PMM-12530 run supervisor as non root #2643

ademidoff · 2023-11-24T12:56:11Z

PMM-12530

Link to the Feature Build: SUBMODULES-3462

With this PR we:

move all ansible scripts to one place: /build/ansible directory located in the root of this repo
start the container as pmm user (it has a number of implications, we'll detail them in the documentation when releasing)

codecov · 2023-11-24T13:56:38Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (b6acd98) 43.30% compared to head (03d2f50) 43.32%.

Additional details and impacted files

@@            Coverage Diff             @@
##               v3    #2643      +/-   ##
==========================================
+ Coverage   43.30%   43.32%   +0.01%     
==========================================
  Files         361      361              
  Lines       42323    42323              
==========================================
+ Hits        18329    18337       +8     
+ Misses      22447    22440       -7     
+ Partials     1547     1546       -1

Flag	Coverage Δ
admin	`10.43% <ø> (-0.05%)`	⬇️
agent	`53.37% <ø> (+0.14%)`	⬆️
managed	`44.76% <100.00%> (-0.02%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

ademidoff · 2023-12-17T11:17:39Z

build/ansible/roles/nginx/files/conf.d/pmm.conf

@@ -179,8 +179,8 @@
    }

    # Swagger UI
-    rewrite ^/swagger/swagger.json$ /swagger.json permanent;
-    rewrite ^(/swagger)/(.*)$ /swagger permanent;
+    rewrite ^/swagger/swagger.json$ $scheme://$http_host/swagger.json permanent;


nginx was trying to connect to port :8080 otherwise :)

ademidoff · 2023-12-17T11:19:07Z

build/ansible/roles/nginx/tasks/main.yml

 - name: Remove the default nginx config files
  file:
-    path: /etc/nginx/*.default
+    path: "{{ item }}"


Ansible's file module doesn't work with patterns :|

BupycHuk

Outstanding work!

BupycHuk · 2023-12-18T06:53:46Z

build/Makefile

-			docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
-			build -var 'pmm_client_repos=original testing' \
-				  	-var 'pmm_client_repo_name=percona-testing-x86_64' \
+		sed -i 's|become_method: su|become_method: sudo|g' ./roles/postgres/tasks/main.yml && \


not related to PR: why do we need these seds? don't we have this kind of logic in ansible?

nevermind, anyway it will be dropped

I didn't much know what to do with the seds, so just ended up updating the paths.
We needed these seds because in AMI we have to use sudo instead of su.

Now it will be a totally different story, as you mentioned )

BupycHuk · 2023-12-18T06:54:54Z

build/Makefile

+check:                          ## Run required checkers and linters
+	ansible-playbook --syntax-check ansible/pmm-docker/update.yml
+	ansible-playbook --check ansible/pmm-docker/update.yml
+	ansible-lint ansible/pmm-docker/update.yml


build/ansible/pmm/systemd.yml

ademidoff changed the base branch from main to v3 November 24, 2023 12:56

ademidoff mentioned this pull request Nov 24, 2023

PMM-12530 Run supervisor as non-root Percona-Lab/pmm-submodules#3462

Closed

ademidoff force-pushed the PMM-12530-run-supervisor-as-non-root branch 5 times, most recently from 65d5f14 to 71e32c6 Compare November 26, 2023 06:31

ademidoff closed this Dec 12, 2023

ademidoff force-pushed the PMM-12530-run-supervisor-as-non-root branch from eff2e66 to b6acd98 Compare December 12, 2023 12:55

ademidoff added 4 commits December 12, 2023 16:13

PMM-12530 remove clickhouse upgrade role

ab1acd8

PMM-12530 set pmm user for supervisord jobs

027be28

PMM-12530 move supervisord configs to the role

f21c888

PMM-12530 move non-docker tasks to their own playbook

60c5ca1

ademidoff reopened this Dec 12, 2023

ademidoff added 6 commits December 12, 2023 20:36

PMM-12530 fix wrong copy of grafana.ini

194e5ca

PMM-12530 fix wrong description

51434b9

PMM-12530 a few description fixes

bee6fb6

PMM-12530 fix wrong task syntax

4fa4250

PMM-12530 use loop instead of with_items

c9d2b83

PMM-12530 use a different become method for supervisorctl

dbfa806

ademidoff force-pushed the PMM-12530-run-supervisor-as-non-root branch from 29cd3cc to dbfa806 Compare December 12, 2023 23:28

