-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Avoid using sudo
in agent launchers when the current user is not a sudoer
#5835
Conversation
Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
Can one of the admins verify this patch? |
Can one of the admins verify this patch? |
# sh agents/che-core-api-agent/src/test/resources/run_launcher_bats_tests.sh | ||
# | ||
|
||
images=(bitnami/che-codeigniter:3.1.3-r6 bitnami/che-express:4.15.3-r2 bitnami/che-java-play:1.3.12-r3 bitnami/che-laravel:5.4.23-r1 bitnami/che-rails:5.1.2-r0 bitnami/che-swift:3.1.1-r0 bitnami/che-symfony:3.3.2-r0 eclipse/centos_jdk8 eclipse/centos_jdk8 eclipse/cpp_gcc eclipse/debian_jdk8 eclipse/debian_jre eclipse/dotnet_core eclipse/hadoop-dev eclipse/kotlin eclipse/node eclipse/php eclipse/php:5.6 eclipse/php:gae eclipse/selenium eclipse/ubuntu_android eclipse/ubuntu_go eclipse/ubuntu_jdk8 eclipse/ubuntu_jre eclipse/ubuntu_python:2.7 eclipse/ubuntu_python:gae_python2.7 eclipse/ubuntu_python:latest eclipse/ubuntu_rails kaloyanraev/che-zendserver registry.centos.org/che-stacks/centos-go registry.centos.org/che-stacks/centos-nodejs registry.centos.org/che-stacks/spring-boot registry.centos.org/che-stacks/vertx registry.centos.org/che-stacks/wildfly-swarm tomitribe/ubuntu_tomee_173_jdk8 registry.centos.org/che-stacks/centos-git) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a way to grab list of images automatically by asking dockerhub or github repo ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Probably parsing stacks.json. That may be done in another PR.
|
||
is_current_user_sudoer() { | ||
sudo -n true >& /dev/null && return 0 || return 1 | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
& is bash
you should use
is_current_user_sudoer() {
sudo -n true > /dev/null 2>&1 && return 0 || return 1
}
and maybe it could be simplified to
is_current_user_sudoer() {
sudo -n true > /dev/null 2>&1
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes let me fix that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
is_current_user_root() { | ||
test "$(id -u)" = 0 && return 0 || return 1 | ||
} | ||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
maybe we could avoid the return operations ?
is_current_user_root() {
test "$(id -u)" = 0
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
yes that's better. let me change it
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
@@ -23,7 +32,7 @@ if [ ${CURL_INSTALLED} = false ] && [ ${WGET_INSTALLED} = false ]; then | |||
CURL_INSTALLED=true | |||
fi | |||
|
|||
test "$(id -u)" = 0 || SUDO="sudo -E" | |||
if is_current_user_root && is_current_user_sudoer; then SUDO="sudo -E"; fi |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is_current_user_root && is_current_user_sudoer || SUDO="sudo -E"
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok your version is more consistent with the rest of the script. Will change that
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
fixed
@@ -0,0 +1,43 @@ | |||
#!/bin/bash |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
is there a way to launch tests as part of the maven build ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
any suggestion?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it could be run as part of the profile integration tests and using docker containers
https://github.com/eclipse/che/blob/185273f8b92fe5523e676255cd7be172e90ee418/plugins/plugin-java-debugger/che-plugin-java-debugger-server/pom.xml#L234-L235
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That would be cool but I can't see how to do docker exec
using the docker-maven-plugin. It doesn't look so trivial anyway. Do you mind if we address that in a separate PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As a general tendency, if something is postponed then it won't be done at all :(
docker-maven-plugin
allows starting container in privileged mode and then we can execute tests script inside it.
May be I am mistaken but could you clarify what issue you faced here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
separate PR is fine for me as this PR should unblock the usage of a specific branch of Che for OpenShift.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As a general tendency, if something is postponed then it won't be done at all :(
I have to admit that you are right @tolusha :-) I was hoping in some softness since that's an improvement of an improvement I added to the codebase (the bats files). But man you don't seem to be much indulgent today so let's try to fix that ;-)
Let me try to address that today. If takes too long I will ask you again to be indulgent hoping to have more luck the second time.
May be I am mistaken but could you clarify what issue you faced here?
In the fabric8 docker-maven-plugin I've seen a docker:start
goal but not a docker:exec
. And in the tests I've written we first start a container (docker run
) and then executes the tests inside the container (docker exec
). Maybe docker:watch
may help but not sure.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks @benoitf. At least someone has been indulgent today :-) However I will give it a try and tell you how it goes
Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
@@ -23,7 +32,7 @@ if [ ${CURL_INSTALLED} = false ] && [ ${WGET_INSTALLED} = false ]; then | |||
CURL_INSTALLED=true | |||
fi | |||
|
|||
test "$(id -u)" = 0 || SUDO="sudo -E" | |||
is_current_user_root && is_current_user_sudoer || SUDO="sudo -E" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you elaborate on what will happen if a user is root but sudo command is not installed in a container?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@garagatyi if current user is root this code is not setting SUDO variable. Your scenario should work just fine. I've just tested with:
unset SUDO
is_current_user_root() {
return 0
}
is_current_user_sudoer() {
return 0
}
is_current_user_root && is_current_user_sudoer || SUDO="sudo -E"
echo SUDO=${SUDO}
# output sould be:
# SUDO=
But since it doesn't look easy to understand to me neither I've extracted it to a function and made it more readable and covered by the tests (and found a bug in the process):
set_sudo_command() {
if is_current_user_sudoer && ! is_current_user_root; then SUDO="sudo -E"; else unset SUDO; fi
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, it is what I had expected. In your example return value of function is_current_user_sudoer
should return 1 since sudo is not installed. Then
is_current_user_root && is_current_user_sudoer || SUDO="sudo -E"
echo SUDO=${SUDO}
echos SUDO=sudo -E
Now the logic of set_sudo_command
function looks good.
Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
…sudoer (eclipse-che#5835) Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
…sudoer (eclipse-che#5835) Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
What does this PR do?
Add a check in agent launchers to verify if the user is a sudoer. Then, if the user is not a sudoer, variable
$SUDO
is kept empty.To check if a user is a sudoer we use the following bash function:
I have added some bats files to tests if
is_current_user_sudoer()
works fine with all eclipse/che workspace docker images.This modification has been tested on both Docker and OpenShift (creation of workspace).
What issues does this PR fix or reference?
Starting an agent with a user that was not a sudoer (e.g. UID 10000) was impossible.
Changelog
Allowing agents bootstrap by non privileged users
Release Notes
Allowing agents bootstrap by non privileged users