Canonical Juju

juju run is inconsistent as who the commands run as

Bug #1881491 reported by James Troup
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical Juju
Triaged
Low
Unassigned

Bug Description

juju run --help (2.7.6-bionic-amd64) says this:

  If the target is a machine, the command is run as the "root" user on
  the remote machine.

However this appears to be the almost exact opposite of what actually happens:

 * --application => root
 * --unit => root
 * --machine => ubuntu
 * --all => ubuntu

At an absolute minimum, the documentation must match reality. After that, I think it may be
worth reviewing why these run as different users and whether the principle-of-least-surprise violation
is worth whatever the perceived gain is.

Revision history for this message
Ian Booth (wallyworld) wrote :

Interestingly, the help doc was changed back in 2017

https://github.com/juju/juju/pull/7090

due to this bug being raised

https://bugs.launchpad.net/juju/+bug/1628593

So it seems at one point juju run was executing as "ubuntu", then switched to "root".

And now for machines it is "ubuntu" again.

IMO running as an unprivileged user is better and you can always sudo if needed.

There's also been a few discussions/bugs about people not liking the "ubuntu" user

eg https://discourse.juju.is/t/ubuntu-w-o-the-ubuntu-user/271

One request was for there to be a "juju" user instead.

Changed in juju:
milestone: none → 2.8.1
status: New → Triaged
importance: Undecided → High
Ian Booth (wallyworld)
Changed in juju:
milestone: 2.8.1 → 2.8.2
Revision history for this message
Ian Booth (wallyworld) wrote :

https://github.com/juju/juju/pull/11915 fixes the help text.

Will move the bug to 2.9 so we can look at fixing who the commands run as.

Changed in juju:
milestone: 2.8.2 → 2.9-beta1
summary: - juju run --help is dangerously misleading about who commands run as
+ juju run is inconsistent as who the commands run as
Canonical Juju QA Bot (juju-qa-bot)
Changed in juju:
milestone: 2.9-beta1 → 2.9-rc1
Revision history for this message
Pen Gale (pengale) wrote :

This reflects how the agents work. The unit agent runs as root, and we therefore must run as root, in order to be able to access the hook context. This applies to the --application flag as well. Other commands run more conservatively as the ubuntu user. Help docs have been updated to reflect this.

Changed in juju:
importance: High → Low
milestone: 2.9-rc1 → none
Revision history for this message
John A Meinel (jameinel) wrote :

--application means 'all units of this application'. --unit is a single unit of the application. --all means 'all machines' and --machine means 'just this machine'.

Revision history for this message
Canonical Juju QA Bot (juju-qa-bot) wrote :

This bug has not been updated in 2 years, so we're marking it Low importance. If you believe this is incorrect, please update the importance.

tags: added: expirebugs-bot
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.