ademidoff added 8 commits December 13, 2023 07:46

PMM-12530 use a command to restart grafana

0181a73

PMM-12530 use an interim Dockerfile

600c2b0

PMM-12530 update the port in the docs

0c185bf

PMM-12530 remove the service task

915e0dd

PMM-12530 use a base Dockerfile

d0c78ad

PMM-12530 remove user creation for non-docker

f5b1805

PMM-12530 provision deps for the base image

d5b67a1

PMM-12530 clean up supervisord role

c506b6a

ademidoff force-pushed the PMM-12530-run-supervisor-as-non-root branch from ba3abef to 9958160 Compare December 15, 2023 16:20

PMM-12530 move ansible to the build directory

f9ada73

ademidoff force-pushed the PMM-12530-run-supervisor-as-non-root branch from 9958160 to f9ada73 Compare December 15, 2023 18:00

ademidoff added 8 commits December 15, 2023 21:11

PMM-12530 switch to pmm user

c769b10

PMM-12530 clean up Dockerfile

529ef14

PMM-12530 optimize entrypoint and dir creation tasks

7767b10

PMM-12530 fix nginx failures

514999e

PMM-12530 fix the syntax error

8c80ddc

PMM-12530 remove comments

7e565f3

PMM-12530 update the easy install script

a58bcee

PMM-12530 move ansible lint checks to a proper Makefile

263eefa

ademidoff commented Dec 17, 2023

View reviewed changes

PMM-12530 fix wrong syntaxt in docker volume

769479a

ademidoff force-pushed the PMM-12530-run-supervisor-as-non-root branch from ff6bc21 to 769479a Compare December 17, 2023 12:24

BupycHuk approved these changes Dec 18, 2023

View reviewed changes

ademidoff marked this pull request as ready for review December 18, 2023 07:09

ademidoff requested review from a team and talhabinrizwan as code owners December 18, 2023 07:09

ademidoff requested review from artemgavrilov, idoqo and JiriCtvrtka and removed request for a team December 18, 2023 07:09

artemgavrilov approved these changes Dec 18, 2023

View reviewed changes

build/ansible/pmm/systemd.yml Outdated Show resolved Hide resolved

ademidoff added 2 commits December 18, 2023 10:07

PMM-12530 update the task description

b0b32b1

PMM-12530 send nginx logs to /dev/std{err,out}

03d2f50

ademidoff merged commit 0c90f57 into v3 Dec 18, 2023
30 checks passed

ademidoff deleted the PMM-12530-run-supervisor-as-non-root branch December 18, 2023 13:21

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

PMM-12530 run supervisor as non root #2643

PMM-12530 run supervisor as non root #2643

ademidoff commented Nov 24, 2023 •

edited

Loading

codecov bot commented Nov 24, 2023 •

edited

Loading

ademidoff Dec 17, 2023

ademidoff Dec 17, 2023

BupycHuk left a comment

BupycHuk Dec 18, 2023

BupycHuk Dec 18, 2023

ademidoff Dec 18, 2023 •

edited

Loading

BupycHuk Dec 18, 2023

PMM-12530 run supervisor as non root #2643

PMM-12530 run supervisor as non root #2643

Conversation

ademidoff commented Nov 24, 2023 • edited Loading

codecov bot commented Nov 24, 2023 • edited Loading

Codecov Report

ademidoff Dec 17, 2023

Choose a reason for hiding this comment

ademidoff Dec 17, 2023

Choose a reason for hiding this comment

BupycHuk left a comment

Choose a reason for hiding this comment

BupycHuk Dec 18, 2023

Choose a reason for hiding this comment

BupycHuk Dec 18, 2023

Choose a reason for hiding this comment

ademidoff Dec 18, 2023 • edited Loading

Choose a reason for hiding this comment

BupycHuk Dec 18, 2023

Choose a reason for hiding this comment

ademidoff commented Nov 24, 2023 •

edited

Loading

codecov bot commented Nov 24, 2023 •

edited

Loading

ademidoff Dec 18, 2023 •

edited

Loading