diff --git a/ic-os/guestos/rootfs/Dockerfile b/ic-os/guestos/rootfs/Dockerfile
index 02a27cd964f..31c0b1d37c9 100644
--- a/ic-os/guestos/rootfs/Dockerfile
+++ b/ic-os/guestos/rootfs/Dockerfile
@@ -120,6 +120,14 @@ RUN addgroup ic-http-adapter && \
 adduser --system --disabled-password --shell /usr/sbin/nologin -c "IC Canister HTTP Adapter" ic-http-adapter && \
 adduser ic-http-adapter ic-http-adapter

+# The "onchain-observability" account. Used to run `ic-onchain-observability-adapter` binary
+# to send connectivity data to the observability canister.
+RUN addgroup onchain-observability && \
+ adduser --system --disabled-password --shell /usr/sbin/nologin -c "IC Onchain Observability Adapter" onchain-observability && \
+ adduser onchain-observability onchain-observability && \
+ adduser onchain-observability ic-csp-vault-socket && \
+ adduser onchain-observability ic-registry-local-store
+
 # User which will run the replica service.
 RUN adduser --system --disabled-password --home /var/lib/ic --group --no-create-home ic-replica && \
 adduser ic-replica backup && \
@@ -127,6 +135,7 @@ RUN adduser --system --disabled-password --home /var/lib/ic --group --no-create-
 adduser ic-replica nonconfidential && \
 adduser ic-replica ic-registry-local-store && \
 adduser ic-replica ic-http-adapter && \
+ adduser ic-replica onchain-observability && \
 adduser ic-replica vsock

 # Accounts to allow remote access to state bits
diff --git a/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter-metrics.socket b/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter-metrics.socket
index 2425d644aef..8d7bb56117c 100644
--- a/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter-metrics.socket
+++ b/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter-metrics.socket
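Review bot: The last two `adduser` lines of the new RUN block, which put the account into `ic-csp-vault-socket` and `ic-registry-local-store`, are the privilege-bearing part of this change, and the comment above the block explains only what the binary does, not why it needs those groups. Going by the names, the first presumably grants access to the crypto vault socket and the second to the node's local registry copy, which is a wider footprint than the `ic-http-adapter` account directly above it gets. I would extend the comment so a later audit does not have to reconstruct the reason, e.g. `# Needs ic-csp-vault-socket to talk to the crypto vault and ic-registry-local-store to read the local registry copy.`, with the wording confirmed by whoever knows what the adapter actually does with each.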
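Review bot: `adduser ic-replica onchain-observability` widens the replica's group set to everything group-owned by the new account, and nothing in the Dockerfile says why; the only visible consumer is the `SocketMode=0660` group bit on the two adapter sockets changed in the same commit, which is presumably how the replica reaches them. A comment line directly above this `adduser` (Docker strips full-line comments inside a continued RUN) would record that: `# onchain-observability: group bit on the 0660 adapter sockets`. If the replica only needs the socket it is itself the `Service=` for, it receives that one by socket activation, so the membership may matter only for the metrics socket; worth confirming before it becomes load-bearing.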
@@ -4,8 +4,8 @@ Description= Socket for metrics for the IC onchain observability adapter
 [Socket]
 ListenStream=/run/ic-node/onchain-observability-adapter/metrics
 Service=ic-onchain-observability-adapter.service
-SocketUser=ic-replica
-SocketGroup=ic-replica
+SocketUser=onchain-observability
+SocketGroup=onchain-observability
 SocketMode=0660

 [Install]
diff --git a/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.service b/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.service
index e3c42749c5c..682441a4bdd 100644
--- a/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.service
+++ b/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.service
@@ -11,7 +11,7 @@ Requires=ic-onchain-observability-adapter-metrics.socket
 StartLimitIntervalSec=0

 [Service]
-User=ic-replica
+User=onchain-observability
 Environment=RUST_BACKTRACE=1
 # When starting this service, ideally --replica-config-file would directly point to
 # /run/ic-node/config/ic.json5, but this file may be not available yet as it is generated
diff --git a/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.socket b/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.socket
index bdf0eac5365..ddc71aff1f6 100644
--- a/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.socket
+++ b/ic-os/guestos/rootfs/etc/systemd/system/ic-onchain-observability-adapter.socket
@@ -4,8 +4,8 @@ Description= Replica socket to serve gRPC requests to the IC onchain observabili
 [Socket]
 ListenStream=/run/ic-node/onchain-observability-adapter/socket
 Service=ic-replica.service
-SocketUser=ic-replica
-SocketGroup=ic-replica
+SocketUser=onchain-observability
+SocketGroup=onchain-observability
 SocketMode=0660
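Review bot: With `SocketUser`/`SocketGroup` now matching the `User=` of the adapter service, the group bit in the unchanged `SocketMode=0660` is what lets `ic-replica` (made a member of `onchain-observability` in this commit's Dockerfile change) reach the metrics socket, so the group is doing real access control here. The unit does not record that, and a later tightening to 0600 would silently cut off whichever component reads the metrics. I would add `# 0660: the group bit admits ic-replica, a member of onchain-observability` above `SocketMode`; if nothing other than the adapter itself needs this socket, 0600 is the safer value instead.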
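Review bot: `User=onchain-observability` is set without a matching `Group=`, and the account was created in this commit with `adduser --system` and neither `--group` nor `--ingroup`, which on Debian leaves its primary group as `nogroup` (note that `ic-replica` in the same Dockerfile is created with `--group`); supplementary groups still come from the memberships, but anything the adapter creates will be group-owned by `nogroup` rather than `onchain-observability`. Adding `Group=onchain-observability` directly under `User=` makes the intended identity explicit and independent of the adduser default. The `[Service]` section continues beyond the hunk, so I cannot see whether any hardening directives already accompany it.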