Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

worker: run under a regular user #190

Open
wants to merge 3 commits into
base: main
Choose a base branch
from
Open

worker: run under a regular user #190

wants to merge 3 commits into from

Conversation

lzaoral
Copy link
Member

@lzaoral lzaoral commented Nov 27, 2023

No description provided.

@lzaoral lzaoral force-pushed the worker-run-under-regular-user branch 2 times, most recently from 0bf7821 to ba77baa Compare November 27, 2023 15:34
@kdudka
Copy link
Contributor

kdudka commented Nov 27, 2023

Do we want to use the osh-worker user for RPM-based deployment but the osh user for container-based deployment?

@lzaoral lzaoral force-pushed the worker-run-under-regular-user branch 4 times, most recently from d198b33 to 3ce44d8 Compare November 29, 2023 12:03
@lzaoral lzaoral mentioned this pull request Nov 30, 2023
Merged
@lzaoral
worker: execute osh-worker under a regular user
391b5d1 
The creation of the osh-worker system user was made according to Fedora's
packaging guidelines [1].

[1] https://docs.fedoraproject.org/en-US/packaging-guidelines/UsersAndGroups/#_dynamic_allocation
@lzaoral
containers: remove the :U attribute
fc5d1af 
... because all containers run under a user with the same UID 1000.
@lzaoral lzaoral force-pushed the worker-run-under-regular-user branch from 3ce44d8 to 7c91c47 Compare November 30, 2023 13:24
@lzaoral lzaoral changed the title [WIP] worker: run under regular user worker: run under a regular user Nov 30, 2023
@lzaoral lzaoral force-pushed the worker-run-under-regular-user branch from 7c91c47 to 0fb5fc7 Compare November 30, 2023 15:00
@lzaoral lzaoral requested a review from kdudka November 30, 2023 15:01
@lzaoral lzaoral marked this pull request as ready for review November 30, 2023 15:01
@kdudka
Copy link
Contributor

kdudka commented Nov 30, 2023

This is not going to be a smooth migration. We will need to transfer existing data of the csmock user (such as auth tokens and download cache). This data is used by both csmock and cspodman. We should also check how this will affect task cancellation because osh-worker will not have permission to kill processes of other users any more. This reminds me a csmock patch that I was experimenting with 3 years ago: csutils/csmock@main...kdudka:csmock:script

@lzaoral
Copy link
Member Author

lzaoral commented Dec 5, 2023

This is not going to be a smooth migration.

@kdudka Definitely! This PR is more a proof of concept that it already possible to execute the worker daemon under an unprivileged user.

@hanchuntao

This comment was marked as off-topic.

Sign in to view
@kdudka

This comment was marked as off-topic.

Sign in to view
@kdudka kdudka mentioned this pull request Dec 19, 2023
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kdudka kdudka Awaiting requested review from kdudka kdudka is a code owner

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@lzaoral @kdudka @hanchuntao