-
Notifications
You must be signed in to change notification settings - Fork 1.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
use DynamicUser=yes for all cockpit components #16811
base: main
Are you sure you want to change the base?
use DynamicUser=yes for all cockpit components #16811
Conversation
I filed systemd/systemd#23067 to start the discussion. |
Unless it's otherwise specified in the configuration file, we now spawn cockpit-session by connecting to /run/cockpit/session. We leave the cockpit_ws_session_program variable in place to allow the tests to override things. Update the unit files for cockpit-ws to ensure that the socket is available when cockpit-ws is running.
systemd spawns this for us now, so we don't need the setuid bit anymore.
Unfortunately, socket units can't set DynamicUser=yes, so add a dependency on a separate .service created just for this purpose. /run/cockpit/session is now owned by group cockpit-session-socket which also gets added as a supplementary group to the cockpit-ws units.
Similar to the last commit, we create a dynamic group for the sockets in /run/cockpit/wsinstance and add a supplementary group to cockpit-tls.
We only dynamically generate a single .socket file now. The rest of them are in version control and installed verbatim.
Rebased after the rebasing of #16808 and the recent heavy changes to sysuser management. Locally this at least works for a simple local session, let's see if there's any fallout beyond what's already in #16808.
I didn't port this bit yet, let's do that step separately. We have much more freedom to change this once everything is a DynamicUser. |
Cool -- the test failures are by and large the same as in #16808. Just the unit lifecycle test fails in addition, but that'll be straightforward to fix -- and indeed we should adjust this some more to check proper cleanup after stopping. |
Switch over to systemd allocating user IDs for us dynamically, dropping our static users.
We create these users dynamically:
cockpit-session-socket
is the group owner of/run/cockpit/session
cockpit-wsinstance-socket
is the group owner of all sockets in/run/cockpit/wsinstance/
cockpit-tls
gets its own usercockpit-wsinstance-http{,s@}.service
each get a user. In this case, I think the separate https instances even each get a separate user.Right now it's not working. There seem to be quite some edge cases, particularly involving the use of
DynamicUser
in combination withSupplementaryGroup
. Also, the approach to using virtual services to create the dynamic user is really strange.I feel like we maybe shouldn't proceed here until we get better support for this from systemd.