Packaging concerns for dropping privileges #1851

Open
bbockelm opened this issue Dec 23, 2024 · 3 comments

@bbockelm
Collaborator

bbockelm commented Dec 23, 2024

The drop privileges code in #1850 adds a new component, xrdhttp-pelican, to function. This new plugin will take a message from the parent process (via a Unix socket) and do one of three things:

  1. If the parent dies unexpectedly (closing the socket), send a SIGTERM to itself.
  2. If the parent instructs it to send a signal, send the specified signal to itself. This will be used for pelican to forward signals to xrootd.
  3. If the parent sends a file descriptor, overwrite the current TLS certificates with the one provided by the parent. This allows pelican to update xrootd's host certificates while running (since, after dropping privileges, it cannot arbitrarily overwrite things as root).

This ticket covers the packaging / infrastructure needs for the dropping privileges code to work. We need:

  1. Package and ship xrdhttp-pelican as part of the osg-testing repository so we can refer to it from images/Dockerfile and friends. The draft PR in Drop privileges to user pelican if requested #1850 does a build in the container but I think RPM is clearly preferred.
  2. (Create pelican user and appropriate directories in RPM packaging #1860) To tweak the pelican RPMs generated by goreleaser to create the pelican user as a system daemon user.
  3. (Create pelican user and appropriate directories in RPM packaging #1860) Tweak the ownership of directories in the created RPM. Any directory that Pelican is expected to write to during runtime must be owned by the new pelican user. Off the top of my head, this includes:
    • The Prometheus database (/var/lib/pelican/monitoring).
    • The various configuration and stateful SQLite databases (/var/lib/pelican).
    • The webconfig file. NOTE: we might want to default this into a different location since it's currently in /etc/pelican; probably will need to change to /etc/pelican/web-config/web-config.yaml. Can defer for now.
    • Shoveler queue directory, /var/spool/pelican.

The code in #1850 will take care of the permissions necessary in /run/pelican.

@bbockelm bbockelm added enhancement New feature or request infrastructure GitHub Actions, Release management, and CI cache Issue relating to the cache component origin Issue relating to the origin component director Issue relating to the director component registry Issue relating to the registry component container labels Dec 23, 2024
@bbockelm bbockelm added this to the v7.13.0 milestone Dec 23, 2024
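
An added sketch (not code from #1850 or xrdhttp-pelican) of the child side of the Unix-socket channel described in the opening comment: it maps each of the three cases to an action and replaces the certificate from a passed descriptor by writing a new file and renaming it over the old one. The 2-byte frame layout, the `Step` function, the 1 MiB read bound and the `.new` suffix are assumptions, since the real wire format is not given on this page, and the sketch returns the action instead of actually signalling itself.

```go
package main
import (
	"fmt"
	"io"
	"os"
	"syscall"
)

// Step is the unprivileged child's side: read one frame, return the action.
// Assumed frames: {'S', signo}, or {'C', 0} carrying one fd via SCM_RIGHTS.
func Step(sock int, certPath string) (string, error) {
	buf, oob := make([]byte, 2), make([]byte, syscall.CmsgSpace(4))
	n, oobn, _, _, err := syscall.Recvmsg(sock, buf, oob, 0)
	switch {
	case err != nil:
		return "", err
	case n == 0: // EOF: the parent died or closed its end
		return "SIGTERM to self", nil
	case n == 2 && buf[0] == 'S':
		return fmt.Sprintf("signal %d to self", buf[1]), nil
	case n != 2 || buf[0] != 'C':
		return "", fmt.Errorf("malformed frame % x", buf[:n])
	}
	cmsgs, err := syscall.ParseSocketControlMessage(oob[:oobn])
	if err != nil || len(cmsgs) != 1 {
		return "", fmt.Errorf("cert frame needs one control message")
	}
	fds, err := syscall.ParseUnixRights(&cmsgs[0])
	if err != nil || len(fds) != 1 {
		return "", fmt.Errorf("cert frame needs one descriptor")
	}
	src := os.NewFile(uintptr(fds[0]), "cert-from-parent")
	defer src.Close()
	pem, err := io.ReadAll(io.LimitReader(src, 1<<20)) // bounded read
	if err == nil { // write beside the target, then rename atomically
		err = os.WriteFile(certPath+".new", pem, 0o600)
	}
	if err == nil {
		err = os.Rename(certPath+".new", certPath)
	}
	return "certificate replaced", err
}

func main() { // parent side, in-process: forward SIGHUP, then "die"
	sp, _ := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	syscall.Sendmsg(sp[0], []byte{'S', byte(syscall.SIGHUP)}, nil, nil, 0)
	syscall.Close(sp[0])
	fmt.Println(Step(sp[1], ""))
	fmt.Println(Step(sp[1], ""))
}
```

The parent attaches the descriptor with `syscall.UnixRights(fd)` as the out-of-band argument to `syscall.Sendmsg`; the child never needs write access to anything but the certificate's own directory.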
@matyasselmeci
Contributor

@bbockelm can you make a v0.0.3 tag in PelicanPlatform/xrdhttp-pelican? I need a tag to build it in Koji.

matyasselmeci added a commit to matyasselmeci/pelican that referenced this issue Dec 26, 2024
Part of PelicanPlatform#1851 ; this creates
a system user and group named `pelican`; it also pre-creates some directories
that Pelican won't be able to create after dropping privs to the `pelican`
user.
@matyasselmeci
Contributor

#1856 should take care of items 1 and 2

@matyasselmeci
Contributor
