- # TASK_WORK is a plain docker data volume: it starts out empty,
- # is writable, and persists until no containers use it any
- # more. We don't use --volumes-from to share it with other
- # containers: it is only accessible to this task, and it goes
- # away when this task stops.
- $command .= "--volume=\Q$ENV{TASK_WORK}\E ";
-
- # JOB_WORK is also a plain docker data volume for now. TODO:
- # Share a single JOB_WORK volume across all task containers on a
- # given worker node, and delete it when the job ends (and, in
- # case that doesn't work, when the next job starts).
- $command .= "--volume=\Q$ENV{JOB_WORK}\E ";
+ # TASK_WORK is almost exactly like a docker data volume: it
+ # starts out empty, is writable, and persists until no
+ # containers use it any more. We don't use --volumes-from to
+ # share it with other containers: it is only accessible to this
+ # task, and it goes away when this task stops.
+ #
+ # However, a docker data volume is writable only by root unless
+ # the mount point already happens to exist in the container with
+ # different permissions. Therefore, we [1] assume /tmp already
+ # exists in the image and is writable by the crunch user; [2]
+ # avoid putting TASK_WORK inside CRUNCH_TMP (which won't be
+ # writable if they are created by docker while setting up the
+ # other --volumes); and [3] create $TASK_WORK inside the
+ # container using $build_script.
+ $command .= "--volume=/tmp ";
+ $ENV{"TASK_WORK"} = "/tmp/crunch-job-task-work/$childslotname";
+ $ENV{"HOME"} = $ENV{"TASK_WORK"};
+ $ENV{"TASK_TMPDIR"} = $ENV{"TASK_WORK"}; # deprecated
+
+ # TODO: Share a single JOB_WORK volume across all task
+ # containers on a given worker node, and delete it when the job
+ # ends (and, in case that doesn't work, when the next job
+ # starts).
+ #
+ # For now, use the same approach as TASK_WORK above.
+ $ENV{"JOB_WORK"} = "/tmp/crunch-job-work";