Avoid using sudo in agent launchers when the current user is not a sudoer
#5835
Conversation
Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
|
Can one of the admins verify this patch? |
l0rd
added
the
kind/enhancement
|
Can one of the admins verify this patch? |
| # sh agents/che-core-api-agent/src/test/resources/run_launcher_bats_tests.sh | ||
| # | ||
|
|
||
| images=(bitnami/che-codeigniter:3.1.3-r6 bitnami/che-express:4.15.3-r2 bitnami/che-java-play:1.3.12-r3 bitnami/che-laravel:5.4.23-r1 bitnami/che-rails:5.1.2-r0 bitnami/che-swift:3.1.1-r0 bitnami/che-symfony:3.3.2-r0 eclipse/centos_jdk8 eclipse/centos_jdk8 eclipse/cpp_gcc eclipse/debian_jdk8 eclipse/debian_jre eclipse/dotnet_core eclipse/hadoop-dev eclipse/kotlin eclipse/node eclipse/php eclipse/php:5.6 eclipse/php:gae eclipse/selenium eclipse/ubuntu_android eclipse/ubuntu_go eclipse/ubuntu_jdk8 eclipse/ubuntu_jre eclipse/ubuntu_python:2.7 eclipse/ubuntu_python:gae_python2.7 eclipse/ubuntu_python:latest eclipse/ubuntu_rails kaloyanraev/che-zendserver registry.centos.org/che-stacks/centos-go registry.centos.org/che-stacks/centos-nodejs registry.centos.org/che-stacks/spring-boot registry.centos.org/che-stacks/vertx registry.centos.org/che-stacks/wildfly-swarm tomitribe/ubuntu_tomee_173_jdk8 registry.centos.org/che-stacks/centos-git) |
There was a problem hiding this comment.
is there a way to grab list of images automatically by asking dockerhub or github repo ?
There was a problem hiding this comment.
Probably parsing stacks.json. That may be done in another PR.
|
|
||
| is_current_user_sudoer() { | ||
| sudo -n true >& /dev/null && return 0 || return 1 | ||
| } |
There was a problem hiding this comment.
& is bash
you should use
is_current_user_sudoer() {
sudo -n true > /dev/null 2>&1 && return 0 || return 1
}
and maybe it could be simplified to
is_current_user_sudoer() {
sudo -n true > /dev/null 2>&1
}
| is_current_user_root() { | ||
| test "$(id -u)" = 0 && return 0 || return 1 | ||
| } | ||
|
|
There was a problem hiding this comment.
maybe we could avoid the return operations ?
is_current_user_root() {
test "$(id -u)" = 0
}
There was a problem hiding this comment.
yes that's better. let me change it
| @@ -23,7 +32,7 @@ if [ ${CURL_INSTALLED} = false ] && [ ${WGET_INSTALLED} = false ]; then | |||
| CURL_INSTALLED=true | |||
| fi | |||
|
|
|||
| test "$(id -u)" = 0 || SUDO="sudo -E" | |||
| if is_current_user_root && is_current_user_sudoer; then SUDO="sudo -E"; fi | |||
There was a problem hiding this comment.
is_current_user_root && is_current_user_sudoer || SUDO="sudo -E"
?
There was a problem hiding this comment.
Ok your version is more consistent with the rest of the script. Will change that
| @@ -0,0 +1,43 @@ | |||
| #!/bin/bash | |||
There was a problem hiding this comment.
is there a way to launch tests as part of the maven build ?
There was a problem hiding this comment.
it could be run as part of the profile integration tests and using docker containers
https://github.com/eclipse/che/blob/185273f8b92fe5523e676255cd7be172e90ee418/plugins/plugin-java-debugger/che-plugin-java-debugger-server/pom.xml#L234-L235
There was a problem hiding this comment.
That would be cool but I can't see how to do docker exec using the docker-maven-plugin. It doesn't look so trivial anyway. Do you mind if we address that in a separate PR?
There was a problem hiding this comment.
As a general tendency, if something is postponed then it won't be done at all :(
docker-maven-plugin allows starting container in privileged mode and then we can execute tests script inside it.
May be I am mistaken but could you clarify what issue you faced here?
There was a problem hiding this comment.
separate PR is fine for me as this PR should unblock the usage of a specific branch of Che for OpenShift.
There was a problem hiding this comment.
As a general tendency, if something is postponed then it won't be done at all :(
I have to admit that you are right @tolusha :-) I was hoping in some softness since that's an improvement of an improvement I added to the codebase (the bats files). But man you don't seem to be much indulgent today so let's try to fix that ;-)
Let me try to address that today. If takes too long I will ask you again to be indulgent hoping to have more luck the second time.
May be I am mistaken but could you clarify what issue you faced here?
In the fabric8 docker-maven-plugin I've seen a docker:start goal but not a docker:exec. And in the tests I've written we first start a container (docker run) and then executes the tests inside the container (docker exec). Maybe docker:watch may help but not sure.
There was a problem hiding this comment.
Thanks @benoitf. At least someone has been indulgent today :-) However I will give it a try and tell you how it goes
Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
| @@ -23,7 +32,7 @@ if [ ${CURL_INSTALLED} = false ] && [ ${WGET_INSTALLED} = false ]; then | |||
| CURL_INSTALLED=true | |||
| fi | |||
|
|
|||
| test "$(id -u)" = 0 || SUDO="sudo -E" | |||
| is_current_user_root && is_current_user_sudoer || SUDO="sudo -E" | |||
There was a problem hiding this comment.
Can you elaborate on what will happen if a user is root but sudo command is not installed in a container?
There was a problem hiding this comment.
@garagatyi if current user is root this code is not setting SUDO variable. Your scenario should work just fine. I've just tested with:
unset SUDO
is_current_user_root() {
return 0
}
is_current_user_sudoer() {
return 0
}
is_current_user_root && is_current_user_sudoer || SUDO="sudo -E"
echo SUDO=${SUDO}
# output sould be:
# SUDO=But since it doesn't look easy to understand to me neither I've extracted it to a function and made it more readable and covered by the tests (and found a bug in the process):
set_sudo_command() {
if is_current_user_sudoer && ! is_current_user_root; then SUDO="sudo -E"; else unset SUDO; fi
}There was a problem hiding this comment.
Yes, it is what I had expected. In your example return value of function is_current_user_sudoer should return 1 since sudo is not installed. Then
is_current_user_root && is_current_user_sudoer || SUDO="sudo -E"
echo SUDO=${SUDO}
echos SUDO=sudo -E
Now the logic of set_sudo_command function looks good.
Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
…sudoer (eclipse-che#5835) Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
…sudoer (eclipse-che#5835) Signed-off-by: Mario Loriedo <mloriedo@redhat.com>
What does this PR do?
Add a check in agent launchers to verify if the user is a sudoer. Then, if the user is not a sudoer, variable
$SUDOis kept empty.To check if a user is a sudoer we use the following bash function:
I have added some bats files to tests if
is_current_user_sudoer()works fine with all eclipse/che workspace docker images.This modification has been tested on both Docker and OpenShift (creation of workspace).
What issues does this PR fix or reference?
Starting an agent with a user that was not a sudoer (e.g. UID 10000) was impossible.
Changelog
Allowing agents bootstrap by non privileged users
Release Notes
Allowing agents bootstrap by non privileged users