Closed
Bug 1199379
Opened 9 years ago
Closed 8 years ago
TC jobs are all running as root (need option to run as non-root)
Categories
(Taskcluster :: Workers, defect)
Taskcluster
Workers
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: dustin, Unassigned)
References
Details
(Whiteboard: [docker-worker])
Attachments
(1 file)
Running 'id' in the current image: https://tools.taskcluster.net/task-inspector/#GVKdGQcmT3KDBVtIIUQrHQ/0

uid=0(root) gid=0(root) groups=0(root)

So, yeah. This caused some particularly weird errors when running plugin-container on CentOS 6. I don't know how (or if, TBH) it worked on Ubuntu.
Comment 1•9 years ago (Reporter)
Bug 1199379: don't build as root, and verify r?ted
Attachment #8653660 - Flags: review?(ted)
Updated•9 years ago (Reporter)
Assignee: nobody → dustin
Comment 2•9 years ago
Comment on attachment 8653660 [details]
MozReview Request: Bug 1199379: drop root before beginning the build r?ted.mielczarek

https://reviewboard.mozilla.org/r/17479/#review15603

Good call!
Attachment #8653660 - Flags: review?(ted) → review+
Comment 3•9 years ago (Reporter)
Comment on attachment 8653660 [details]
MozReview Request: Bug 1199379: drop root before beginning the build r?ted.mielczarek

Bug 1199379: don't build as root, and verify r?ted.mielczarek
Attachment #8653660 - Attachment description: MozReview Request: Bug 1199379: don't build as root, and verify r?ted → MozReview Request: Bug 1199379: don't build as root, and verify r?ted.mielczarek
Comment 4•9 years ago (Reporter)
Actually, I'm going to hold off on this. It turns out that *everything* runs as root in TaskCluster, and caches don't work with non-root users. So the current setup builds stuff as root, which mostly works; if I land this patch, then nothing will work.
Comment 5•9 years ago (Reporter)
A workaround will be to have build-linux.sh chmod the relevant folders, then su - to worker and re-run itself. I'll see if I can make that work.
Keywords: leave-open
Comment 6•9 years ago
(In reply to Dustin J. Mitchell [:dustin] from comment #0)
> So, yeah. This caused some particularly weird errors when running
> plugin-container on CentOS 6. I don't know how (or if, TBH) it worked on
> Ubuntu.

We have an idea: /home/worker is mode 0700 in the CentOS image but mode 0755 in the Ubuntu image, and the root-owned plugin-container that had given up its superuser powers was treated as "other" in those permissions, so it broke on CentOS but would still work on Ubuntu.
Updated•9 years ago
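The permission behaviour described in comment 6, modelled as an added example (not part of the bug thread or the Taskcluster code). It assumes that /home/worker is owned by the worker user, that uid/gid 1000 stands in for that user, and that "given up its superuser powers" means the process kept uid 0 but dropped the capabilities that bypass file permission checks.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Process:
    uid: int                 # effective uid (Linux checks the fsuid, normally the same)
    gid: int
    groups: frozenset = frozenset()
    dac_bypass: bool = False  # holds CAP_DAC_OVERRIDE or CAP_DAC_READ_SEARCH

@dataclass(frozen=True)
class Directory:
    path: str
    owner_uid: int
    owner_gid: int
    mode: int

def permission_class(proc, d):
    """Select the one permission triplet that applies; the first match wins."""
    if proc.uid == d.owner_uid:
        return "owner"
    if proc.gid == d.owner_gid or d.owner_gid in proc.groups:
        return "group"
    return "other"

SEARCH_BIT = {"owner": stat.S_IXUSR, "group": stat.S_IXGRP, "other": stat.S_IXOTH}

def can_traverse(proc, d):
    """True if proc may look up entries inside directory d (the x bit)."""
    if proc.dac_bypass:
        return True  # privileged root skips the mode bits entirely
    return bool(d.mode & SEARCH_BIT[permission_class(proc, d)])

# Constructed sample values (assumptions, not taken from the images).
WORKER_UID = WORKER_GID = 1000
CENTOS_HOME = Directory("/home/worker", WORKER_UID, WORKER_GID, 0o700)
UBUNTU_HOME = Directory("/home/worker", WORKER_UID, WORKER_GID, 0o755)
FULL_ROOT = Process(uid=0, gid=0, dac_bypass=True)
DROPPED_ROOT = Process(uid=0, gid=0, dac_bypass=False)
WORKER = Process(uid=WORKER_UID, gid=WORKER_GID)

def report():
    """One row per (process, image): name, image, class used, traversal allowed."""
    procs = (("full root", FULL_ROOT), ("dropped root", DROPPED_ROOT), ("worker", WORKER))
    homes = (("centos", CENTOS_HOME), ("ubuntu", UBUNTU_HOME))
    return [(pn, hn, permission_class(p, h), can_traverse(p, h))
            for pn, p in procs for hn, h in homes]

if __name__ == "__main__":
    for row in report():
        print(row)
```
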
Comment 7•9 years ago (Reporter)
I'd rather not build as root, all other things being equal. So I think fixing that is the better solution, rather than convincing firefox to build and run as root. I'm about to put another review request up for that workaround. Sorry for the multiple review reqs!
Comment 8•9 years ago (Reporter)
Comment on attachment 8653660 [details]
MozReview Request: Bug 1199379: drop root before beginning the build r?ted.mielczarek

Bug 1199379: drop root before beginning the build r?ted.mielczarek

This requires doing some cleanup of permissions on the cache mounts first; eventually, this should be done by the docker-worker.
Attachment #8653660 - Attachment description: MozReview Request: Bug 1199379: don't build as root, and verify r?ted.mielczarek → MozReview Request: Bug 1199379: drop root before beginning the build r?ted.mielczarek
Updated•9 years ago (Reporter)
Attachment #8653660 - Flags: review+ → review?(ted)
Updated•9 years ago
Attachment #8653660 - Flags: review?(ted) → review+
Comment 9•9 years ago
Comment on attachment 8653660 [details]
MozReview Request: Bug 1199379: drop root before beginning the build r?ted.mielczarek

https://reviewboard.mozilla.org/r/17479/#review15851

Bummer that you have to leave all those FIXMEs in, but at least you have bugs on file.
Comment 10•9 years ago (Reporter)
With that landed, this no longer blocks bug 1189892, but needs a more complete solution.
Assignee: dustin → nobody
No longer blocks: 1189892
Updated•9 years ago (Reporter)
Component: General Automation → Docker-Worker
Product: Release Engineering → Taskcluster
QA Contact: catlee
Summary: TC jobs are all running as root → TC jobs are all running as root (need option to run as non-root)
Updated•9 years ago
Whiteboard: [docker-worker]
Updated•9 years ago
Component: Docker-Worker → Worker
Comment 13•8 years ago
I believe this has largely been solved by running as another user and chown-ing the workspace directories correctly. Reopen with comments if this has not been solved.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Comment 14•8 years ago (Reporter)
The idea was that we would not run tasks as root by default, but it really doesn't seem to be bothering anyone, so maybe we can just leave it as-is.
Comment 15•7 years ago
Removing leave-open keyword from resolved bugs, per :sylvestre.
Keywords: leave-open
Updated•6 years ago (Assignee)
Component: Worker → Workers