Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Launch cockpit-session via socket activation on /run/cockpit/session #16808

Draft
wants to merge 3 commits into
base: main
Choose a base branch
from
Draft

Launch cockpit-session via socket activation on /run/cockpit/session #16808

wants to merge 3 commits into from

Conversation

allisonkarlitskaya
Copy link
Member

@allisonkarlitskaya allisonkarlitskaya commented Jan 10, 2022
edited by martinpitt

This is a precondition for our goal of removing the static cockpit users.

A nice side effect of this is that we can now connect to unix sockets from cockpitauth, which is useful for https://github.com/allisonkarlitskaya/cockpit-cloud

@allisonkarlitskaya
Copy link
Member Author

One thing that needs discussion: login failures are currently handled with a non-zero return code from cockpit-session which systemd logs as a failure of the unit. We probably want to change that...

@allisonkarlitskaya allisonkarlitskaya temporarily deployed to cockpit-dist January 10, 2022 18:12 Inactive
@allisonkarlitskaya allisonkarlitskaya mentioned this pull request Jan 11, 2022
Draft
1 task
@allisonkarlitskaya allisonkarlitskaya temporarily deployed to cockpit-dist January 11, 2022 08:03 Inactive
@allisonkarlitskaya allisonkarlitskaya mentioned this pull request Jan 11, 2022
Merged
@martinpitt martinpitt removed their request for review February 2, 2022 06:41
@martinpitt martinpitt removed the blocked label Feb 2, 2022
@martinpitt martinpitt marked this pull request as draft February 2, 2022 06:41
@martinpitt
Copy link
Member

@allisonkarlitskaya Sorry, this slipped off my review radar. It should be unblocked now (the depending PR landed), but now it's conflict-y and needs to be rebased first. It also breaks tons of tests.

Moving to draft to clear the review list, please re-request my review once ready. Thanks!

@allisonkarlitskaya allisonkarlitskaya temporarily deployed to cockpit-dist February 10, 2022 14:40 Inactive
@allisonkarlitskaya allisonkarlitskaya temporarily deployed to cockpit-dist February 10, 2022 15:11 Inactive
@martinpitt martinpitt mentioned this pull request Jan 4, 2023
Closed
1 task
@martinpitt
Copy link
Member

The depending PR landed, moving to needs-rebase

@packit-as-a-service
Copy link

Failed to load packit config file:

Cannot parse package config: ValidationError({'jobs': {0: {'cockpit': ["'specfile_path' is not specified or no specfile was found in the repo"]}, 1: {'cockpit': ["'specfile_path' is not specified or no specfile was found in the repo"]}}}).

For more info, please check out the documentation or contact the Packit team.

@martinpitt martinpitt temporarily deployed to cockpit-dist January 4, 2023 18:07 — with GitHub Actions Inactive
@martinpitt
Copy link
Member

Added another commit to move the unit to cockpit-ws, so that we end up in the state as it was originally here. It also works in cockpit-tests, but let's not forget about it.

Note: This is just for fun, I'd like to get some results and a feeling how much work this is to get to "good".

@martinpitt martinpitt temporarily deployed to cockpit-dist January 4, 2023 18:17 — with GitHub Actions Inactive
@martinpitt
Copy link
Member

Hmm, this is causing our bots to crash left and right. I'm going to force-push with no-test to get them out of their misery, and investigate tomorrow.

@martinpitt martinpitt added the no-test For doc/workflow changes, or experiments which don't need a full CI run, label Jan 4, 2023
@martinpitt martinpitt temporarily deployed to cockpit-dist January 4, 2023 21:33 — with GitHub Actions Inactive
@allisonkarlitskaya
Copy link
Member Author

So one big thing that's missing here, and is going to be non-trivial to implement is a replacement for the cgroup checking in the PAM module for client certificate authentication.

The cgroup that cockpit-session gets spawned into is no longer the same cgroup as cockpit-ws was in...

We could take advantage of the fact that this is a socket and ask who we're speaking to, but something like SO_PEERCGROUP unfortunately doesn't exist: https://lwn.net/Articles/590928/

We could query the PID and look up their cgroup, but this is subject to the usual races... which are not insurmountable, but requires some pretty careful programming in order to get right.

@allisonkarlitskaya
Copy link
Member Author

We could query the PID and look up their cgroup, but this is subject to the usual races... which are not insurmountable, but requires some pretty careful programming in order to get right.

Apparent state of the art: https://gitlab.freedesktop.org/polkit/polkit/-/blob/master/src/polkit/polkitunixprocess.c#L681

Yikes.

Too bad there's no way to get a pidfd, at least...

@martinpitt
Copy link
Member

Yesterday's crashes were "HTTP Error 403: Forbidden" when writing to Linode/S3. Trying a single test here to check again.

@martinpitt
Copy link
Member

I added the most obvious missing things to the description as todo list.

@martinpitt martinpitt mentioned this pull request Apr 24, 2024
Closed
4 tasks
martinpitt and others added 3 commits May 10, 2024 10:17
@martinpitt
tools: Move cockpit-session.socket to cockpit-ws package
cd58864
@allisonkarlitskaya @martinpitt
ws: connect to cockpit-session via socket
b1c06aa 
Unless it's otherwise specified in the configuration file, we now spawn
cockpit-session by connecting to /run/cockpit/session.

We leave the cockpit_ws_session_program variable in place to allow the
tests to override things.

Update the unit files for cockpit-ws to ensure that the socket is
available when cockpit-ws is running.
@allisonkarlitskaya @martinpitt
cockpit-session: stop installing setuid root
4295103 
systemd spawns this for us now, so we don't need the setuid bit anymore.
@martinpitt
Copy link
Member

We could query the PID and look up their cgroup, but this is subject to the usual races... which are not insurmountable, but requires some pretty careful programming in order to get right.

Apparent state of the art: https://gitlab.freedesktop.org/polkit/polkit/-/blob/master/src/polkit/polkitunixprocess.c#L681

Yikes.

Too bad there's no way to get a pidfd, at least...

Since then, pidfs actually happened in polkit: https://gitlab.freedesktop.org/polkit/polkit/-/commit/7f0d792323cdca70b3d581cc9ed54df3d844a637 So that may be worth another look.

For the fun of it I rebased this and will trigger a round of f40 tests.

@martinpitt
Copy link
Member

Going through the failures confirms the current laundry list -- the big items are cert auth and passing COCKPIT_REMOTE_PEER.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
no-test For doc/workflow changes, or experiments which don't need a full CI run,
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@allisonkarlitskaya @martinpitt @KKoukiou