#1076 docker: run copr-backend services as copr:copr
Merged 4 years ago by frostyx. Opened 4 years ago by frostyx.

file modified
+2 -2
@@ -25,10 +25,10 @@ 

  

      command = "{} -v {}".format(ansible_playbook_bin, args)

      try:

-         log.info("{}: begin: {}".format(comment, command))

+         log.info("%s: begin: %s", comment, command)

          result = subprocess.check_output(command, shell=True, stderr=subprocess.STDOUT, encoding="utf-8")

      except CalledProcessError as e:

-         log.info("CalledProcessError: {}".format(e.output))

+         log.info("CalledProcessError: %s", e.output)

          raise

  

      log.debug(comment + ": end")
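Review bot: `log.debug(comment + ": end")` on the last line of the hunk still builds its message eagerly while the two lines this commit touches switch to lazy `%s` arguments, so the same function now mixes both logging styles; for consistency change it to `log.debug("%s: end", comment)`. The enclosing function starts before the hunk, so any other `format()`-style log calls in it are not visible here.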

@@ -31,7 +31,7 @@ 

  

      err_msg = None

      try:

-         conn = SSHConnection(opts.build_user or "root", vm_ip)

+         conn = SSHConnection(opts.build_user or "root", vm_ip, config_file=opts.ssh.builder_config)

          rc, stdout, _ = conn.run_expensive("echo hello")

          if rc != 0 or stdout != "hello\n":

              err_msg = "Unexpected check output"

file modified
+9 -4
@@ -79,11 +79,16 @@ 

  # copy filesystem setup and setup ownership and permissions

  COPY docker/backend/files/ /

  RUN chmod 700 /root && \

-     chmod 400 /root/.ssh/id_rsa && \

      chmod 700 /home/copr && \

-     chown copr:copr /home/copr

+     chmod 400 /home/copr/.ssh/id_rsa && \

+     chmod 600 /home/copr/.ssh/id_rsa.pub && \

+     chown -R copr:copr /home/copr

+ 

+ # copr user needs permissions for /bin/sign

+ RUN gpasswd -a copr obsrun

+ 

+ # copr user needs permissions to create lock files

+ RUN chmod o+w /var/lock

  

- # fix permissions for .ssh

- RUN chmod 700 /root/.ssh

  

  CMD ["/bin/run.sh"]
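Review bot: `RUN chmod o+w /var/lock` near the end of the hunk makes the whole lock directory world-writable without the sticky bit, so any account in the container can remove or replace lock files belonging to another service; the narrower fix is a directory owned by copr, e.g. `RUN install -d -o copr -g copr /var/lock/copr` if the backend's lock path can be pointed there, or at least `RUN chmod 1777 /var/lock` so only a file's owner can unlink it. The removed `chmod 700 /root/.ssh` has no counterpart for the new home: the RUN chain sets modes on the two key files and `chown -R`s `/home/copr`, but the `.ssh` directory itself and `builder_config` keep whatever mode COPY gave them, so `chmod 700 /home/copr/.ssh` belongs in the chain. `chmod 600` on `id_rsa.pub` is harmless but unnecessary; a public key is conventionally 644.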

@@ -1,93 +0,0 @@ 

- # config file for ansible -- http://ansible.github.com

- # nearly all parameters can be overridden in ansible-playbook or with command line flags

- # ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first

- 

- [defaults]

- 

- # location of inventory file, eliminates need to specify -i

- 

- hostfile = /root/provision/inventory

- 

- # location of ansible library, eliminates need to specify --module-path

- 

- library = /root/provision/library:/usr/share/ansible

- 

- # default module name used in /usr/bin/ansible when -m is not specified

- 

- module_name = command

- 

- # home directory where temp files are stored on remote systems.  Should

- # almost always contain $HOME or be a directory writeable by all users

- 

- #remote_tmp = $HOME/.ansible/tmp

- remote_tmp = /tmp

- 

- # the default pattern for ansible-playbooks ("hosts:")

- 

- pattern = *

- 

- # the default number of forks (parallelism) to be used.  Usually you

- # can crank this up.

- 

- forks=25

- 

- # the timeout used by various connection types.  Usually this corresponds

- # to an SSH timeout

- 

- timeout=10

- 

- # when using --poll or "poll:" in an ansible playbook, and not specifying

- # an explicit poll interval, use this interval

- 

- poll_interval=15

- 

- # when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook,

- # and not specifying "--sudo-user" or "sudo_user" respectively, sudo

- # to this user account

- 

- sudo_user=root

- 

- # connection to use when -c <connection_type> is not specified

- 

- #transport=paramiko

- transport=ssh

- #transport=smart

- 

- # this is needed for paramiko, ssh already have this said in .ssh/config

- host_key_checking = False

- 

- # remote SSH port to be used when --port or "port:" or an equivalent inventory

- # variable is not specified.

- 

- remote_port=22

- 

- # if set, always run /usr/bin/ansible commands as this user, and assume this value

- # if "user:" is not set in a playbook.  If not set, use the current Unix user

- # as the default

- 

- remote_user=root

- 

- # if set, always use this private key file for authentication, same as if passing

- # --private-key-file to ansible or ansible-playbook

- 

- #private_key_file=/path/to/file

- 

- 

- # additional plugin paths for non-core plugins

- 

- action_plugins=/usr/lib/python2.7/site-packages/ansible/runner/action_plugins:/root/provision/action_plugins/

- 

- private_key_file=/root/.ssh/id_rsa

- 

- [paramiko_connection]

- record_host_keys=False

- 

- # nothing to configure yet

- 

- [ssh_connection]

- 

- # if uncommented, sets the ansible ssh arguments to the following.  Leaving off ControlPersist

- # will result in poor performance, so use transport=paramiko on older platforms rather than

- # removing it

- 

- ssh_args=-o PasswordAuthentication=no -o ControlMaster=auto -o ControlPersist=60s

@@ -1,1 +0,0 @@ 

- builder

@@ -48,8 +48,8 @@ 

  #   group0_max_workers=8

  group0_name=dockergroup

  group0_archs=i386,x86_64

- group0_spawn_playbook=/root/provision/spawn_local.yml

- group0_terminate_playbook=/root/provision/terminate_local.yml

+ group0_spawn_playbook=/home/copr/provision/spawn_local.yml

+ group0_terminate_playbook=/home/copr/provision/terminate_local.yml

  group0_max_workers=1

  group0_max_vm_total=1

  
@@ -101,4 +101,4 @@ 

  builder_perl=True

  

  [ssh]

- builder_config=/root/.ssh/builder_config

+ builder_config=/home/copr/.ssh/builder_config

@@ -133,42 +133,42 @@ 

  

  [program:signd]

  command=/usr/sbin/signd

- user=root

- group=root

+ user=copr

+ group=copr

  

  [program:copr-backend-log]

  command=/usr/bin/copr_run_logger.py

- user=root

- group=root

- environment=PYTHONPATH="/usr/share/copr/"

+ user=copr

+ group=copr

+ environment=PYTHONPATH="/usr/share/copr/",HOME=/home/copr

  priority=901

  

  [program:copr-backend-vmm]

  command=/usr/bin/copr_run_vmm.py

- user=root

- group=root

- environment=PYTHONPATH="/usr/share/copr/"

+ user=copr

+ group=copr

+ environment=PYTHONPATH="/usr/share/copr/",HOME=/home/copr

  priority=902

  

  [program:copr-backend-build]

  command=/usr/bin/copr_run_build_dispatcher.py

- user=root

- group=root

- environment=PYTHONPATH="/usr/share/copr/"

+ user=copr

+ group=copr

+ environment=PYTHONPATH="/usr/share/copr/",HOME=/home/copr

  priority=903

  

  [program:copr-backend-action]

  command=/usr/bin/copr_run_action_dispatcher.py

- user=root

- group=root

- environment=PYTHONPATH="/usr/share/copr/"

+ user=copr

+ group=copr

+ environment=PYTHONPATH="/usr/share/copr/",HOME=/home/copr

  priority=904

  

  [program:copr-backend]

- command=/usr/bin/copr_be.py -u root -g root

- user=root

- group=root

- environment=PYTHONPATH="/usr/share/copr/"

+ command=/usr/bin/copr_be.py -u copr -g copr

+ user=copr

+ group=copr

+ environment=PYTHONPATH="/usr/share/copr/",HOME=/home/copr

  priority=903

  

  [include]
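Review bot: `[program:signd]` at the top of the hunk is switched to `user=copr`/`group=copr` but, unlike the five copr-backend programs below it, gets no `environment=...,HOME=/home/copr`; as far as I recall supervisord does not rewrite HOME when it switches user, so if signd locates its gpg home through HOME it will presumably still look under root's home after this change — either add the same HOME setting or confirm it is not needed. The `group=copr` entries set only the primary group; the `obsrun` membership the Dockerfile adds with gpasswd is a supplementary group and only takes effect if the supervisord version in the image initialises supplementary groups when dropping privileges, which is worth verifying against the image. The `-u copr -g copr` on the copr_be.py command line duplicates the supervisord `user=`/`group=` settings; a one-line comment such as `; keep -u/-g in sync with user=/group= below` would make that coupling explicit.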

@@ -6,7 +6,7 @@ 

  

  # location of inventory file, eliminates need to specify -i

  

- hostfile = /home/copr/provision/inventory

+ inventory = /home/copr/provision/inventory

  

  # location of ansible library, eliminates need to specify --module-path

  
@@ -79,6 +79,8 @@ 

  

  private_key_file=/home/copr/.ssh/id_rsa

  

+ gather_subset = !hardware

+ 

  [paramiko_connection]

  record_host_keys=False

  

docker/backend/files/home/copr/.ssh/builder_config docker/backend/files/root/.ssh/builder_config
file renamed
file was moved with no change to the file
docker/backend/files/home/copr/.ssh/id_rsa docker/backend/files/root/.ssh/id_rsa
file renamed
file was moved with no change to the file
docker/backend/files/home/copr/.ssh/id_rsa.pub docker/backend/files/root/.ssh/id_rsa.pub
file renamed
file was moved with no change to the file
docker/backend/files/home/copr/provision/inventory docker/backend/files/root/provision/inventory
file renamed
file was moved with no change to the file
docker/backend/files/home/copr/provision/spawn_local.yml docker/backend/files/root/provision/spawn_local.yml
file renamed
file was moved with no change to the file
docker/backend/files/home/copr/provision/terminate_local.yml docker/backend/files/root/provision/terminate_local.yml
file renamed
file was moved with no change to the file
@@ -1,95 +0,0 @@ 

- # config file for ansible -- http://ansible.github.com

- # nearly all parameters can be overridden in ansible-playbook or with command line flags

- # ansible will read ~/.ansible.cfg or /etc/ansible/ansible.cfg, whichever it finds first

- 

- [defaults]

- 

- # location of inventory file, eliminates need to specify -i

- 

- hostfile = /root/provision/inventory

- 

- # location of ansible library, eliminates need to specify --module-path

- 

- library = /root/provision/library:/usr/share/ansible

- 

- # default module name used in /usr/bin/ansible when -m is not specified

- 

- module_name = command

- 

- # home directory where temp files are stored on remote systems.  Should

- # almost always contain $HOME or be a directory writeable by all users

- 

- #remote_tmp = $HOME/.ansible/tmp

- remote_tmp = /tmp

- 

- # the default pattern for ansible-playbooks ("hosts:")

- 

- pattern = *

- 

- # the default number of forks (parallelism) to be used.  Usually you

- # can crank this up.

- 

- forks=25

- 

- # the timeout used by various connection types.  Usually this corresponds

- # to an SSH timeout

- 

- timeout=10

- 

- # when using --poll or "poll:" in an ansible playbook, and not specifying

- # an explicit poll interval, use this interval

- 

- poll_interval=15

- 

- # when specifying --sudo to /usr/bin/ansible or "sudo:" in a playbook,

- # and not specifying "--sudo-user" or "sudo_user" respectively, sudo

- # to this user account

- 

- sudo_user=root

- 

- # connection to use when -c <connection_type> is not specified

- 

- #transport=paramiko

- transport=ssh

- #transport=smart

- 

- # this is needed for paramiko, ssh already have this said in .ssh/config

- host_key_checking = False

- 

- # remote SSH port to be used when --port or "port:" or an equivalent inventory

- # variable is not specified.

- 

- remote_port=22

- 

- # if set, always run /usr/bin/ansible commands as this user, and assume this value

- # if "user:" is not set in a playbook.  If not set, use the current Unix user

- # as the default

- 

- remote_user=root

- 

- # if set, always use this private key file for authentication, same as if passing

- # --private-key-file to ansible or ansible-playbook

- 

- #private_key_file=/path/to/file

- 

- 

- # additional plugin paths for non-core plugins

- 

- action_plugins=/usr/lib/python2.7/site-packages/ansible/runner/action_plugins:/root/provision/action_plugins/

- 

- private_key_file=/root/.ssh/id_rsa

- 

- gather_subset = !hardware

- 

- [paramiko_connection]

- record_host_keys=False

- 

- # nothing to configure yet

- 

- [ssh_connection]

- 

- # if uncommented, sets the ansible ssh arguments to the following.  Leaving off ControlPersist

- # will result in poor performance, so use transport=paramiko on older platforms rather than

- # removing it

- 

- ssh_args=-o PasswordAuthentication=no -o ControlMaster=auto -o ControlPersist=60s

file modified
+1 -1
@@ -35,7 +35,7 @@ 

  

  COPY . /copr

  COPY docker/builder/files/ /

- COPY docker/backend/files/root/.ssh/id_rsa.pub /root/.ssh/id_backend.pub

+ COPY docker/backend/files/home/copr/.ssh/id_rsa.pub /root/.ssh/id_backend.pub

  

  # needed to run sshd

  RUN ssh-keygen -f /etc/ssh/ssh_host_rsa_key -N '' -q

There is no reason for running copr-backend services as root:root in the docker-compose environment (except that it was easier to implement). However, at this point, we need to change this because we forbid running /usr/bin/copr-backend-process-action as root.

With this change, I am now unable to build the builder container:

ERROR: Service 'builder' failed to build: lstat docker/backend/files/root/.ssh/id_rsa.pub: no such file or directory

4 new commits added

  • docker: delete unnecessary ansible configs from /root and /etc
  • docker: run copr-backend services as copr:copr
  • backend: fix logger arguments
  • backend: use the expected ssh config
4 years ago

With this change, I am now unable to build the builder container:

Good catch, thank you! Fixed.

+1, it's working for me now.

rebased onto 7ec5ac7

4 years ago

Pull-Request has been merged by frostyx

4 years ago