[bug] when started as a nonroot user, Pebble doesn't run services with the user's own UID #166
Comments
|
Yeah, I've noticed this too: if you set uid/user-id/gid/group-id, Pebble must be running as root. Is this an issue in practice, though? If Pebble is running as "ben" and you wanted to run the service as "ben", you could just leave out the user/group fields, right? Can you give a bit more of a use case for needing this? |
|
While it can be worked around and it does feel like a non-blocker, it is just a matter of coherence. Despite being a corner case, one can imagine a scenario where the Pebble layer has been written to be executed by a specific user, and only that user. In the context of ROCKs, the explicit user attributes in the Pebble service will hint towards the definition of the default OCI user when building the ROCK and derivative images. |
This goes for services, exec, and health checks of type "exec". This also fixes a long-standing bug in the user/group parameters for "exec" health checks not working at all. This was due to not setting cmd.SysProcAttr, so the "cmd.SysProcAttr.Credential =" line would panic with a nil pointer error. Also a drive-by fix to the README to update to the new terminology. See also canonical/operator#950 Fixes canonical#166
When user and group (or user ID and group ID) options are given when running services and they're equal to the current user and group, avoid setting os/exec's syscall.Credential Uid and Gid, because they require root. In the case when they're explicitly asking to run the command as the current user, we can just run it directly, without requiring root. This goes for services, exec (one-shot commands), and health checks of type "exec". This PR also fixes a long-standing bug in the user/group options for "exec" health checks not working at all. This was due to not setting cmd.SysProcAttr, so the cmd.SysProcAttr.Credential = ... line would panic with a nil pointer error. Also a drive-by fix to the README to update to the new terminology. See also canonical/operator#950. Fixes #166.
Let's assume the nonroot user:group "ubuntu:ubuntu" with UID:GID "1000:1000".
SOTA
At the moment, it is possible to run Pebble as a nonroot user. So, given the following layer:
pebble runwould work just fine:# ps -u ubuntu PID TTY TIME CMD 75 pts/1 00:00:00 bash 102 pts/1 00:00:00 pebble 149 pts/1 00:00:00 python3 (...)Problem
However, if a user*/group* attribute is specified in the layer, then we would expect:
useris not "me" (i.e. the user running Pebble), then failuseris "me", then continueE.g.:
and the
pebble run, will not start thesvc1. And we I try to force start it, I get:Conclusion
I believe this is being caused by https://github.com/canonical/pebble/blob/master/internal/overlord/servstate/handlers.go#L342, where Pebble is trying to set the Credentials attribute for the
cmd, wheneveruidandgidare defined (no matter what they are). I'd expect instead, that if the give UID and GID match the Pebble user, then the SysProcAttr->Credential can be ignored.The text was updated successfully, but these errors were encountered: