Some jobs cannot run as root
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
lpci | Fix Released | Low | Simone Pelosi |
Bug Description
lpcraft runs jobs as root inside the container. However, there are some reasonable jobs that call code that refuses to run as root. For example, test suites that use a local PostgreSQL instance (e.g. lp-signing) call `initdb`, which fails with an error if run as root. This requires fairly horrible workarounds like this:
    run: |
      # PostgreSQL's initdb refuses to run as root, so drop privileges
      # for the test.
      getent passwd lp-signing-test >/dev/null || useradd -m -U lp-signing-test
      cleanup () { rm -rf "$tmpdir"; }
      trap cleanup EXIT
      cp -a . "$tmpdir/
      chown -R lp-signing-
      runuser -u lp-signing-test -- ...
I'm not entirely sure what the best solution is; we may need to try out a few alternatives. One reasonable approach might be something like a `user` key which would ensure that that user exists, arrange for the project tree to be owned by that user (note that it's currently under `/root`, and other users can't see subdirectories of that ...), and drop privileges to that user. There may be other approaches. Note that the username can matter; for example, when testing this, I found that lp-signing's test suite specifically fails if run as an "lp-signing" user, because it wants to create a PostgreSQL role by that name which then conflicts with an automatically-
We could also consider not running as root by default, though perhaps that's more trouble than it's worth since there may already be some jobs that rely on being able to programmatically fiddle with their environment as root in `run` - I don't know.
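A sketch of the three steps the proposed `user` key would have to perform (ensure the user exists, give it a readable copy of the project tree, drop privileges), as an added example rather than lpci's own code or the reporter's workaround. The function name `privilege_drop_script`, the user-name pattern and the use of `mktemp -d` are assumptions of this example; the user name is validated before it reaches `useradd` or `runuser` because it comes from job configuration.

```python
import re
import shlex

# Conservative login-name rule (an assumption of this example): it rejects
# names that start with "-" (option injection) and shell metacharacters.
_USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")


def privilege_drop_script(user, project_dir, command):
    """Return a shell script, meant to be run as root, that runs `command`
    as `user` inside a private copy of `project_dir`."""
    if not _USER_RE.fullmatch(user):
        raise ValueError(f"invalid user name: {user!r}")
    if user == "root":
        raise ValueError("refusing to 'drop' privileges to root")
    if not command:
        raise ValueError("empty command")
    u = shlex.quote(user)
    src = shlex.quote(project_dir)
    cmd = " ".join(shlex.quote(arg) for arg in command)
    return "\n".join([
        "set -eu",
        # Step 1: make sure the unprivileged user exists.
        f"getent passwd {u} >/dev/null || useradd -m -U {u}",
        # Step 2: copy the tree out of root's home into a directory the
        # user can read (mktemp -d creates it with mode 0700).
        'tmpdir="$(mktemp -d)"',
        'cleanup () { rm -rf "$tmpdir"; }',
        "trap cleanup EXIT",
        f'cp -a {src}/. "$tmpdir/"',
        # "user:" (GNU chown) also sets the group to the user's login group.
        f'chown -R {u}: "$tmpdir"',
        'cd "$tmpdir"',
        # Step 3: drop privileges for the command itself.
        f"runuser -u {u} -- {cmd}",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed sample input: the user name from the report, a made-up command.
    print(privilege_drop_script("lp-signing-test", ".", ["tox", "-e", "py3"]))
```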
Related branches
- Colin Watson (community): Approve
Diff: 481 lines (+308/-3), 11 files modified
NEWS.rst (+2/-0)
docs/configuration.rst (+6/-0)
lpci/commands/run.py (+11/-0)
lpci/commands/tests/test_run.py (+49/-0)
lpci/config.py (+11/-0)
lpci/env.py (+4/-0)
lpci/providers/_base.py (+1/-0)
lpci/providers/_lxd.py (+34/-0)
lpci/providers/tests/test_lxd.py (+144/-3)
lpci/tests/test_config.py (+43/-0)
lpci/tests/test_env.py (+3/-0)
Changed in lpcraft:
status: New → Triaged
importance: Undecided → Low
Changed in lpci:
assignee: nobody → Simone Pelosi (pelpsi)
status: Triaged → In Progress
Changed in lpci:
status: In Progress → Fix Committed
Changed in lpci:
status: Fix Committed → Fix Released
https://code.launchpad.net/~cjwatson/lpci/+git/lpci/+merge/429388 makes a small start at this, by at least making the project tree be in a place where non-root users can see it.