From 4a15ca7a4a09a652ec14a8d5ade88a54299cc7c3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20=C5=BBebrak?=
Date: Tue, 26 Aug 2025 14:45:35 +0200
Subject: [PATCH 1/4] Bump common-ci-configuration to get changes in python_runtime image

---
 .gitlab-ci.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index cf477cfb16..80738bd652 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -46,8 +46,8 @@ variables:
 # uses registry.gitlab.syncad.com/hive/common-ci-configuration/python_development:3.12-u24.04
 CLIVE_TESTNET_BASE_IMAGE_TAG: "@sha256:e4797f961fd6c6a843d100b1838422f3b674430af408664286c1b6a6b23baafa"
 CLIVE_TESTNET_BASE_IMAGE: "registry.gitlab.syncad.com/hive/common-ci-configuration/python_development${CLIVE_TESTNET_BASE_IMAGE_TAG}"
- # uses registry.gitlab.syncad.com/hive/common-ci-configuration/python_runtime:3.12-u24.04
- CLIVE_BASE_IMAGE_TAG: "@sha256:e751423e7019033d0b70fd0cbd15d05a11fbc5a4756c7e547df63f7029c0f2aa"
+ # uses registry.gitlab.syncad.com/hive/common-ci-configuration/python_runtime:3.12-u24.04-1
+ CLIVE_BASE_IMAGE_TAG: "@sha256:28f515d0cda87b9372b48f70b9d48468bc074ad9b54940827f2eebf49fd8521f"
 CLIVE_BASE_IMAGE: "registry.gitlab.syncad.com/hive/common-ci-configuration/python_runtime${CLIVE_BASE_IMAGE_TAG}"
 # other:
 AFTER_SCRIPT_IGNORE_ERRORS: 'false' # without this errors in after_script will be ignored and just "WARNING: after_script failed, but job will continue unaffected: exit code 1" will be shown
-- 
GitLab

From da23436aa413dba3ce523756888611a6859a9b59 Mon Sep 17 00:00:00 2001
From: Marcin Sobczyk
Date: Thu, 21 Aug 2025 14:41:08 +0000
Subject: [PATCH 2/4] Add access to group `users` for /clive and ${PYTHON_VENV_PATH}

---
 docker/Dockerfile | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 7322f77057..e4304a5f92 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -24,7 +24,11 @@ ENV PATH="${PYTHON_VENV_PATH}/bin:$PATH" VIRTUAL_ENV=${PYTHON_VENV_PATH}
 RUN --mount=type=cache,mode=0777,sharing=locked,target=${APT_CACHE_DIR} \
 useradd -o -d /clive -ms /bin/bash -u ${CLIVE_UID} -g users -c "clive application account" "clive" && \
- mkdir -p /clive && chown -R clive /clive && mkdir -vp "${PYTHON_VENV_PATH}" && chown -R clive "${PYTHON_VENV_PATH}" && \
+ mkdir -p /clive && mkdir -vp "${PYTHON_VENV_PATH}" && \
+ chown -R clive:users /clive && \
+ chmod -R g+ws /clive && \
+ chown -R clive:users "${PYTHON_VENV_PATH}" && \
+ chmod -R g+ws "${PYTHON_VENV_PATH}" && \
 chown -R clive:users /var/cache/ && \
 chmod -R 777 /var/cache/
@@ -62,7 +66,11 @@ ENV PATH="${PYTHON_VENV_PATH}/bin:$PATH" VIRTUAL_ENV=${PYTHON_VENV_PATH}
 RUN --mount=type=cache,mode=0777,sharing=locked,target=${APT_CACHE_DIR} \
 useradd -o -d /clive -ms /bin/bash -u ${CLIVE_UID} -g users -c "clive application account" "clive" && \
- mkdir -p /clive && chown -R clive /clive && mkdir -vp "${PYTHON_VENV_PATH}" && chown -R clive "${PYTHON_VENV_PATH}" && \
+ mkdir -p /clive && mkdir -vp "${PYTHON_VENV_PATH}" && \
+ chown -R clive:users /clive && \
+ chmod -R g+ws /clive && \
+ chown -R clive:users "${PYTHON_VENV_PATH}" && \
+ chmod -R g+ws "${PYTHON_VENV_PATH}" && \
 chown -R clive:users /var/cache/ && \
 chmod -R 777 /var/cache/
-- 
GitLab

From 303da54b4440cdeabf6d642acf930a5d1b3ed4a2 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20=C5=BBebrak?=
Date: Wed, 27 Aug 2025 07:26:08 +0200
Subject: [PATCH 3/4] Add write permissions for group in /python_venv after installation

Because there is no permission inheritance, newly created directories wouldn't have rights to write for a group. This would cause a situation where __pycache__ couldn't be recreated by clive user.

---
 docker/Dockerfile | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index e4304a5f92..28db987a9e 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
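Review bot: The new `chown -R clive:users` / `chmod -R g+ws` pairs make every file under /clive and under ${PYTHON_VENV_PATH} writable by the whole `users` group rather than by clive alone, so any other account in that group can modify the Python code clive executes and the files `useradd -m` placed in its home directory. Nothing in the series says who besides clive needs that access; a dedicated group instead of the generic `users` group, and a grant limited to directories (`find "${PYTHON_VENV_PATH}" -type d -exec chmod g+w {} +`), would keep the package files themselves read-only while still letting clive create `__pycache__`. The same block is duplicated in the `@@ -62,7 +66,11 @@` hunk of this patch, so both copies need the same treatment.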
@@ -93,7 +93,10 @@ RUN --mount=type=cache,mode=0777,uid=${CLIVE_UID},target=${PIP_CACHE_DIR} \
 --extra-index-url https://gitlab.syncad.com/api/v4/projects/393/packages/pypi/simple \
 --extra-index-url https://gitlab.syncad.com/api/v4/projects/419/packages/pypi/simple \
 --extra-index-url https://gitlab.syncad.com/api/v4/projects/434/packages/pypi/simple && \
- find "${PYTHON_VENV_PATH}" -name __pycache__ -exec rm -rf {} +
+ # Remove the cache so it is not included in the image to save space, but grant group write access so the clive user can generate it itself.
+ find "${PYTHON_VENV_PATH}" -name __pycache__ -exec rm -rf {} + && \
+ chmod -R g+ws "${PYTHON_VENV_PATH}"
+
 FROM preconfigured_base_image AS instance
-- 
GitLab

From c3cecc715538c82d666c0ce0e77b2b3d7d3a92ca Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mateusz=20=C5=BBebrak?=
Date: Wed, 27 Aug 2025 09:06:07 +0200
Subject: [PATCH 4/4] Dont set unrequired GUID bit

---
 docker/Dockerfile | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/docker/Dockerfile b/docker/Dockerfile
index 28db987a9e..f1875e941d 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -26,9 +26,9 @@ RUN --mount=type=cache,mode=0777,sharing=locked,target=${APT_CACHE_DIR} \
 useradd -o -d /clive -ms /bin/bash -u ${CLIVE_UID} -g users -c "clive application account" "clive" && \
 mkdir -p /clive && mkdir -vp "${PYTHON_VENV_PATH}" && \
 chown -R clive:users /clive && \
- chmod -R g+ws /clive && \
+ chmod -R g+w /clive && \
 chown -R clive:users "${PYTHON_VENV_PATH}" && \
- chmod -R g+ws "${PYTHON_VENV_PATH}" && \
+ chmod -R g+w "${PYTHON_VENV_PATH}" && \
 chown -R clive:users /var/cache/ && \
 chmod -R 777 /var/cache/
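Review bot: The post-install `chmod -R g+ws "${PYTHON_VENV_PATH}"` re-opens the whole freshly installed package tree for group writing right after the cache has been deleted, although the comment above it only needs clive to be able to create `__pycache__` directories. If the import-time cost is acceptable, `ENV PYTHONDONTWRITEBYTECODE=1` would remove the need for any write access and keep the venv read-only for the runtime user; otherwise a grant limited to directories, `find "${PYTHON_VENV_PATH}" -type d -exec chmod g+w {} +`, is the narrower form, and the same applies to the `@@ -95,7 +95,7 @@` hunk of the fourth patch, which keeps the `-R` form. The RUN this lands in starts before the hunk.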
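Review bot: With the setgid bit gone, `chmod -R g+w /clive` and the matching venv line are now plain group-write grants, but nothing in the Dockerfile records why group `users` needs write access to clive's home directory (the venv case is explained by the comment added in the third patch). A short comment above `chown -R clive:users /clive && \`, for instance `# /clive is shared with group "users" so that <who needs it, e.g. a container started with --user <uid>:users> can write into it`, would let a later reviewer judge whether the grant is still required; the identical block at `@@ -68,9 +68,9 @@` should carry the same comment. Dropping `s` is consistent with clive already having `users` as its primary group (`-g users` on the useradd line), so files it creates keep that group without the bit.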
@@ -68,9 +68,9 @@ RUN --mount=type=cache,mode=0777,sharing=locked,target=${APT_CACHE_DIR} \
 useradd -o -d /clive -ms /bin/bash -u ${CLIVE_UID} -g users -c "clive application account" "clive" && \
 mkdir -p /clive && mkdir -vp "${PYTHON_VENV_PATH}" && \
 chown -R clive:users /clive && \
- chmod -R g+ws /clive && \
+ chmod -R g+w /clive && \
 chown -R clive:users "${PYTHON_VENV_PATH}" && \
- chmod -R g+ws "${PYTHON_VENV_PATH}" && \
+ chmod -R g+w "${PYTHON_VENV_PATH}" && \
 chown -R clive:users /var/cache/ && \
 chmod -R 777 /var/cache/
@@ -95,7 +95,7 @@ RUN --mount=type=cache,mode=0777,uid=${CLIVE_UID},target=${PIP_CACHE_DIR} \
 --extra-index-url https://gitlab.syncad.com/api/v4/projects/434/packages/pypi/simple && \
 # Remove the cache so it is not included in the image to save space, but grant group write access so the clive user can generate it itself.
 find "${PYTHON_VENV_PATH}" -name __pycache__ -exec rm -rf {} + && \
- chmod -R g+ws "${PYTHON_VENV_PATH}"
+ chmod -R g+w "${PYTHON_VENV_PATH}"
 FROM preconfigured_base_image AS instance
-- 
GitLab