEmulator(this IResou
                 // The docker container runs as a non-root user, so we need to grant other user's read/write permission
                 if (!OperatingSystem.IsWindows())
                 {
-                    var mode = UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.UserExecute |
-                               UnixFileMode.OtherRead | UnixFileMode.OtherWrite | UnixFileMode.OtherExecute;
-
-                    File.SetUnixFileMode(configJsonPath, mode);
+                    File.SetUnixFileMode(configJsonPath, FileMode644);
                 }
 
                 builder.WithAnnotation(new ContainerMountAnnotation(
@@ -434,6 +433,7 @@ public static IResourceBuilder<AzureEventHubsEmulatorResource> WithConfiguration
 
     private static string WriteEmulatorConfigJson(AzureEventHubsResource emulatorResource)
     {
+        // This temporary file is not used by the container, it will be copied and then deleted
         var filePath = Path.GetTempFileName();
 
         using var stream = new FileStream(filePath, FileMode.Open, FileAccess.Write);

src/Aspire.Hosting.Azure.ServiceBus/AzureServiceBusExtensions.cs

@@ -20,6 +20,8 @@ namespace Aspire.Hosting;
 /// </summary>
 public static class AzureServiceBusExtensions
 {
+    private const UnixFileMode FileMode644 = UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.GroupRead | UnixFileMode.OtherRead;
+
     /// <summary>
     /// Adds an Azure Service Bus Namespace resource to the application model. This resource can be used to create queue, topic, and subscription resources.
     /// </summary>
@@ -426,10 +428,7 @@ public static IResourceBuilder<AzureServiceBusResource> RunAsEmulator(this IReso
                 // The docker container runs as a non-root user, so we need to grant other user's read/write permission
                 if (!OperatingSystem.IsWindows())
                 {
-                    var mode = UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.UserExecute |
-                               UnixFileMode.OtherRead | UnixFileMode.OtherWrite | UnixFileMode.OtherExecute;
-
-                    File.SetUnixFileMode(configJsonPath, mode);
+                    File.SetUnixFileMode(configJsonPath, FileMode644);
                 }
 
                 builder.WithAnnotation(new ContainerMountAnnotation(
@@ -559,6 +558,7 @@ public static IResourceBuilder<AzureServiceBusEmulatorResource> WithHostPort(thi
 
     private static string WriteEmulatorConfigJson(AzureServiceBusResource emulatorResource)
     {
+        // This temporary file is not used by the container, it will be copied and then deleted
         var filePath = Path.GetTempFileName();
 
         using var stream = new FileStream(filePath, FileMode.Open, FileAccess.Write);

src/Aspire.Hosting.MySql/MySqlBuilderExtensions.cs

@@ -14,6 +14,7 @@ namespace Aspire.Hosting;
 public static class MySqlBuilderExtensions
 {
     private const string PasswordEnvVarName = "MYSQL_ROOT_PASSWORD";
+    private const UnixFileMode FileMode644 = UnixFileMode.UserRead | UnixFileMode.UserWrite | UnixFileMode.GroupRead | UnixFileMode.OtherRead;
 
     /// <summary>
     /// Adds a MySQL server resource to the application model. For local development a container is used.
@@ -102,14 +103,11 @@ public static IResourceBuilder<T> WithPhpMyAdmin<T>(this IResourceBuilder<T> bui
 
         containerName ??= $"{builder.Resource.Name}-phpmyadmin";
 
-        var configurationTempFileName = Path.GetTempFileName();
-
         var phpMyAdminContainer = new PhpMyAdminContainerResource(containerName);
         var phpMyAdminContainerBuilder = builder.ApplicationBuilder.AddResource(phpMyAdminContainer)
                                                 .WithImage(MySqlContainerImageTags.PhpMyAdminImage, MySqlContainerImageTags.PhpMyAdminTag)
                                                 .WithImageRegistry(MySqlContainerImageTags.Registry)
                                                 .WithHttpEndpoint(targetPort: 80, name: "http")
-                                                .WithBindMount(configurationTempFileName, "/etc/phpmyadmin/config.user.inc.php")
                                                 .ExcludeFromManifest();
 
         builder.ApplicationBuilder.Eventing.Subscribe<AfterEndpointsAllocatedEvent>((e, ct) =>
@@ -140,32 +138,33 @@ public static IResourceBuilder<T> WithPhpMyAdmin<T>(this IResourceBuilder<T> bui
             }
             else
             {
-                using var stream = new FileStream(configurationTempFileName, FileMode.Create);
-                using var writer = new StreamWriter(stream);
+                var tempConfigFile = WritePhpMyAdminConfiguration(mySqlInstances);
 
