Fixed DO group permissions to allow for writing the connection string #61
packages/debian/postinst
Outdated
# Restart deliveryoptimization-agent service to ensure that the new 'do' user's permissions take effect. | ||
echo "Restart $ms_doclient_lite_service" | ||
systemctl restart "$ms_doclient_lite_service" | ||
fi |
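Review bot: The restart here covers only `$ms_doclient_lite_service`, and its comment speaks only of the 'do' user's permissions. Supplementary groups are read when a process starts, so the 'adu' membership in the 'do' group that this PR adds applies to the adu agent only after that process is restarted as well. These lines do not show that happening, so either restart the adu service in the same place or note in the comment where it is restarted.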
Can you combine the 2 blocks and restart do-agent only once please?
(Or, just set a boolean, and only restart do-agent if needed) #Pending
🕐
packages/debian/postinst
Outdated
# Restart deliveryoptimization-agent service to ensure that the new 'do' user's permissions take effect. | ||
echo "Restart $ms_doclient_lite_service" | ||
systemctl restart "$ms_doclient_lite_service" | ||
fi |
What happens if someone builds a client that doesn't use DO? Do they not use / modify this postinst file? Is this documented?
Can we call another script from postinst and move DO-related stuff there? #Pending
We're tying DO configuration into this postinst file, which might be okay if this is all just for our reference package.
Our postinst script is expressly for our Debian package, which already lists DO as a dependency. You cannot install our package produced by our scripts without the DO dependency.
If we moved to the model you're suggesting, we would have to remove that DO dependency, which I don't think makes sense.
To me it is fine that we keep it here as long as we are building our package-based agent to run as such. If we want to make our package downloader configurable, I think we would have to change a large amount of the setup.
In fact, the way these are written, if DO wasn't installed it would still pass; we just wouldn't set up the relationships posted here.
I'm not thrilled with this whole comment:
# Note: DO user and group are created by deliveryoptimization-agent Debian package,
# which is one of the dependencies declared in adu-agent control file.
# We are assuming that both DO user and group currently exist at this point.
seems hacky to me. Not blocking, but consider tracking for future
🕐
@@ -143,9 +143,11 @@ case "$1" in | |||
# which is one of the dependencies declared in adu-agent control file. | |||
# We are assuming that both DO user and group currently exist at this point. | |||
# Add 'do' user to 'adu' group to allow DO to write to ADU download sandbox. | |||
echo "Add the 'do' user to the 'adu' group." | |||
echo "Add the 'do' user to the 'adu' group and 'adu' to the 'do' group" | |||
if getent passwd 'do' > /dev/null; then | |||
usermod -aG 'adu' 'do' |
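Review bot: The updated `echo` sits above the `getent passwd 'do'` guard, so the log reports both group changes even when the guard is false and nothing is modified. Move the message inside the `if`, or log an explicit skip in an else branch, so the install log reflects what was actually done.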
if getent passwd 'do' > /dev/null; then | ||
usermod -aG 'adu' 'do' | ||
# Note: We must add the 'adu' user to the 'do' group so that we can set the connection_string for DO | ||
usermod -aG 'do' 'adu' |
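Review bot: The guard around `usermod -aG 'do' 'adu'` is `getent passwd 'do'`, which only shows that the 'do' user exists, while the new call depends on the 'do' group and the 'adu' user. Check `getent group 'do'` (and the 'adu' account) before it so a missing group is skipped cleanly instead of failing inside usermod. The comment also states the goal is only to set connection_string, whereas full membership in 'do' gives 'adu' every group permission 'do' has; if a single file is all that is needed, group ownership or an ACL on that file would be narrower.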
approved with comments
Added the code in our postinst script to add adu to the do group so we have permissions to write the connection_string to DO in order to fix an issue with the Nested Edge scenario.