Merge lp:~tribaal/ubuntu-repository-cache/run-cron-as-root into lp:~tribaal/ubuntu-repository-cache/trunk

Proposed by Chris Glass
Status: Merged
Merged at revision: 242
Proposed branch: lp:~tribaal/ubuntu-repository-cache/run-cron-as-root
Merge into: lp:~tribaal/ubuntu-repository-cache/trunk
Diff against target: 9 lines (+1/-1)
1 file modified
templates/cron/ubuntu-repository-cache_rsync.cron (+1/-1)
To merge this branch: bzr merge lp:~tribaal/ubuntu-repository-cache/run-cron-as-root
Reviewer Review Type Date Requested Status
Francis Ginther (community) Approve
Chris Glass Abstain
Review via email: mp+325996@code.launchpad.net

Description of the change

This branch lets the sync cron run as root, since juju-run is now a privileged operation.

This juju bug (https://bugs.launchpad.net/juju/+bug/1682411) made juju-run a privileged operation, therefore "dropping" to the www-sync user doesn't work anymore. Note that because of that very bug we didn't actually drop privileges anyway before: we called the code as www-sync but then were given root privileges by juju anyway - unknowingly exploiting a security problem - so this patch shouldn't actually change behavior.

Francis Ginther (fginther) wrote :

The crontab format requires a user argument.

review: Needs Fixing
243. By Chris Glass

Added "root" user... crontab and /etc/cron.d have slightly different syntaxes!

Chris Glass (tribaal) :
review: Abstain
Francis Ginther (fginther) wrote :

Cron command will run as root now, approve.

review: Approve

Preview Diff

1=== modified file 'templates/cron/ubuntu-repository-cache_rsync.cron'
2--- templates/cron/ubuntu-repository-cache_rsync.cron 2017-04-04 12:12:06 +0000
3+++ templates/cron/ubuntu-repository-cache_rsync.cron 2017-06-20 12:42:17 +0000
4@@ -7,5 +7,5 @@
5 MIRROR_SERIES={{ MirrorSeries }}
6 # This cronjob will make the leader sync its view of the metadata with upstream
7 # It will then trigger a juju-run to let its peers synchronise.
8-{{ Minutes }} * * * * www-sync python3 -m ubuntu_repository_cache.metadata_sync
9+{{ Minutes }} * * * * root python3 -m ubuntu_repository_cache.metadata_sync
10
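
Review bot: The new entry on line 9 runs the whole of ubuntu_repository_cache.metadata_sync as root, but the comment on lines 6-7 describes two separate steps: syncing metadata with upstream, then triggering juju-run. Only the second step is the one the description names as privileged, so the part that processes data fetched from upstream now runs with more privilege than it needs. Consider keeping the cron entry as root but having the module do the upstream sync as www-sync and use root only for the juju-run trigger. At minimum, extend the comment above the entry to record that the user field is root because juju-run requires it, so a later cleanup does not switch it back to www-sync and silently break the peer sync.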
