forked from bird-house/birdhouse-deploy
Merge pull request bird-house#248 from bird-house/avoid-running-cronjobs-as-root

deploy-data: new env var DEPLOY_DATA_RSYNC_USER_GRP to avoid running cronjobs as root

When `deploy-data` is used by the `scheduler` component, it is run as `root`. This new env var will force the rsync process to run as a regular user, to follow security best practice and avoid running as root when not needed.

Note that the `git checkout` step done by `deploy-data` is still run as root. This is because `deploy-data` is currently still run as root so it can execute `docker` commands (ex: spawning the `rsync` command above in its own docker container). To fix this limitation, the regular user inside the `deploy-data` container needs to have docker access inside the container and outside on the host at the same time. If we make that regular user configurable so the script `deploy-data` is generic and can work for any organisations, this is tricky for the moment so it will have to be handled in another PR.

So for the moment we have not achieved a full non-root user in cronjobs launched by the `scheduler` component, but the most important part, the part that performs the actual job (rsync or executing a custom command using an external docker container), is running as non-root.

See PR bird-house/birdhouse-deploy-ouranos#18 that makes use of this new env var.

When `deploy-data` is invoking an external script that itself spawns a new `docker run`, then it is up to this external script to ensure the proper non-root user is used by `docker run`. See PR Ouranosinc/pavics-vdb#50 that handles that case.
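The mechanism the commit describes, as an added illustration that is not the birdhouse-deploy code: a `deploy-data`-style wrapper reads `DEPLOY_DATA_RSYNC_USER_GRP` and hands it to `docker run --user`, so the rsync process in the container runs as that uid:gid rather than root, while the wrapper itself (still root, as the commit notes) keeps its docker access. The wrapper function, the validation and the image name placeholder are assumptions; only the variable name comes from the commit.

```shell
#!/bin/sh
# Added example, not the project's own deploy-data script.
# RSYNC_IMAGE is a placeholder: substitute whatever rsync image the deployment uses.
RSYNC_IMAGE="${RSYNC_IMAGE:-rsync-image-placeholder}"

# Accept only a numeric "uid:gid" so a typo cannot silently leave the
# container process running as root or map to an unexpected account.
valid_user_grp() {
    printf '%s' "$1" | grep -Eq '^[0-9]+:[0-9]+$'
}

# Print, one argument per line, the docker run command the wrapper would
# execute for "$1" (source dir on the host) -> "$2" (destination dir on the host).
# Printing instead of executing keeps the example runnable without docker.
build_rsync_cmd() {
    src="$1"; dst="$2"
    printf '%s\n' docker run --rm
    if [ -n "$DEPLOY_DATA_RSYNC_USER_GRP" ]; then
        if ! valid_user_grp "$DEPLOY_DATA_RSYNC_USER_GRP"; then
            echo "DEPLOY_DATA_RSYNC_USER_GRP must be numeric uid:gid, got '$DEPLOY_DATA_RSYNC_USER_GRP'" >&2
            return 1
        fi
        # Drop root inside the container: rsync runs as uid:gid and the files
        # it writes under /dst are owned by that account on the host.
        printf '%s\n' --user "$DEPLOY_DATA_RSYNC_USER_GRP"
    fi
    # Source mounted read-only so the sync job cannot modify what it copies from.
    printf '%s\n' -v "$src:/src:ro" -v "$dst:/dst" "$RSYNC_IMAGE" \
        rsync -a --delete /src/ /dst/
}
```

When the variable is unset the command is emitted without `--user`, which reproduces the pre-commit behaviour (rsync as root) and is the case a deployment review should look for.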
Showing 4 changed files with 51 additions and 6 deletions.