-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Launch cockpit-session via socket activation on /run/cockpit/session #16808
base: main
Are you sure you want to change the base?
Launch cockpit-session via socket activation on /run/cockpit/session #16808
Conversation
One thing that needs discussion: login failures are currently handled with a non-zero return code from |
aaefe97
to
7ebf9e6
Compare
@allisonkarlitskaya Sorry, this slipped off my review radar. It should be unblocked now (the depending PR landed), but now it's conflict-y and needs to be rebased first. It also breaks tons of tests. Moving to draft to clear the review list, please re-request my review once ready. Thanks! |
7ebf9e6
to
1330a6a
Compare
1330a6a
to
ca43353
Compare
The depending PR landed, moving to needs-rebase |
Failed to load packit config file:
For more info, please check out the documentation or contact the Packit team. |
ca43353
to
9ed95a5
Compare
9ed95a5
to
6778062
Compare
6778062
to
f1e5a6a
Compare
Added another commit to move the unit to cockpit-ws, so that we end up in the state as it was originally here. It also works in cockpit-tests, but let's not forget about it. Note: This is just for fun, I'd like to get some results and a feeling how much work this is to get to "good". |
Hmm, this is causing our bots to crash left and right. I'm going to force-push with |
f1e5a6a
to
6d81f17
Compare
So one big thing that's missing here, and is going to be non-trivial to implement is a replacement for the cgroup checking in the PAM module for client certificate authentication. The cgroup that cockpit-session gets spawned into is no longer the same cgroup as cockpit-ws was in... We could take advantage of the fact that this is a socket and ask who we're speaking to, but something like We could query the PID and look up their cgroup, but this is subject to the usual races... which are not insurmountable, but requires some pretty careful programming in order to get right. |
Apparent state of the art: https://gitlab.freedesktop.org/polkit/polkit/-/blob/master/src/polkit/polkitunixprocess.c#L681 Yikes. Too bad there's no way to get a pidfd, at least... |
Yesterday's crashes were "HTTP Error 403: Forbidden" when writing to Linode/S3. Trying a single test here to check again. |
I added the most obvious missing things to the description as todo list. |
Unless it's otherwise specified in the configuration file, we now spawn cockpit-session by connecting to /run/cockpit/session. We leave the cockpit_ws_session_program variable in place to allow the tests to override things. Update the unit files for cockpit-ws to ensure that the socket is available when cockpit-ws is running.
systemd spawns this for us now, so we don't need the setuid bit anymore.
6d81f17
to
4295103
Compare
Since then, pidfs actually happened in polkit: https://gitlab.freedesktop.org/polkit/polkit/-/commit/7f0d792323cdca70b3d581cc9ed54df3d844a637 So that may be worth another look. For the fun of it I rebased this and will trigger a round of f40 tests. |
Going through the failures confirms the current laundry list -- the big items are cert auth and passing COCKPIT_REMOTE_PEER. |
This is a precondition for our goal of removing the static cockpit users.
A nice side effect of this is that we can now connect to unix sockets from cockpitauth, which is useful for https://github.com/allisonkarlitskaya/cockpit-cloud
pass memfd with login information from ws to sessionnot required. That information comes from cockpit-session to cockpit-bridge, which is unaffected by this change.$COCKPIT_REMOTE_PEER
from ws to sessionTestLogin.testSELinuxRestrictedUser
cockpit-session@<id>.service
fails with error 5 initially