

PMM-12693 run grafana as non root (#2648)
* PMM-12693 Run grafana as non-root

* PMM-12693 rebuild grafana with new perms

* PMM-12693 remove sqlite migration

* PMM-12693 remove sqlite migration

* PMM-12693 revert some spec changes

* PMM-12693 check grafana logs

* PMM-12693 remove grafana-db-migrator

* PMM-12693 create grafana dir explicitly

* PMM-12693 fix with_items syntax

* PMM-12693 take ownership of /etc/grafana

* PMM-12693 try other options for /etc/grafana

* PMM-12693 try different permissions on /etc/grafana

* PMM-12693 remove grafana user

* PMM-12693 remove grafana user

* PMM-12693 set dir permissions for grafana-dashboards

* PMM-12693 do not install packages twice

* PMM-12693 remove CentOS 7 tasks

* PMM-12693 move grafana bootstrap to an earlier time

* PMM-12693 remove more CentOS 7 tasks

* PMM-12693 move clickhouse install back

* PMM-12693 do not upgrade sqlite

* PMM-12693 clean up the dashboards playbook

* PMM-12693 clean up the update playbook

* Update build/packages/rpm/server/SPECS/percona-dashboards.spec

Co-authored-by: Nurlan Moldomurov <[email protected]>

* PMM-12693 follow up on review

* PMM-12693 move the version copying out of dashboards_update

* PMM-12693 trigger the build

* PMM-12693 hackily start pmm-agent

* PMM-12693 check the status of services

* PMM-7 wait for container to get healthy

* PMM-7 debug: output grafana logs

* PMM-7 debug the ownership of /etc/grafana/grafana.ini

* PMM-7 change ownership of /etc/grafana to pmm

* PMM-7 change ownership of /srv/grafana to pmm

* PMM-7 cleanup the workflow

---------

Co-authored-by: Nurlan Moldomurov <[email protected]>
ademidoff and BupycHuk authored Dec 4, 2023
1 parent 2b250e6 commit 5d570ea
Showing 22 changed files with 158 additions and 889 deletions.
10 changes: 9 additions & 1 deletion .github/workflows/managed.yml
Expand Up @@ -78,7 +78,15 @@ jobs:
run: docker exec -i pmm-server git config --global --add safe.directory /root/go/src/github.com/percona/pmm

- name: Update binaries
run: docker exec -i pmm-server make run-managed-ci run-agent run-vmproxy
run: |
# We need to make this directory owned by pmm, since it's currently owned by the grafana user in the devcontainer.
# TODO: remove the line below after this PR is merged to v3.
docker exec -t pmm-server chown -R pmm:pmm /etc/grafana /srv/grafana
docker exec -i pmm-server make run-managed-ci run-agent run-vmproxy
- name: Check the status of components
run: |
docker exec -t pmm-server supervisorctl status || :
- name: Run tests
run: docker exec -i pmm-server make -C managed test-cover
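Review bot: The recursive `chown -R pmm:pmm /etc/grafana /srv/grafana` on the new run line gives the grafana process ownership of, and therefore write access to, its own configuration, which is more than running as non-root requires; unless something in the image rewrites /etc/grafana at runtime, `chown -R root:pmm /etc/grafana` with group read only (`chmod -R g+rX /etc/grafana`) and a separate `chown -R pmm:pmm /srv/grafana` keeps the config readable by pmm without letting a compromised service edit grafana.ini. The TODO above it says the line is temporary until the devcontainer image is rebuilt, so the comment should name the follow-up ticket rather than "this PR", which is no longer identifiable once merged. The added `supervisorctl status || :` step can never fail, so a component in FATAL or EXITED state only shows up in the log; if the step is meant as a gate, drop the `|| :` or fail on any non-RUNNING line in the output.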
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -20,7 +20,7 @@ env-update-image: ## Pull latest dev image

env-compose-up: env-update-image
COMPOSE_PROFILES=$(PROFILES) \
docker compose up --detach --renew-anon-volumes --remove-orphans
docker compose up --detach --renew-anon-volumes --remove-orphans --wait --wait-timeout 100

env-devcontainer:
docker exec -it --workdir=/root/go/src/github.com/percona/pmm pmm-server .devcontainer/setup.py
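Review bot: `--wait-timeout 100` on the rebuilt `docker compose up` line is an unlabelled number of seconds that, unlike `PROFILES` on the line above, cannot be overridden from the environment; a variable next to the other settings, `COMPOSE_WAIT_TIMEOUT ?= 100`, used as `--wait --wait-timeout $(COMPOSE_WAIT_TIMEOUT)`, keeps CI and local runs tunable. As far as I recall `--wait` only blocks on services that define a healthcheck and treats the rest as ready once running, so a one-line comment above the target saying the wait covers only health-checked services would stop readers from assuming every container is usable when the target returns.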
50 changes: 15 additions & 35 deletions build/ansible/pmm/post-build-actions.yml
Expand Up @@ -71,36 +71,25 @@
--server-address=127.0.0.1:443
--server-insecure-tls
- name: Reread supervisord configuration EL7
when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
command: supervisorctl reread
register: reread_result
changed_when: "'No config updates to processes' not in reread_result.stdout"

- name: Reread supervisord configuration EL9
when: (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version == '9'
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
command: /usr/local/bin/supervisorctl reread
register: reread_result
changed_when: "'No config updates to processes' not in reread_result.stdout"

- name: See what services are running
debug: var=reread_result.stdout_lines

- name: Stop pmm-managed before deleting the database EL7
when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
supervisorctl:
name: pmm-managed
state: stopped
ignore_errors: True

- name: Stop pmm-managed before deleting the database EL9
when: (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version == '9'
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
supervisorctl:
name: pmm-managed
state: stopped
supervisorctl_path: /usr/local/bin/supervisorctl
# become: true
# ignore_errors: True

- name: Supervisord stop | Stop supervisord service for AMI/OVF
when: ansible_virtualization_type != "docker"
Expand Down Expand Up @@ -128,16 +117,10 @@
ignore_errors: yes
when: ansible_virtualization_type != "docker"

- name: Remove pmm-managed database EL7
when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
postgresql_db:
login_user: postgres
name: pmm-managed
state: absent
register: db_check_result

- name: Remove pmm-managed database EL9
when: (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version == '9'
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
postgresql_db:
login_user: postgres
name: pmm-managed
Expand All @@ -150,7 +133,6 @@
msg: "pmm-managed database was removed"
when: db_check_result.changed == True


- name: Remove pmm-managed role from postgres
postgresql_user:
name: pmm-managed
Expand All @@ -167,10 +149,6 @@
when: ansible_virtualization_type != "docker"
service: name=supervisord state=stopped enabled=yes

- name: Supervisord stop EL7 | Stop supervisord service for docker
when: ansible_virtualization_type == "docker" and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
shell: supervisorctl shutdown

- name: Supervisord stop EL9 | Stop supervisord service for docker
when: ansible_virtualization_type == "docker" and (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version == '9'
shell: /usr/local/bin/supervisorctl shutdown
Expand All @@ -180,8 +158,10 @@

# "yum clean all" function will only remove cache from configured yum repositories
# Details: https://bugzilla.redhat.com/show_bug.cgi?id=1357083
- name: Remove yum cache | Remove yum cache dir
command: rm -rf /var/cache/yum
- name: Cleanup yum cache
file:
state: absent
path: /var/cache/yum

- name: Post-build cleanup | Cleanup build logs and data
file: path={{ item }} state=absent
Expand All @@ -207,7 +187,7 @@
path: /srv/victoriametrics
owner: pmm
group: pmm
mode: '0775'
mode: 0775
with_items:
- absent
- directory
Expand All @@ -218,4 +198,4 @@
state: directory
owner: pmm
group: pmm
mode: "0775"
mode: 0775
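Review bot: The last two hunks replace the quoted modes `'0775'` and `"0775"` with bare `0775`, which only works because the YAML 1.1 loader Ansible uses reads a leading-zero integer as octal; a YAML 1.2 loader reads it as decimal 775, and yamllint's `octal-values` rule flags the form when enabled, so the quoted `mode: "0775"` the old lines had is the safer spelling in both places. In the EL9 stop task of the first hunk, `# become: true` and `# ignore_errors: True` are left behind as commented-out module options; since dropping `ignore_errors` now makes a failure to stop pmm-managed abort the play, either delete the two lines or replace them with a comment stating why the stop must be fatal here. The enclosing task lists continue outside these hunks.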
35 changes: 0 additions & 35 deletions build/ansible/roles/ami-ovf/tasks/main.yml
Expand Up @@ -7,18 +7,6 @@
- name: Packages | Clean up yum metadata
command: yum clean metadata

- name: Packages | Add PMM3 Server release repository for EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
yum_repository:
name: pmm-server
description: PMM Server YUM repository - x86_64
baseurl: https://repo.percona.com/pmm3-components/yum/experimental/7/RPMS/x86_64/
gpgcheck: yes
enabled: yes
gpgkey: file:///etc/pki/rpm-gpg/PERCONA-PACKAGING-KEY

- name: Packages | Add PMM3 Server release repository for EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
Expand All @@ -31,14 +19,6 @@
enabled: yes
gpgkey: file:///etc/pki/rpm-gpg/PERCONA-PACKAGING-KEY

- name: Disable SELinux | EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
selinux:
policy: targeted
state: permissive

- name: Disable SELinux | EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
Expand All @@ -49,15 +29,6 @@
policy: targeted
state: permissive

- name: Add firewalld rule | EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
firewalld: port={{ item }} permanent=true state=enabled immediate=yes
with_items:
- 80/tcp
- 443/tcp

- name: Add firewalld rule | EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
Expand Down Expand Up @@ -86,12 +57,6 @@
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'

- name: PMM | Delete centos EL7
shell: cd /tmp; nohup sh -c "trap 'userdel -r centos' EXIT; sleep 600" </dev/null >/dev/null 2>&1 &
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'

- name: PMM | Delete ec2-user EL9
shell: cd /tmp; nohup sh -c "trap 'userdel -r ec2-user' EXIT; sleep 600" </dev/null >/dev/null 2>&1 &
when:
38 changes: 0 additions & 38 deletions build/ansible/roles/cloud-node/tasks/main.yml
@@ -1,13 +1,5 @@
---
# Common things for all cloud images
- name: Packages | Add EPEL repository for EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
yum:
name: https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
state: installed

- name: Packages | Add EPEL repository for EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
Expand All @@ -16,19 +8,6 @@
name: epel-release
state: installed

- name: Packages | Install OS tools for EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
yum:
name:
- screen
- yum-utils
- cloud-init
- firewalld
- python2-pip
- ansible

- name: Packages | Install OS tools for EL9
when:
- (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version == '9'
Expand All @@ -41,16 +20,6 @@
- python3-libselinux
- python3-firewall

- name: Firewalld | Start EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
- ansible_os_family == 'RedHat'
service:
name: firewalld
state: started
enabled: yes

- name: Firewalld | Start EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
Expand Down Expand Up @@ -137,13 +106,6 @@
dest: /etc/sudoers.d/90-admin-user
mode: 0440

- name: change cloud user EL7 | Change cloud user
when: create_admin == "true" and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
replace:
dest: /etc/cloud/cloud.cfg
regexp: "name: centos"
replace: "name: admin"

- name: change cloud user for OVF EL9 | Change cloud user
when:
- create_admin == "true"
2 changes: 1 addition & 1 deletion build/ansible/roles/pmm-images/files/grafana.ini
Expand Up @@ -7,7 +7,7 @@ command =
/usr/sbin/grafana server
--homepath=/usr/share/grafana
--config=/etc/grafana/grafana.ini
user = grafana
user = pmm
directory = /usr/share/grafana
autorestart = true
autostart = true
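Review bot: `user = pmm` makes this program section depend on /etc/grafana/grafana.ini and whatever data, log and plugin paths that config points at being accessible to the pmm account, but nothing in the file records that; the CI workflow in the same commit has to chown /etc/grafana and /srv/grafana by hand, which shows how easy the dependency is to miss. A comment above the line, `; runs as pmm: /etc/grafana must be readable and /srv/grafana writable by pmm (ownership is set by the image build per the commit messages)`, keeps the two in step, and supervisord accepts `;` comments so it fits the file. Despite the filename this is a supervisord program definition, not Grafana's own config, so the comment belongs here rather than in grafana.ini. Sharing the pmm account with the other supervised programs also means a Grafana compromise inherits everything pmm owns; if that isolation matters, a dedicated unprivileged account with group access to the shared paths would be tighter than the same user everywhere.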

