This repository has been archived by the owner on Jan 25, 2023. It is now read-only.

Define $HOME when running Consul on supervisord #10

Merged
merged 2 commits into from
May 24, 2018

thevilledev
Contributor

Consul refers to the $HOME environment variable quite a bit, for example in the Google Cloud Platform retry-join provider. By default supervisord does not set it at all, even if user is set to a user other than root.

The user will be changed using setuid only. This does not start a login shell and does not change environment variables like USER or HOME.

This means that by default Consul tries to read the GCP auth file from /.config/gcloud/application_default_credentials.json.

This PR modifies the auto-generated supervisord config to include a proper definition for the $HOME environment variable. For a user generated by useradd -d /opt/consul consul, the resulting config file looks like this:

[program:consul]
command=/opt/consul/bin/consul agent -config-dir /opt/consul/config -data-dir /opt/consul/data
stdout_logfile=/opt/consul/log/consul-stdout.log
stderr_logfile=/opt/consul/log/consul-error.log
numprocs=1
autostart=true
autorestart=true
stopsignal=INT
user=consul
environment=HOME="/opt/consul"

@josh-padnick
Collaborator

Thanks for submitting this PR! I realize there was a delay in responding, but we've now made the decision to commit to timely follow-up on the Gruntwork-managed GCP Terraform modules.

Regarding this PR, my concern with the proposed change is that today we create the consul user with this code, which does not create any home directory for the consul user.

In fact, here's the output I get when I check the value of $HOME via SSH:

josh@consul-server-josh-51p5:/home$ sudo su - consul -c 'echo $HOME'
No directory, logging in with HOME=/
/

This seems to match the behavior you described in your original report.

If we're going to pass the $HOME value to the supervisord process, we should probably resolve this. Perhaps we should amend the create_consul_user function to use:

 sudo useradd --create-home "$username"

Also, can you just add a comment to the supervisord config file that explains that when supervisord runs a process it does not start a login shell and does not change environment variables like USER or HOME, so we must pass this in manually?

If you make the above changes, I'd be happy to merge.

@@ -203,6 +203,9 @@ function generate_supervisor_config {
local readonly consul_bin_dir="$5"
local readonly consul_user="$6"

local consul_user_home_dir=""
consul_user_home_dir="$(get_owner_home_dir $consul_user)"
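Review bot: `$consul_user` is expanded unquoted in the added `get_owner_home_dir $consul_user` call, so a value containing whitespace or glob characters would be split or expanded before the function receives it; quote it as `"$(get_owner_home_dir "$consul_user")"`. The context lines above also use `local readonly consul_user="$6"`, which in bash declares a second local variable named `readonly` instead of marking `consul_user` read-only; `local -r` is the form that does that.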
Collaborator

This code format is necessary because the following code will not exit the script upon a failure of get_owner_home_dir:

# Script won't exit on a non-zero exit code from get_owner_home_dir
local readonly consul_user_home_dir="$(get_owner_home_dir $consul_user)"
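
The exit-status masking described in the review comment above, as an added example that is not part of the PR or the project's code. `PASSWD_SAMPLE` is a constructed table, the body of `get_owner_home_dir` is a hypothetical stand-in (only its name appears on the page), and `render_masked` and `render_checked` are hypothetical helpers that render the `environment=HOME=...` line from the PR description.

```bash
#!/usr/bin/env bash
# Added example, not the project's code. Constructed passwd-style sample data.
PASSWD_SAMPLE='consul:x:1001:1001::/opt/consul:/bin/false
vault:x:1002:1002::/opt/vault:/bin/false'

# Hypothetical stand-in for get_owner_home_dir: prints the home directory of
# user $1 and returns non-zero when the user is not in the sample table.
get_owner_home_dir() {
  printf '%s\n' "$PASSWD_SAMPLE" |
    awk -F: -v u="$1" '$1 == u { print $6; found = 1 } END { exit !found }'
}

# Combined form: the status of the line is that of `local`, which succeeds,
# so errexit never sees the failed lookup and an empty HOME is rendered.
render_masked() (
  set -e
  gen() {
    local home_dir="$(get_owner_home_dir "$1")"
    printf 'environment=HOME="%s"\n' "$home_dir"
  }
  gen "$1"
)

# Split form from the PR: a plain assignment returns the status of the
# command substitution, so errexit stops before any config line is printed.
render_checked() (
  set -e
  gen() {
    local home_dir=""
    home_dir="$(get_owner_home_dir "$1")"
    printf 'environment=HOME="%s"\n' "$home_dir"
  }
  gen "$1"
)
```

Errexit is ignored inside a function invoked as an `if` condition or on the left of `||` or `&&`, so call these as plain commands and inspect `$?` afterwards.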

@josh-padnick
Collaborator

Just added the necessary changes, so we're good to merge now!

@josh-padnick josh-padnick merged commit f991a43 into hashicorp:master May 24, 2018