PMM-12529 Run pmm-agent as non root (#2590)

* PMM-12529 run pmm-agent as non-root

* PMM-12529 update the spec and package files to leverage user pmm

* PMM-12529 fix the changelog

* PMM-12529 see if disabling parallel fixes the tests

* PMM-12529 leave a todo for re-enabling parallel runs

* PMM-12529 do not create pmm-agent user

* PMM-12529 add PostgreSQL to deb description

* PMM-12529 restore some changes

* PMM-12529 provide a playbook to install pmm-client

* PMM-12529 fix a typo

* PMM-12529 Move the agent role to build roles

* PMM-12529 fix the tax syntax

* PMM-12529 create an empty dir

* PMM-12529 pass the client to PMM Server docker

* PMM-12529 fix the tabulation

* PMM-12529 remove v2 from paths

* PMM-12529 update the agent installation path

build/ansible/pmm/post-build-actions.yml

@@ -61,6 +61,7 @@
         - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
         - ansible_distribution_major_version == '9'
 
+    # TODO: move to a version-less directory, e.g. /usr/local/percona/pmm
     - name: pmm-agent                  | Setup pmm-agent
       command: >
         pmm-agent setup

build/ansible/roles/pmm-client/tasks/main.yml

@@ -0,0 +1,44 @@
+---
+# This role installs pmm-client.
+- name: Get the image version
+  slurp:
+    src: /usr/share/percona-dashboards/VERSION
+  register: image_version_file
+
+- name: Set the PMM image version
+  set_fact:
+    pmm_image_version: "{{ image_version_file['content'] | b64decode | trim }}"
+
+- name: Create a temporary directory
+  file:
+    path: /tmp/pmm-client
+    state: directory
+
+- name: Unpack the tarball
+  unarchive:
+    src: /tmp/pmm-client.tar.gz
+    dest: /tmp/pmm-client
+    remote_src: true
+    extra_opts: [--strip-components=1]
+
+- name: Install the client
+  command: env PMM_USER=pmm PMM_GROUP=pmm /tmp/pmm-client/install_tarball
+
+- name: Remove the tarball
+  file:
+    path: /tmp/pmm-client.tar.gz
+    state: absent
+
+- name: Remove the temporary directory
+  file:
+    path: /tmp/pmm-client
+    state: absent
+
+- name: Create symlinks to the binaries
+  file:
+    src: /usr/local/percona/pmm/bin/{{ item }}
+    dest: /usr/sbin/{{ item }}
+    state: link
+  loop:
+    - pmm-admin
+    - pmm-agent

build/ansible/roles/pmm-images/tasks/main.yml

@@ -103,7 +103,6 @@
         - { name: nginx, gid: 999 }
         - { name: grafana, gid: 998 }
         - { name: clickhouse, gid: 997 }
-        - { name: pmm-agent, gid: 996 }
 
     - name: Create users              | Create users
       user:
@@ -119,7 +118,6 @@
         - { name: nginx, uid: 999, comment: "nginx user", shell: "/sbin/nologin", home: "/var/cache/nginx", group: nginx, }
         - { name: grafana, uid: 998, comment: "Grafana Dashboard", shell: "/sbin/nologin", home: "/etc/grafana", group: grafana, }
         - { name: clickhouse, uid: 997, comment: "Clickhouse server", shell: "/sbin/nologin", home: "/var/lib/clickhouse", group: clickhouse, }
-        - { name: pmm-agent, uid: 996, comment: "pmm-agent", shell: "/bin/false", home: "/usr/local/percona/", group: pmm-agent, }
   when: ansible_virtualization_type == "docker"
 
 - name: Create directories        | Create dirs
@@ -168,12 +166,9 @@
 - name: PMM                        | Enable repo for pmm-client
   command: percona-release enable {{ pmm_client_repos }}
 
-- name: Install RPMs               | Install pmm-client rpm
-  yum:
-    name:
-      - pmm-client
-    state: installed
-    enablerepo: "{{ pmm_client_repo_name }}"
+- name: Install pmm-client
+  include_role:
+    name: pmm-client
 
 - name: Disable pmm-agent service | Disable pmm-agent
   when: ansible_virtualization_type != "docker"

build/docker/server/Dockerfile

@@ -18,6 +18,9 @@ RUN yum -y install epel-release && yum -y install ansible
 COPY RPMS /tmp/RPMS
 COPY gitCommit /tmp/gitCommit
 
