Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

use DynamicUser=yes for all cockpit components #16811

Draft
wants to merge 7 commits into
base: main
Choose a base branch
from

Conversation

allisonkarlitskaya
Copy link
Member

Switch over to systemd allocating user IDs for us dynamically, dropping our static users.

We create these users dynamically:

  • cockpit-session-socket is the group owner of /run/cockpit/session
  • cockpit-wsinstance-socket is the group owner of all sockets in /run/cockpit/wsinstance/
  • cockpit-tls gets its own user
  • cockpit-wsinstance-http{,s@}.service each get a user. In this case, I think the separate https instances even each get a separate user.

Right now it's not working. There seem to be quite some edge cases, particularly involving the use of DynamicUser in combination with SupplementaryGroup. Also, the approach to using virtual services to create the dynamic user is really strange.

I feel like we maybe shouldn't proceed here until we get better support for this from systemd.

@allisonkarlitskaya allisonkarlitskaya added the blocked Don't land until something else happens first (see task list) label Jan 11, 2022
@allisonkarlitskaya allisonkarlitskaya temporarily deployed to cockpit-dist January 11, 2022 08:06 Inactive
@martinpitt martinpitt removed their request for review April 7, 2022 09:02
@martinpitt
Copy link
Member

I filed systemd/systemd#23067 to start the discussion.

martinpitt and others added 6 commits May 10, 2024 10:17
Unless it's otherwise specified in the configuration file, we now spawn
cockpit-session by connecting to /run/cockpit/session.

We leave the cockpit_ws_session_program variable in place to allow the
tests to override things.

Update the unit files for cockpit-ws to ensure that the socket is
available when cockpit-ws is running.
systemd spawns this for us now, so we don't need the setuid bit anymore.
Unfortunately, socket units can't set DynamicUser=yes, so add a
dependency on a separate .service created just for this purpose.

/run/cockpit/session is now owned by group cockpit-session-socket which
also gets added as a supplementary group to the cockpit-ws units.
Similar to the last commit, we create a dynamic group for the sockets in
/run/cockpit/wsinstance and add a supplementary group to cockpit-tls.
We only dynamically generate a single .socket file now.  The rest of
them are in version control and installed verbatim.
@martinpitt
Copy link
Member

martinpitt commented May 10, 2024

Rebased after the rebasing of #16808 and the recent heavy changes to sysuser management. Locally this at least works for a simple local session, let's see if there's any fallout beyond what's already in #16808.

cockpit-wsinstance-http{,s@}.service each get a user.

I didn't port this bit yet, let's do that step separately. We have much more freedom to change this once everything is a DynamicUser.

@martinpitt martinpitt added the no-test For doc/workflow changes, or experiments which don't need a full CI run, label May 10, 2024
@martinpitt
Copy link
Member

Cool -- the test failures are by and large the same as in #16808. Just the unit lifecycle test fails in addition, but that'll be straightforward to fix -- and indeed we should adjust this some more to check proper cleanup after stopping.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
blocked Don't land until something else happens first (see task list) no-test For doc/workflow changes, or experiments which don't need a full CI run,
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants