Merge branch 'mahir/linux-permissions' into 'master'

[Onchain Observability] Separate user group for adapter See merge request dfinity-lab/public/ic!11709
dfinity · Apr 4, 2023 · ad9ebeb · ad9ebeb
2 parents d4a5433 + a6891a6
commit ad9ebeb
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 5 deletions.
diff --git a/ic-os/guestos/rootfs/Dockerfile b/ic-os/guestos/rootfs/Dockerfile
@@ -120,13 +120,22 @@ RUN addgroup ic-http-adapter && \
     adduser --system --disabled-password --shell /usr/sbin/nologin -c "IC Canister HTTP Adapter" ic-http-adapter && \
     adduser ic-http-adapter ic-http-adapter
 
+# The "onchain-observability" account. Used to run `ic-onchain-observability-adapter` binary
+# to send connectivity data to the observability canister.
+RUN addgroup onchain-observability && \
+    adduser --system --disabled-password --shell /usr/sbin/nologin -c "IC Onchain Observability Adapter" onchain-observability && \
+    adduser onchain-observability onchain-observability && \ 
+    adduser onchain-observability ic-csp-vault-socket && \
+    adduser onchain-observability ic-registry-local-store
+
 # User which will run the replica service.
 RUN adduser --system --disabled-password --home /var/lib/ic --group --no-create-home ic-replica && \
     adduser ic-replica backup && \
     adduser ic-replica ic-csp-vault-socket && \
     adduser ic-replica nonconfidential && \
     adduser ic-replica ic-registry-local-store && \
     adduser ic-replica ic-http-adapter && \
+    adduser ic-replica onchain-observability && \
     adduser ic-replica vsock
 
 # Accounts to allow remote access to state bits

diff --git a/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter-metrics.socket b/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter-metrics.socket
@@ -4,8 +4,8 @@ Description= Socket for metrics for the IC onchain observability adapter
 [Socket]
 ListenStream=/run/ic-node/onchain-observability-adapter/metrics
 Service=ic-onchain-observability-adapter.service
-SocketUser=ic-replica
-SocketGroup=ic-replica
+SocketUser=onchain-observability
+SocketGroup=onchain-observability
 SocketMode=0660
 
 [Install]

diff --git a/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.service b/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.service
@@ -11,7 +11,7 @@ Requires=ic-onchain-observability-adapter-metrics.socket
 StartLimitIntervalSec=0
 
 [Service]
-User=ic-replica
+User=onchain-observability
 Environment=RUST_BACKTRACE=1
 # When starting this service, ideally --replica-config-file would directly point to
 # /run/ic-node/config/ic.json5, but this file may be not available yet as it is generated

diff --git a/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.socket b/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.socket
@@ -4,8 +4,8 @@ Description= Replica socket to serve gRPC requests to the IC onchain observabili
 [Socket]
 ListenStream=/run/ic-node/onchain-observability-adapter/socket
 Service=ic-replica.service
-SocketUser=ic-replica
-SocketGroup=ic-replica
+SocketUser=onchain-observability
+SocketGroup=onchain-observability
 SocketMode=0660