Grant Write Permission for HZ_HOME [DEX-457]

[emreyigit]

The docker image fails to write diagnostics logs on default config. The default directory for logging output is HZ_HOME but it's missing the write permission. Apparently, the issue was there but it's catch during DEX-320 verifications.

Unfortunately, I couldn't find a way to put proper testing on Docker containers.

[JackPGreen]

Unfortunately, I couldn't find a put proper testing on Docker containers.

I would really like a test to cover this change - maybe on the hazelcast side?

[emreyigit]

Sure, @cheels is already started to test.

[nishaatr]

Not sure worth adding a test or enable logging or something so this gets tested during simple-smoke-test.sh

Surprised this wasn't fixed much earlier. I mean how did it work before!

[cheels]

'w' is not enough to allow files to be written into /opt/hazelcast directory
You have to add chmod -R a+rwX

[emreyigit]

fixed.

[JackPGreen]

Sure, @cheels is already started to test.

Thanks - I'll hold off approving until that if that's ok?

I think the change is fine but I wouldn't have spotted #1009 (comment) so good to be confident.

[emreyigit]

Another option we might override the user.dir property over ENV variables for container usage only and limit the permission for that folder.
We can't since it will change for whole system.

[ldziedziul]

This increases the risk of accidental or malicious changes to binaries, configs, or scripts, potentially compromising security and stability. Limiting permissions to read helps protect the integrity of the Hazelcast instance.

Why not use a custom hazelcast.diagnostics.directory?

I've tested it with:

docker run --rm -it -e HZ_LICENSEKEY -e HZ_INSTANCETRACKING_FILENAME=/dev/null -e JAVA_OPTS="-Dhazelcast.diagnostics.enabled=true -Dhazelcast.diagnostics.directory=/tmp" hazelcast/hazelcast-enterprise:latest-snapshot

[emreyigit]

@ldziedziul diagnostics has already a default path config but it points to user.dir which is the opt/hazelcast in docker. We can't change the default path since it's a breaking change. That's why we have updated docker file.

[ldziedziul]

@ldziedziul diagnostics has already a default path config but it points to user.dir which is the opt/hazelcast in docker. We can't change the default path since it's a breaking change. That's why we have updated docker file.

However, we can change the path specifically within the Docker images. Currently, diagnostics doesn't work in Docker at all, so it’s hardly a breaking change.

Side note: IMHO, compromising security and stability just to avoid a "breaking change" is a very questionable decision.

[devOpsHazelcast]

PR closed by Hazelcast automation as no activity (>3 months). Please reopen with comments, if necessary. Thank you for using Hazelcast and your valuable contributions