refactor(gui-client/linux): use the same systemd service file in CI as in production #4832
@@ -38,6 +38,7 @@ UMask=077 | |||
Environment="FIREZONE_DNS_CONTROL=systemd-resolved" | |||
Environment="LOG_DIR=/var/log/dev.firezone.client" | |||
Environment="RUST_LOG=info" | |||
EnvironmentFile="/etc/default/firezone-client-ipc" |
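Review bot: the added `EnvironmentFile=` line has no `-` prefix, so systemd treats `/etc/default/firezone-client-ipc` as required and the unit fails to start when that file is absent. If the file is meant to be optional, give the path a leading `-`. It is also worth a comment in the unit stating that values read from this file override the `Environment=` lines above it (`FIREZONE_DNS_CONTROL`, `LOG_DIR`, `RUST_LOG`), so anyone who can write the file controls those settings for the service.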
The ID and token could actually go in this type of file for the headless Clients, if we end up setting them up as deb packages and put the systemd service file in /usr/lib
LGTM.
Can't remember if you checked already, but maybe there's a capability we can set that will avoid running as root?
Here's what I checked:
These others remain:
…adable (#4825)

```[tasklist]
# Before merging
- [x] Add CI test to check that the Unix domain socket is owned by `root:firezone` (#4832 will do this)
```

This allows the GUI (running as a normal user who belongs to the `firezone` group) to read back the connlib logs and export them in the zip file.
This will keep the files from going out of sync.
This PR also checks that the IPC service creates the IPC socket with `root:firezone` as the owner and group, when running under systemd.
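A check of the kind described above, as an added example that is not the project's CI code. The function name and the socket path are hypothetical (the page does not give the path), and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: verify the file type, owner and group of a Unix domain socket.
# Usage: check_socket_owner PATH OWNER GROUP
# Returns 0 on match, 1 on owner/group mismatch, 2 if PATH is missing or not a socket.
check_socket_owner() {
    sock_path=$1
    want_owner=$2
    want_group=$3

    # -S is true only for sockets. A missing path or a regular file fails here,
    # which also catches a service that started but never bound its socket.
    if [ ! -S "$sock_path" ]; then
        echo "FAIL: $sock_path is missing or not a socket" >&2
        return 2
    fi

    # GNU stat: %U = owner name, %G = group name, %a = octal mode.
    actual=$(stat -c '%U:%G' "$sock_path") || return 2
    mode=$(stat -c '%a' "$sock_path") || return 2

    if [ "$actual" != "$want_owner:$want_group" ]; then
        echo "FAIL: $sock_path is $actual (mode $mode), want $want_owner:$want_group" >&2
        return 1
    fi

    # The mode is printed so the CI log shows who besides owner and group can connect.
    echo "OK: $sock_path is $actual (mode $mode)"
}

# In CI, once the service is active (placeholder path, not taken from the page):
#   check_socket_owner "<path-to-ipc-socket>" root firezone
```
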