New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
kolibri/tasks/install.yml spring cleaning (tighten up code, flow, in-line docs) #3514
Conversation
Credit goes to @benjaoming and @arky who originally structured this code. Thank you to both 💯 |
- name: Create Linux user {{ kolibri_user }} and add it to groups {{ apache_user }}, disk | ||
user: | ||
name: "{{ kolibri_user }}" | ||
groups: | ||
- "{{ apache_user }}" | ||
- disk |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@holta Security feature of debian. Please refer https://wiki.debian.org/SystemGroups
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If group disk is needed for USB drive access, yes we should annotate that in future.
This root-style access level might or might not be fully necessary (requirement seems to remain somewhat ambiguous?)
As noted @ 190ac34
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps 'plugdev' would be more suitable given the issue is with mounting usb based filesystems. Remember IIAB has it's own usb mounting routine in usbmount.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Perhaps 'plugdev' would be more suitable
Might be promising yes:
Group plugdev
"Allows members to mount (only with the options nodev and nosuid, for security reasons) and umount removable devices through pmount." according to https://wiki.debian.org/SystemGroups
Remember IIAB has it's own usb mounting routine in usbmount.
That's https://github.com/iiab/iiab/tree/master/roles/usb_lib if anybody's interested.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just FYI/FWIW: if one allows apt install kolibri
to create and set up a new KOLIBRI_USER, it does not add the user to any Linux groups (like www-data
or disk
).
[*] i.e. if installing a Kolibri .deb package at the command-line (outside of Ansible) and without setting export DEBIAN_FRONTEND=noninteractive
— so as to be presented with up-to-5 debconf interactive screens.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Another FYI/FWIW: Kolibri appears to work just fine (with IIAB) when KOLIBRI_USER is not added to any Linux groups (like www-data
or disk
).
However I only tested on a VM (Ubuntu 22.04). So further testing would be required to see if Kolibri's USB drive functionality works or not. Which of course still requires:
# Set umask=0000 for VFAT, NTFS and exFAT in /etc/usbmount/usbmount.conf so
# Kolibri can export & import channels to USB sticks/drive:
usb_lib_umask0000_for_kolibri: True
As explained in usb_lib/README.rst here:
IIAB will generally mount USB drives 'rw' allowing root to both read and write to them. In addition, in March 2021 (
PR #2715 <https://github.com/iiab/iiab/issues/2715>
) Kolibri exports were enabled by also giving non-root users read and write access to VFAT/FAT32, NTFS and exFAT USB drives, usingumask=0000
(in /etc/usbmount/usbmount.conf) to override theumask=0022
default. If however you prefer to restore usbmount's default, setusb_lib_umask0000_for_kolibri: False
in/etc/iiab/local_vars.yml <http://FAQ.IIAB.IO/#What_is_local_vars.yml_and_how_do_I_customize_it.3F>
(preferably do this prior to installing IIAB).
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just FYI/FWIW: if one allows
apt install kolibri
to create and set up a new KOLIBRI_USER, it does not add the user to any Linux groups (likewww-data
ordisk
).
Might want to tinker with https://github.com/iiab/iiab/blob/master/roles/kolibri/templates/kolibri.service.j2#L12 Think the only thing that might need 'disk' would be something like dd
to access the raw device.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Quick context for Group=www-data
on Line 12 of /etc/systemd/system/kolibri.service :
meaning of systemd "Group" option
https://serverfault.com/questions/805879/meaning-of-systemd-group-option/805883#805883
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Linux group disk
is proven to be unneeded with USB stick testing (using 64-bit Raspberry Pi OS, on a Raspberry Pi 4).
So I will remove it entirely.
(It would appear this root-level access was never needed from day one, and it's time to take security more seriously in 2023 now!)
@holta Someone needs to audit and update this code to ensure kolibri-server performance fixes are ported into IIAB. This was created long time ago before Kolibri official support for debian landed. |
In principle, yes a good idea. In practice however:
|
@holta Someone needs to audit and update this code to ensure kolibri-server performance fixes are ported into IIAB. This was created long time ago before Kolibri official support for debian landed.
It has been many moons since I worked on this. So I'll let /cc @jredrejo |
On a side note the upstream documentation references KOLIBRI_HOME as containing a .kolibri path, perhaps that path could be employed in IIAB also for maximum compatibility with the upstream docs? ie just change KOLIBRI_HOME to be '/library/kolibri/.kolibri' Other thing to consider would be populating /etc/kolibri/daemon.conf with more of the environmental variables from the custom systemd unit file template and just reference the daemon.conf file with 'EnvironmentFile=' -AND/OR- The stock options.ini as provided by kolibri below might need tinkering also as there would be options in use by the daemon that should match what the command line expects in CONTENT_DIR HTTP_PORT URL_PATH_PREFIX
I think the common ground between the cmdline tool (/usr/bin/kolibri) and running a daemon might be the options.ini file. |
I think setting group is a good practice, but has no practical implications as world and group have the same permissions on the assets in /library/kolibri/content |
I agree this is likely best. Hopefully I &/or others will have more time to confirm today/soon. |
Recap — after careful testing that group
|
fc399cd
to
0f9c6f2
Compare
Thanks everyone for the comments + suggestions over the past 3 days. Let's go with this PR. And if necessary later, we can further simplify in a future PR (e.g. removing all secondary groups for KOLIBRI_USER @radinamatic, @rtibbles and/or @jamalex might know when Kolibri docs are next scheduled to be updated (this year ideally, if possible!) Just FYI many of Kolibri's install docs and guidelines are currently stale by a few years, so let's give them time to catch up in 2023 hopefully. Just 3 examples here:
|
Link fixed just above, to help with installing Kolibri via apt/PPA: keyring /etc/apt/trusted.gpg DEPRECATED (#3343) |
This "spring cleaning" PR is mostly about in-line docs, while also cleaning up Ansible / Kolibri hygiene, and a few small code/flow adjustments, e.g.:
kolibri_deb_url
to install a custom Kolibri .deb file, thereby allowing easier later upgrades).Tested on Ubuntu 22.04
Recent related work: