Merge lp:~pwlars/charms/trusty/adt-cloud-worker/acw-charm-exec-user into lp:~canonical-ci-engineering/charms/trusty/adt-cloud-worker/trunk

Proposed by Paul Larson
Status: Merged
Approved by: Paul Larson
Approved revision: 14
Merged at revision: 13
Proposed branch: lp:~pwlars/charms/trusty/adt-cloud-worker/acw-charm-exec-user
Merge into: lp:~canonical-ci-engineering/charms/trusty/adt-cloud-worker/trunk
Diff against target: 49 lines (+8/-2)
3 files modified
hooks/actions.py (+5/-0)
hooks/services.py (+1/-0)
templates/upstart.conf (+2/-2)
To merge this branch: bzr merge lp:~pwlars/charms/trusty/adt-cloud-worker/acw-charm-exec-user
Reviewer          Review Type   Date Requested   Status
Celso Providelo   community                      Approve
Paul Larson                                      Needs Resubmitting
Review via email: mp+252768@code.launchpad.net

Commit message

Run the worker as a normal user, rather than the user that was used to install the code.

Description of the change

Use a different user to run the worker than the user that was used to install the code, so that there's no risk anything in the worker can be used to modify itself.

Revision history for this message
Celso Providelo (cprov) wrote :

Paul,

Well done and great timing!

It will only work after https://code.launchpad.net/~cprov/charms/trusty/adt-cloud-worker/uci-nova/+merge/252769 lands, moving the security setup (specifically the ssh-keygen) to adt-run, which will run as the worker user, instead of "root".

[]

review: Approve
Revision history for this message
Ubuntu CI Bot (uci-bot) wrote :

Attempt to merge into lp:~canonical-ci-engineering/charms/trusty/adt-cloud-worker/trunk failed due to conflicts:

text conflict in hooks/actions.py
text conflict in hooks/services.py

13. By Paul Larson

merge

14. By Paul Larson

whitespace

Revision history for this message
Celso Providelo (cprov) wrote :

Paul,

Thanks for fixing the conflicts and investigating if there isn't anything better than "sudo -u xxx" for running jobs as a different user. We will have to wait for upstart 1.4+ ...

review: Approve
Revision history for this message
Paul Larson (pwlars) :
review: Needs Resubmitting
Revision history for this message
Celso Providelo (cprov) :
review: Approve

Preview Diff

1=== modified file 'hooks/actions.py'
2--- hooks/actions.py 2015-03-12 15:33:33 +0000
3+++ hooks/actions.py 2015-03-12 18:32:51 +0000
4@@ -5,6 +5,7 @@
5
6 from charmhelpers import fetch
7 from charmhelpers.core import hookenv
8+from charmhelpers.core.host import adduser
9
10 from charmhelpers.payload.archive import extract_tarfile
11
12@@ -43,6 +44,10 @@
13 f.write(config_content)
14
15
16+def create_user(service_name):
17+ adduser('acw-worker')
18+
19+
20 def install_adt_uci_nova(service_name):
21 hookenv.log('Attempting to install "uci-nova" autopkgtest ssh-setup ...')
22 shutil.copy2(
23
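Review bot: create_user ignores its service_name argument and hard-codes the 'acw-worker' name, which templates/upstart.conf hard-codes a second time; hoist the name into one module-level constant (or a charm config value) that both the hook and the template consume, so the account created here and the account the job runs as cannot drift apart. adduser('acw-worker') is also called with the helper's defaults; since this account exists only to run the worker, create it as a system account with no login shell (charmhelpers' adduser takes shell and system_user arguments, if the vendored version is recent enough) so nothing can log in as it.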
24=== modified file 'hooks/services.py'
25--- hooks/services.py 2015-03-12 15:33:33 +0000
26+++ hooks/services.py 2015-03-12 18:32:51 +0000
27@@ -18,6 +18,7 @@
28 actions.get_cloud_worker_from_tarball,
29 actions.install_python_packages,
30 actions.get_config_file,
31+ actions.create_user,
32 actions.install_adt_uci_nova,
33 helpers.render_template(
34 source='upstart.conf',
35
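Review bot: placing actions.create_user after get_config_file and install_python_packages means everything those steps write stays owned by the install user, which is the intent of the change, but the worker still has to read the config file they produce; confirm its mode and ownership (readable by acw-worker, not writable by it, and not world-readable if it carries credentials), otherwise the job will start and fail on first read. The position before install_adt_uci_nova and the upstart.conf render is correct if those steps reference the account.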
36=== modified file 'templates/upstart.conf'
37--- templates/upstart.conf 2015-03-05 01:09:53 +0000
38+++ templates/upstart.conf 2015-03-12 18:32:51 +0000
39@@ -15,8 +15,8 @@
40
41 script
42
43- mkdir -p ${SERVICE_DIR}/logs
44+ install -d -o acw-worker ${SERVICE_DIR}/logs
45 chdir ${SERVICE_DIR}
46- exec ./ve/bin/python3 adt-cloud-worker.py >> logs/adt-cloud-worker.log 2>&1
47+ exec sudo -u acw-worker sh -c "./ve/bin/python3 adt-cloud-worker.py >> logs/adt-cloud-worker.log 2>&1"
48
49 end script
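Review bot: sudo resets the environment by default (env_reset), so anything the upstart job exports for the worker is dropped before ./ve/bin/python3 runs; only ${SERVICE_DIR} survives because the outer script expands it before chdir. If the worker reads any configuration from the environment, pass it explicitly inside the sh -c string or drop sudo in favour of `start-stop-daemon --chuid acw-worker` or `su -s /bin/sh -c '...' acw-worker`, which do not need a sudoers entry and avoid the extra sudo process sitting between upstart and the worker. `install -d -o acw-worker ${SERVICE_DIR}/logs` leaves the group as root and the mode at the default; that is fine for a log directory, but note that this is the one place under ${SERVICE_DIR} the worker can write, which is exactly the property the description wants.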
