Rebuild Container based on a new state flag

+++ b/core/lib/Drupal/Core/DrupalKernel.phpundefined
@@ -288,20 +289,33 @@ protected function initializeContainer() {
+        // Rebuild if container is dirty. Used by CLI scripts such as Drush.
+        $dirty = $this->container->get('state')->get('container.rebuild');
+        if ($dirty && $this->allowDumping) {
+          $this->container->get('state')->set('container.rebuild', FALSE);

I am not sure that the allowDumping is not only a flag that is set.

I would directly check the filesystem service like done in dumpContainer if things are writable. (as pasted in IRC - can't find the log atm.)

Does this mean one extra SQL query per page or did I misread the issue?

State API might be useful but for a so low level stuff it seems dangerous (framework not fully bootstrapped, how am I sure the k/v store is fully init yet?) and overkill.(once again one more SQL query, and there's already a lot of gratuitous k/v access during normal runtime).

No, sadly I can't, I just wanted to point out that out. Using a service for rebuilding the service container seemed a bit wonky to me.

Running command line tools under a different user then the web server is asking for trouble sooner rather then later.

I don't see how this is different then any other permission issues you are going to bump into in that case. It feels like we are trying to workaround a server/environment configuration issue here.

I fully agree with #6, it's not really Drupal's code's cross to bear.

I always thought we will cache some of state... maybe.

@#9 This would be a great thing to do indeed.

It would be an even better thing if you'd all review my patch #1786490: Add caching to the state system :)

The original issue:

Drush cc all and other non-web tools can't clear MTimeProtected directories because of file perms.

Is no longer an issue with using the cache subsystem for the container.

On top of that, I thought its always recommended to run drush with the webserver user.