-                writer.WriteLine("<?php");
-                writer.WriteLine();
-                writer.WriteLine("$i = 0;");
-                writer.WriteLine();
-                foreach (var mySqlInstance in mySqlInstances)
+                try
                 {
-                    if (mySqlInstance.PrimaryEndpoint.IsAllocated)
+                    var aspireStore = e.Services.GetRequiredService<IAspireStore>();
+
+                    // Deterministic file path for the configuration file based on its content
+                    var configStoreFilename = aspireStore.GetFileNameWithContent($"{builder.Resource.Name}-config.user.inc.php", tempConfigFile);
+
+                    // Need to grant read access to the config file on unix like systems.
+                    if (!OperatingSystem.IsWindows())
+                    {
+                        File.SetUnixFileMode(configStoreFilename, FileMode644);
+                    }
+
+                    phpMyAdminContainerBuilder.WithBindMount(configStoreFilename, "/etc/phpmyadmin/config.user.inc.php");
+                }
+                finally
+                {
+                    try
+                    {
+                        File.Delete(tempConfigFile);
+                    }
+                    catch
                     {
-                        var endpoint = mySqlInstance.PrimaryEndpoint;
-                        writer.WriteLine("$i++;");
-                        // PhpMyAdmin assumes MySql is being accessed over a default Aspire container network and hardcodes the resource address
-                        // This will need to be refactored once updated service discovery APIs are available
-                        writer.WriteLine($"$cfg['Servers'][$i]['host'] = '{endpoint.Resource.Name}:{endpoint.TargetPort}';");
-                        writer.WriteLine($"$cfg['Servers'][$i]['verbose'] = '{mySqlInstance.Name}';");
-                        writer.WriteLine($"$cfg['Servers'][$i]['auth_type'] = 'cookie';");
-                        writer.WriteLine($"$cfg['Servers'][$i]['user'] = 'root';");
-                        writer.WriteLine($"$cfg['Servers'][$i]['password'] = '{mySqlInstance.PasswordParameter.Value}';");
-                        writer.WriteLine($"$cfg['Servers'][$i]['AllowNoPassword'] = true;");
-                        writer.WriteLine();
                     }
                 }
-                writer.WriteLine("$cfg['DefaultServer'] = 1;");
-                writer.WriteLine("?>");
             }
 
             return Task.CompletedTask;
@@ -235,4 +234,38 @@ public static IResourceBuilder<MySqlServerResource> WithInitBindMount(this IReso
 
         return builder.WithBindMount(source, "/docker-entrypoint-initdb.d", isReadOnly);
     }
+
+    private static string WritePhpMyAdminConfiguration(IEnumerable<MySqlServerResource> mySqlInstances)
+    {
+        // This temporary file is not used by the container, it will be copied and then deleted
+        var filePath = Path.GetTempFileName();
+
+        using var writer = new StreamWriter(filePath);
+
+        writer.WriteLine("<?php");
+        writer.WriteLine();
+        writer.WriteLine("$i = 0;");
+        writer.WriteLine();
+        foreach (var mySqlInstance in mySqlInstances)
+        {
+            if (mySqlInstance.PrimaryEndpoint.IsAllocated)
+            {
+                var endpoint = mySqlInstance.PrimaryEndpoint;
+                writer.WriteLine("$i++;");
+                // PhpMyAdmin assumes MySql is being accessed over a default Aspire container network and hardcodes the resource address
+                // This will need to be refactored once updated service discovery APIs are available
+                writer.WriteLine($"$cfg['Servers'][$i]['host'] = '{endpoint.Resource.Name}:{endpoint.TargetPort}';");
+                writer.WriteLine($"$cfg['Servers'][$i]['verbose'] = '{mySqlInstance.Name}';");
+                writer.WriteLine($"$cfg['Servers'][$i]['auth_type'] = 'cookie';");
+                writer.WriteLine($"$cfg['Servers'][$i]['user'] = 'root';");
+                writer.WriteLine($"$cfg['Servers'][$i]['password'] = '{mySqlInstance.PasswordParameter.Value}';");
+                writer.WriteLine($"$cfg['Servers'][$i]['AllowNoPassword'] = true;");
+                writer.WriteLine();
+            }
+        }
+        writer.WriteLine("$cfg['DefaultServer'] = 1;");
+        writer.WriteLine("?>");
+
+        return filePath;
+    }
 }