From 9b44bbb60d4fa98b5ca7f60ef5ff8f1c860ff4f5 Mon Sep 17 00:00:00 2001
From: Alex Demidoff
Date: Fri, 1 Dec 2023 00:17:53 +0300
Subject: [PATCH] PMM-12529 Run pmm-agent as non root (#2590)
* PMM-12529 run pmm-agent as non-root
* PMM-12529 update the spec and package files to leverage user pmm
* PMM-12529 fix the changelog
* PMM-12529 see if disabling parallel fixes the tests
* PMM-12529 leave a todo for re-enabling parallel runs
* PMM-12529 do not create pmm-agent user
* PMM-12529 add PostgreSQL to deb description
* PMM-12529 restore some changes
* PMM-12529 provide a playbook to install pmm-client
* PMM-12529 fix a typo
* PMM-12529 Move the agent role to build roles
* PMM-12529 fix the tax syntax
* PMM-12529 create an empty dir
* PMM-12529 pass the client to PMM Server docker
* PMM-12529 fix the tabulation
* PMM-12529 remove v2 from paths
* PMM-12529 update the agent installation path
---
 build/ansible/pmm/post-build-actions.yml | 1 +
 build/ansible/roles/pmm-client/tasks/main.yml | 44 +++++++++++++++++++
 build/ansible/roles/pmm-images/tasks/main.yml | 11 ++---
 build/docker/server/Dockerfile | 3 ++
 build/docker/server/Dockerfile.el9 | 3 ++
 build/docker/server/create_users.sh | 1 -
 build/packages/deb/control | 4 +-
 build/scripts/build-server-docker | 3 +-
 build/scripts/vars | 2 +-
 managed/services/supervisord/pmm_config.go | 1 +
 .../supervisord.d/pmm-db_disabled.ini | 1 +
 .../testdata/supervisord.d/pmm-db_enabled.ini | 1 +
 update/ansible/playbook/tasks/files/pmm.ini | 1 +
 update/ansible/playbook/tasks/update.yml | 1 -
 14 files changed, 63 insertions(+), 14 deletions(-)
 create mode 100644 build/ansible/roles/pmm-client/tasks/main.yml
diff --git a/build/ansible/pmm/post-build-actions.yml b/build/ansible/pmm/post-build-actions.yml
index 6e4b431400..8ad28081ab 100644
--- a/build/ansible/pmm/post-build-actions.yml
+++ b/build/ansible/pmm/post-build-actions.yml
@@ -61,6 +61,7 @@
 - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
 - ansible_distribution_major_version == '9'
+ # TODO: move to a version-less directory, e.g. /usr/local/percona/pmm
 - name: pmm-agent | Setup pmm-agent
 command: >
 pmm-agent setup
diff --git a/build/ansible/roles/pmm-client/tasks/main.yml b/build/ansible/roles/pmm-client/tasks/main.yml
new file mode 100644
index 0000000000..5e6b04c702
--- /dev/null
+++ b/build/ansible/roles/pmm-client/tasks/main.yml
@@ -0,0 +1,44 @@
+---
+# This role installs pmm-client.
+- name: Get the image version
+ slurp:
+ src: /usr/share/percona-dashboards/VERSION
+ register: image_version_file
+
+- name: Set the PMM image version
+ set_fact:
+ pmm_image_version: "{{ image_version_file['content'] | b64decode | trim }}"
+
+- name: Create a temporary directory
+ file:
+ path: /tmp/pmm-client
+ state: directory
+
+- name: Unpack the tarball
+ unarchive:
+ src: /tmp/pmm-client.tar.gz
+ dest: /tmp/pmm-client
+ remote_src: true
+ extra_opts: [--strip-components=1]
+
+- name: Install the client
+ command: env PMM_USER=pmm PMM_GROUP=pmm /tmp/pmm-client/install_tarball
+
+- name: Remove the tarball
+ file:
+ path: /tmp/pmm-client.tar.gz
+ state: absent
+
+- name: Remove the temporary directory
+ file:
+ path: /tmp/pmm-client
+ state: absent
+
+- name: Create symlinks to the binaries
+ file:
+ src: /usr/local/percona/pmm/bin/{{ item }}
+ dest: /usr/sbin/{{ item }}
+ state: link
+ loop:
+ - pmm-admin
+ - pmm-agent
diff --git a/build/ansible/roles/pmm-images/tasks/main.yml b/build/ansible/roles/pmm-images/tasks/main.yml
index 0a96c7322d..0dec550a35 100644
--- a/build/ansible/roles/pmm-images/tasks/main.yml
+++ b/build/ansible/roles/pmm-images/tasks/main.yml
@@ -103,7 +103,6 @@
 - { name: nginx, gid: 999 }
 - { name: grafana, gid: 998 }
 - { name: clickhouse, gid: 997 }
- - { name: pmm-agent, gid: 996 }
 - name: Create users | Create users
 user:
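Review bot: The `pmm-agent setup` command that follows the new TODO still runs as the playbook's own user (root during the image build), while this same commit makes supervisord start the agent as `user = pmm` in pmm_config.go; if setup writes /usr/local/percona/pmm/config/pmm-agent.yaml as root, the unprivileged agent may later be unable to update it, so this task should either run as the agent's user, e.g. `become: true` and `become_user: pmm`, or be followed by a `file:` task that sets `owner: pmm` / `group: pmm` on the config directory. The TODO also looks stale: the rest of the commit already moves the client to /usr/local/percona/pmm (see the symlink sources in the new pmm-client role), so either name what remains to be moved or drop the note. The task body continues outside the hunk.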
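Review bot: The `Install the client` task is never idempotent and passes its settings through an `env` prefix; use the module's `environment:` mapping and a `creates:` guard so re-runs skip the install once /usr/local/percona/pmm/bin/pmm-agent (the path the symlink task relies on) exists. The `pmm_image_version` fact produced by the first two tasks is not read anywhere in this file, so either use it or drop the slurp/set_fact pair. The role depends on user and group `pmm` already existing (`PMM_USER=pmm PMM_GROUP=pmm`, and supervisord's new `user = pmm`), yet this commit only removes the old `pmm-agent` account from the users lists and nothing visible creates `pmm`; presumably it is created earlier in those lists, but the header comment should state the assumption, e.g. `# This role installs pmm-client from /tmp/pmm-client.tar.gz; it assumes user and group pmm already exist.`
```yaml
- name: Install the client
  command: /tmp/pmm-client/install_tarball
  args:
    creates: /usr/local/percona/pmm/bin/pmm-agent
  environment:
    PMM_USER: pmm
    PMM_GROUP: pmm
```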
@@ -119,7 +118,6 @@
 - { name: nginx, uid: 999, comment: "nginx user", shell: "/sbin/nologin", home: "/var/cache/nginx", group: nginx, }
 - { name: grafana, uid: 998, comment: "Grafana Dashboard", shell: "/sbin/nologin", home: "/etc/grafana", group: grafana, }
 - { name: clickhouse, uid: 997, comment: "Clickhouse server", shell: "/sbin/nologin", home: "/var/lib/clickhouse", group: clickhouse, }
- - { name: pmm-agent, uid: 996, comment: "pmm-agent", shell: "/bin/false", home: "/usr/local/percona/", group: pmm-agent, }
 when: ansible_virtualization_type == "docker"
 - name: Create directories | Create dirs
@@ -168,12 +166,9 @@
 - name: PMM | Enable repo for pmm-client
 command: percona-release enable {{ pmm_client_repos }}
-- name: Install RPMs | Install pmm-client rpm
- yum:
- name:
- - pmm-client
- state: installed
- enablerepo: "{{ pmm_client_repo_name }}"
+- name: Install pmm-client
+ include_role:
+ name: pmm-client
 - name: Disable pmm-agent service | Disable pmm-agent
 when: ansible_virtualization_type != "docker"
diff --git a/build/docker/server/Dockerfile b/build/docker/server/Dockerfile
index 883d6bb08b..5eba5415b4 100644
--- a/build/docker/server/Dockerfile
+++ b/build/docker/server/Dockerfile
@@ -18,6 +18,9 @@ RUN yum -y install epel-release && yum -y install ansible
 COPY RPMS /tmp/RPMS
 COPY gitCommit /tmp/gitCommit
+# Use COPY as we want to unarchive it with ansible
+COPY pmm-client.tar.gz /tmp/
+
 COPY ansible /opt/ansible
 RUN cp -r /opt/ansible/roles /opt/ansible/pmm-docker/roles
 RUN ansible-playbook -vvv -i 'localhost,' -c local /opt/ansible/pmm-docker/main.yml \
diff --git a/build/docker/server/Dockerfile.el9 b/build/docker/server/Dockerfile.el9
index 134bbdb6fa..054e115042 100644
--- a/build/docker/server/Dockerfile.el9
+++ b/build/docker/server/Dockerfile.el9
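Review bot: With the yum install replaced by `include_role: pmm-client`, the task immediately above it, `PMM | Enable repo for pmm-client` (`percona-release enable {{ pmm_client_repos }}`), and the `pmm_client_repo_name` variable no longer serve this install; unless another task in the role still consumes that repo, remove them so the image build does not enable a package source it never uses. Worth noting for the update path too: update.yml drops `pmm-client` from its package list while this role only runs at image build, so in-place updates no longer refresh the client unless that is handled elsewhere. The surrounding task list continues outside the hunk.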
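Review bot: `COPY pmm-client.tar.gz /tmp/` creates its own image layer, so the pmm-client role's later `Remove the tarball` task only hides the file in a subsequent layer and the archive stays in the image history and size; if the final image is not squashed, prefer a BuildKit `RUN --mount=type=bind` on the ansible-playbook step or a multi-stage build so the archive never enters a shipped layer. The same applies to the identical hunk in Dockerfile.el9. The added comment could also say what consumes the file, e.g. `# Installed by the pmm-client ansible role; deleted afterwards but still present in this layer`.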
@@ -30,6 +30,9 @@ RUN microdnf -y install epel-release && \
 COPY RPMS /tmp/RPMS
 COPY gitCommit /tmp/gitCommit
+# Use COPY as we want to unarchive it with ansible
+COPY pmm-client.tar.gz /tmp/
+
 COPY ansible /opt/ansible
 # NOTE: this needs to be refactored, since some of the playbooks are duplicates
 RUN cp -r /opt/ansible/roles /opt/ansible/pmm-docker/roles
diff --git a/build/docker/server/create_users.sh b/build/docker/server/create_users.sh
index 7cf342d344..14aee0f31c 100644
--- a/build/docker/server/create_users.sh
+++ b/build/docker/server/create_users.sh
@@ -5,7 +5,6 @@ users=(
 "nginx:999:/sbin/nologin:/var/cache/nginx:nginx"
 "grafana:998:/sbin/nologin:/etc/grafana:grafana"
 "clickhouse:997:/sbin/nologin:/var/lib/clickhouse:clickhouse"
- "pmm-agent:996:/bin/false:/usr/local/percona/:pmm-agent"
 )
 for user in "${users[@]}"; do
diff --git a/build/packages/deb/control b/build/packages/deb/control
index d04408ef56..c2f910ce6f 100644
--- a/build/packages/deb/control
+++ b/build/packages/deb/control
@@ -14,5 +14,5 @@ Description: Percona Monitoring and Management Client
 performance. It is developed by Percona in collaboration with experts in the field of managed database services, support and consulting. PMM is a free and open-source solution that you can run in your own environment for maximum security and reliability.
- It provides thorough time-based analysis for MySQL and MongoDB servers to ensure that your data works as efficiently
- as possible.
+ It provides thorough time-based analysis for MySQL, PostgreSQL and MongoDB servers to ensure that your data works as
+ efficiently as possible.
diff --git a/build/scripts/build-server-docker b/build/scripts/build-server-docker
index f27055221a..10e2a8b6ab 100755
--- a/build/scripts/build-server-docker
+++ b/build/scripts/build-server-docker
@@ -16,6 +16,7 @@ ls ${docker_root}/ansible
 ls ${docker_root}/ansible/roles/pmm-images
 ls ${docker_root}/ansible/roles/pmm-images/tasks
 cp ${root_dir}/tmp/source/pmm/build/docker/server/* ${docker_root}/
+cp ${root_dir}/results/tarball/pmm-client-*.tar.gz ${docker_root}/pmm-client.tar.gz
 # enable 'local' repo in ansible playbooks
 sed -i -e "s/enablerepo: \"pmm-server\"/enablerepo: local/" ${docker_root}/ansible/roles/pmm-images/tasks/main.yml
@@ -27,7 +28,7 @@ docker run --rm -v ${rpms_dir}:/home/builder/rpm/RPMS ${rpmbuild_docker_image} s
 sudo chown -R builder /home/builder/rpm/RPMS
 until /usr/bin/createrepo_c --update /home/builder/rpm/RPMS; do
 echo "waiting"
- sleep 1
+ sleep 1
 done
 "
diff --git a/build/scripts/vars b/build/scripts/vars
index 3d905add23..06378e9164 100644
--- a/build/scripts/vars
+++ b/build/scripts/vars
@@ -7,7 +7,7 @@ root_dir=${ROOT_DIR:-$root_dir_tmp}
 tmp_dir=${root_dir}/tmp
 # In VERSION file we can have numeric value like '2.0.0' as well as
-# alphanumeric value like '2.0.0-alpha3' which we can not be used entirely
+# alphanumeric value like '2.0.0-alpha3' which can not be used entirely
 # e.g. in Version directive in spec files. So we define:
 # * full_pmm_version to contain full version and build metadata: '2.0.0-alpha3-PMM-1234-fb-branch-123abc';
 # * pmm_version to contain only MAJOR.MINOR.PATCH: '2.0.0';
diff --git a/managed/services/supervisord/pmm_config.go b/managed/services/supervisord/pmm_config.go
index 988cd5a0f3..5744991b9d 100644
--- a/managed/services/supervisord/pmm_config.go
+++ b/managed/services/supervisord/pmm_config.go
@@ -181,6 +181,7 @@ redirect_stderr = true
 [program:pmm-agent]
 priority = 15
 command = /usr/sbin/pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000
diff --git a/managed/testdata/supervisord.d/pmm-db_disabled.ini b/managed/testdata/supervisord.d/pmm-db_disabled.ini
index a1fd14f1f1..181c4794c4 100644
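Review bot: `cp ${root_dir}/results/tarball/pmm-client-*.tar.gz ${docker_root}/pmm-client.tar.gz` assumes the glob matches exactly one file: with two tarballs in results/tarball cp fails because the target is not a directory, with none it tries to copy the literal pattern, and a single stale artifact is copied silently. Expand the glob into an array (with `shopt -s nullglob` so a missing file counts as zero) and assert one match before copying, e.g. `tarballs=(${root_dir}/results/tarball/pmm-client-*.tar.gz)`, `[ ${#tarballs[@]} -eq 1 ] || { echo "expected one pmm-client tarball, found ${#tarballs[@]}" >&2; exit 1; }`, `cp "${tarballs[0]}" ${docker_root}/pmm-client.tar.gz`. The unquoted `${root_dir}`/`${docker_root}` expansions match the file's existing style, so I would leave them as they are.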
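Review bot: `user = pmm` in the generated supervisord program section changes the agent's effective identity without anything in the template documenting the dependency: supervisord refuses to start a program whose `user` cannot be resolved (the process ends up FATAL after `startretries`), and the agent's config at /usr/local/percona/pmm/config/pmm-agent.yaml on the `command` line above must be readable, and for re-setup writable, by that account. A comment in the raw string would make this explicit in the emitted ini, e.g. `; pmm-agent runs unprivileged as user pmm; that account must exist and own the agent's config directory` placed directly above `user = pmm`. The same line is added to the testdata ini files and to update/ansible/playbook/tasks/files/pmm.ini; they mirror this template and need no separate note. The template string continues outside the hunk.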
--- a/managed/testdata/supervisord.d/pmm-db_disabled.ini
+++ b/managed/testdata/supervisord.d/pmm-db_disabled.ini
@@ -76,6 +76,7 @@ redirect_stderr = true
 [program:pmm-agent]
 priority = 15
 command = /usr/sbin/pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000
diff --git a/managed/testdata/supervisord.d/pmm-db_enabled.ini b/managed/testdata/supervisord.d/pmm-db_enabled.ini
index 3c57dfd6cf..b88e9dd0eb 100644
--- a/managed/testdata/supervisord.d/pmm-db_enabled.ini
+++ b/managed/testdata/supervisord.d/pmm-db_enabled.ini
@@ -100,6 +100,7 @@ redirect_stderr = true
 [program:pmm-agent]
 priority = 15
 command = /usr/sbin/pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000
diff --git a/update/ansible/playbook/tasks/files/pmm.ini b/update/ansible/playbook/tasks/files/pmm.ini
index ae0531c1aa..f905eea5a5 100644
--- a/update/ansible/playbook/tasks/files/pmm.ini
+++ b/update/ansible/playbook/tasks/files/pmm.ini
@@ -103,6 +103,7 @@ redirect_stderr = true
 [program:pmm-agent]
 priority = 15
 command = /usr/sbin/pmm-agent --config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000
diff --git a/update/ansible/playbook/tasks/update.yml b/update/ansible/playbook/tasks/update.yml
index 4d25db6e61..b1db8e3891 100644
--- a/update/ansible/playbook/tasks/update.yml
+++ b/update/ansible/playbook/tasks/update.yml
@@ -15,7 +15,6 @@
 - percona-alertmanager
 - pmm-managed
 - pmm-update
- - pmm-client
 - pmm-dump
 - vmproxy
 - grafana-db-migrator