Merge lp:~pwlars/charms/trusty/adt-cloud-worker/acw-charm-exec-user into lp:~canonical-ci-engineering/charms/trusty/adt-cloud-worker/trunk

Proposed by Paul Larson
Status: Merged
Approved by: Paul Larson
Approved revision: 14
Merged at revision: 13
Proposed branch: lp:~pwlars/charms/trusty/adt-cloud-worker/acw-charm-exec-user
Merge into: lp:~canonical-ci-engineering/charms/trusty/adt-cloud-worker/trunk
Diff against target: 49 lines (+8/-2)
3 files modified
hooks/actions.py (+5/-0)
hooks/services.py (+1/-0)
templates/upstart.conf (+2/-2)
To merge this branch: bzr merge lp:~pwlars/charms/trusty/adt-cloud-worker/acw-charm-exec-user
Reviewer Review Type Date Requested Status
Celso Providelo (community) Approve
Paul Larson Needs Resubmitting
Review via email: mp+252768@code.launchpad.net

Commit message

Run the worker as a normal user, rather than the user that was used to install the code.

Description of the change

Use a different user to run the worker than the user that was used to install the code, so that there's no risk anything in the worker can be used to modify itself.

Revision history for this message
Celso Providelo (cprov) wrote :

Paul,

Well done and great timing!

It will only work after https://code.launchpad.net/~cprov/charms/trusty/adt-cloud-worker/uci-nova/+merge/252769 lands, moving the security setup (specifically the ssh-keygen) to adt-run, which will run as the worker user, instead of "root".

[]

review: Approve
Revision history for this message
Ubuntu CI Bot (uci-bot) wrote :

Attempt to merge into lp:~canonical-ci-engineering/charms/trusty/adt-cloud-worker/trunk failed due to conflicts:

text conflict in hooks/actions.py
text conflict in hooks/services.py

13. By Paul Larson

merge

14. By Paul Larson

whitespace

Revision history for this message
Celso Providelo (cprov) wrote :

Paul,

Thanks for fixing the conflicts and investigating if there isn't anything better than "sudo -u xxx" for running jobs as a different user. We will have to wait for upstart 1.4+ ...

review: Approve
Revision history for this message
Paul Larson (pwlars) :
review: Needs Resubmitting
Revision history for this message
Celso Providelo (cprov) :
review: Approve

Preview Diff

=== modified file 'hooks/actions.py'
--- hooks/actions.py 2015-03-12 15:33:33 +0000
+++ hooks/actions.py 2015-03-12 18:32:51 +0000
@@ -5,6 +5,7 @@
55
6from charmhelpers import fetch6from charmhelpers import fetch
7from charmhelpers.core import hookenv7from charmhelpers.core import hookenv
8from charmhelpers.core.host import adduser
89
9from charmhelpers.payload.archive import extract_tarfile10from charmhelpers.payload.archive import extract_tarfile
1011
@@ -43,6 +44,10 @@
43 f.write(config_content)44 f.write(config_content)
4445
4546
47def create_user(service_name):
48 adduser('acw-worker')
49
50
46def install_adt_uci_nova(service_name):51def install_adt_uci_nova(service_name):
47 hookenv.log('Attempting to install "uci-nova" autopkgtest ssh-setup ...')52 hookenv.log('Attempting to install "uci-nova" autopkgtest ssh-setup ...')
48 shutil.copy2(53 shutil.copy2(
4954
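Review bot: create_user calls charmhelpers' adduser with its defaults, which give acw-worker a login shell and a home directory; this account exists only to run the worker, so pass system_user=True (and a non-login shell, if the charmhelpers version in use accepts the shell= argument), e.g. `adduser('acw-worker', shell='/usr/sbin/nologin', system_user=True)`, so it is created as a system account. The username is also hard-coded here and again in templates/upstart.conf; keep it in one constant that is passed into the template context so the two cannot drift. The service_name argument is unused, which is fine for the services-framework call signature, but a one-line comment saying so would save the next reader a search.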
=== modified file 'hooks/services.py'
--- hooks/services.py 2015-03-12 15:33:33 +0000
+++ hooks/services.py 2015-03-12 18:32:51 +0000
@@ -18,6 +18,7 @@
18 actions.get_cloud_worker_from_tarball,18 actions.get_cloud_worker_from_tarball,
19 actions.install_python_packages,19 actions.install_python_packages,
20 actions.get_config_file,20 actions.get_config_file,
21 actions.create_user,
21 actions.install_adt_uci_nova,22 actions.install_adt_uci_nova,
22 helpers.render_template(23 helpers.render_template(
23 source='upstart.conf',24 source='upstart.conf',
2425
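Review bot: create_user is placed after get_config_file in this list, so the config file written in actions.py (the f.write(config_content) context in the previous hunk) is created by the root install path before acw-worker exists, while the worker now runs as acw-worker and must be able to read it. Check the mode that get_config_file leaves on it: if it is written 0600 as root the worker will fail to open it, and if it carries credentials it should be owned by acw-worker (or group-readable by it) with 0640 rather than world-readable. Moving create_user ahead of get_config_file would let the file be chowned as it is written.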
=== modified file 'templates/upstart.conf'
--- templates/upstart.conf 2015-03-05 01:09:53 +0000
+++ templates/upstart.conf 2015-03-12 18:32:51 +0000
@@ -15,8 +15,8 @@
1515
16script16script
1717
18 mkdir -p ${SERVICE_DIR}/logs18 install -d -o acw-worker ${SERVICE_DIR}/logs
19 chdir ${SERVICE_DIR}19 chdir ${SERVICE_DIR}
20 exec ./ve/bin/python3 adt-cloud-worker.py >> logs/adt-cloud-worker.log 2>&120 exec sudo -u acw-worker sh -c "./ve/bin/python3 adt-cloud-worker.py >> logs/adt-cloud-worker.log 2>&1"
2121
22end script22end script
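Review bot: the upstart hunk breaks upgrades of existing units: the old script created ${SERVICE_DIR}/logs and logs/adt-cloud-worker.log as root, and `install -d -o acw-worker` only sets ownership on the directory, so an existing root-owned log file is not appendable by acw-worker and the redirect inside sh -c will fail before the worker starts. Chown the existing log file (or the logs directory recursively) in the script, or rotate it, before the exec. Two further caveats on `exec sudo -u acw-worker sh -c "..."`: sudo's default env_reset drops the job's environment, so any variables the worker relies on (proxy settings, anything set with an env stanza) must be passed explicitly or with -E, and upstart tracks sudo rather than the python process as the job's pid. Where the target upstart supports it, a `setuid acw-worker` job stanza (with a matching `setgid`) does the privilege drop and keeps pid tracking correct without sudo or the sh -c wrapper, which is the alternative to sudo -u raised in the review discussion above.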