+# Use COPY as we want to unarchive it with ansible
+COPY pmm-client.tar.gz /tmp/
+
 COPY ansible /opt/ansible
 RUN cp -r /opt/ansible/roles /opt/ansible/pmm-docker/roles
 RUN ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm-docker/main.yml \

build/docker/server/Dockerfile.el9

@@ -30,6 +30,9 @@ RUN microdnf -y install epel-release && \
 COPY RPMS /tmp/RPMS
 COPY gitCommit /tmp/gitCommit
 
+# Use COPY as we want to unarchive it with ansible
+COPY pmm-client.tar.gz /tmp/
+
 COPY ansible /opt/ansible
 # NOTE: this needs to be refactored, since some of the playbooks are duplicates
 RUN cp -r /opt/ansible/roles /opt/ansible/pmm-docker/roles

build/docker/server/create_users.sh

@@ -5,7 +5,6 @@ users=(
   "nginx:999:/sbin/nologin:/var/cache/nginx:nginx"
   "grafana:998:/sbin/nologin:/etc/grafana:grafana"
   "clickhouse:997:/sbin/nologin:/var/lib/clickhouse:clickhouse"
-  "pmm-agent:996:/bin/false:/usr/local/percona/:pmm-agent"
 )
 
 for user in "${users[@]}"; do

build/packages/deb/control

@@ -14,5 +14,5 @@ Description: Percona Monitoring and Management Client
  performance. It is developed by Percona in collaboration with experts in the field of managed database services,
  support and consulting.
  PMM is a free and open-source solution that you can run in your own environment for maximum security and reliability.
- It provides thorough time-based analysis for MySQL and MongoDB servers to ensure that your data works as efficiently
- as possible.
+ It provides thorough time-based analysis for MySQL, PostgreSQL and MongoDB servers to ensure that your data works as 
+ efficiently as possible.

build/scripts/build-server-docker

@@ -16,6 +16,7 @@ ls ${docker_root}/ansible
 ls ${docker_root}/ansible/roles/pmm-images
 ls ${docker_root}/ansible/roles/pmm-images/tasks
 cp ${root_dir}/tmp/source/pmm/build/docker/server/* ${docker_root}/
+cp ${root_dir}/results/tarball/pmm-client-*.tar.gz ${docker_root}/pmm-client.tar.gz
 
 # enable 'local' repo in ansible playbooks
 sed -i -e "s/enablerepo: \"pmm-server\"/enablerepo: local/" ${docker_root}/ansible/roles/pmm-images/tasks/main.yml
@@ -27,7 +28,7 @@ docker run --rm -v ${rpms_dir}:/home/builder/rpm/RPMS ${rpmbuild_docker_image} s
     sudo chown -R builder /home/builder/rpm/RPMS
     until /usr/bin/createrepo_c --update /home/builder/rpm/RPMS; do
         echo "waiting"
-	sleep 1
+        sleep 1
     done
 "
 

build/scripts/vars

@@ -7,7 +7,7 @@ root_dir=${ROOT_DIR:-$root_dir_tmp}
 tmp_dir=${root_dir}/tmp
 
 # In VERSION file we can have numeric value like '2.0.0' as well as
-# alphanumeric value like '2.0.0-alpha3' which we can not be used entirely
+# alphanumeric value like '2.0.0-alpha3' which can not be used entirely
 # e.g. in Version directive in spec files. So we define:
 # * full_pmm_version to contain full version and build metadata: '2.0.0-alpha3-PMM-1234-fb-branch-123abc';
 # * pmm_version to contain only MAJOR.MINOR.PATCH: '2.0.0';

managed/services/supervisord/pmm_config.go

@@ -181,6 +181,7 @@ redirect_stderr = true
 [program:pmm-agent]
 priority = 15
 command = /usr/sbin/pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000

managed/testdata/supervisord.d/pmm-db_disabled.ini

@@ -76,6 +76,7 @@ redirect_stderr = true
 [program:pmm-agent]
 priority = 15
 command = /usr/sbin/pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000

managed/testdata/supervisord.d/pmm-db_enabled.ini

@@ -100,6 +100,7 @@ redirect_stderr = true
 [program:pmm-agent]
 priority = 15
 command = /usr/sbin/pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000

update/ansible/playbook/tasks/files/pmm.ini

@@ -103,6 +103,7 @@ redirect_stderr = true
 [program:pmm-agent]
 priority = 15
 command = /usr/sbin/pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000

update/ansible/playbook/tasks/update.yml

@@ -15,7 +15,6 @@
       - percona-alertmanager
       - pmm-managed
       - pmm-update
-      - pmm-client
       - pmm-dump
       - vmproxy
       - grafana-db-migrator