set install dir as read-only after installation

[boegel]

(old internal ticket 74)

After (correctly) installing a software package, we should make the installation directory read-only, to avoid accidentally overwriting (part) of the installation.

When doing a forced reinstallation (with or without skip), we should make sure to make it writeable again.

[akesandgren]

@boegel Isn't this fixed already? There is a read-only-installdir config option.

[boegel]

@akesandgren I think we should consider doing this by default, starting in EasyBuild 4.0 (easybuilders/easybuild#447).

Leaving the install dir as writable now leave us vulnerable in a couple of ways: other installations messing about in other installation prefixes (e.g. installing Python bindings in the Python installation, we've seen that before), accidentally removing installations, etc.

[akesandgren]

There is a drawback to doing it for python packages, it won't be able to create the .pyo/.pyc files unless explicitly told to during installation. Or have i got that wrong?

[boegel]

@akesandgren That's a good point, but the installation directory is only writable for the installation user, not for anyone. So if the installation user only installs, and other users use those installed Python packages, this would already be a problem (and I'm unaware of issues like that)?

[akesandgren]

Yeah, forgot that since i run lots of stuff and that creation actually gets activated on the installed tree...

[boegel]

We should consider making this change for the upcoming EasyBuild v4.0, at least make it a default that can be disabled?

[akesandgren]

Probably a good idea yes...

[boegel]

I'm not comfortable with enabling --read-only-installdir by default in EasyBuild v4.0, since it's unclear what the impact will be.

We should start setting --read-only-installdir in our test environment, and see which problems pop up, and fix them.

Hence, I'm tagging this for the next major EasyBuild release (5.0).

[Flamefire]

I have a thought for a negative impact: If you are not the owner of the file/folder, you cannot change the permissions AFAIK.

At our site we have a group which is responsible for installing/maintaining sw. Hence if one users installs something with --read-only-installdir then the other admins can't change that installation anymore.

[boegel]

@Flamefire So read-only could only be done for other, not for group/owner (so chmod -R wx-go essentially)?

[Flamefire]

Not sure what chmod -R wx-go does, is that 775 (rwxgrxorx)? But isn't that the default already (or should be)?
We should still have a --read-only-installdir option to really make it read-only to avoid

other installations messing about in other installation prefixes (e.g. installing Python bindings in the Python installation, we've seen that before), accidentally removing installations, etc.

It might still be worth to have the (full) read-only-installdir the default as e.g. you can still use root to change the file perms when required or ask the user doing the initial install. Currently we have an automated setup, so a dedicated user/bot does the install, hence reinstalls aren't an issue.