PMM-12530 run supervisor as non root

README.md

@@ -57,7 +57,7 @@ $ docker volume create pmm-data
 3. Run PMM server container
 ```bash
 $ docker run --detach --restart always \
---publish 443:443 \
+--publish 443:8443 \
 --volume pmm-data:/srv \
 --name pmm-server \
 percona/pmm-server:3
@@ -99,4 +99,4 @@ As a general rule of thumb, please try to create bug reports that are:
 
 ## Licensing
 
-Percona is dedicated to **keeping open source open**. Wherever possible, we strive to include permissive licensing for both our software and documentation. For this project, we are using the [GNU AGPLv3](https://github.com/percona/pmm/blob/main/LICENSE) license.
+Percona is dedicated to **keeping open source open**. Wherever possible, we strive to include permissive licensing for both our software and documentation. For this project, we are using the [GNU AGPLv3](./LICENSE) license.

api-tests/server/version_test.go

@@ -34,7 +34,6 @@ import (
 func TestVersion(t *testing.T) {
 	t.Parallel()
 	paths := []string{
-		"managed/v1/version",
 		"v1/version",
 	}
 	for _, path := range paths {

api/nginx/nginx.conf

@@ -3,7 +3,7 @@
 
 daemon off;
 
-error_log stderr info;
+error_log /dev/stderr info;
 # error_log stderr debug;
 
 events {

build/Makefile

@@ -66,36 +66,39 @@ pmm-ami:
 						-var 'pmm_client_repo_name=percona-experimental-x86_64' \
 						-var 'pmm_server_repo=experimental' \
 						-only amazon-ebs -color=false \
-                                                packer/pmm.json
+						packer/pmm.json
 
 pmm-ami-rc:
 	docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
 			build -var 'pmm_client_repos=original testing' \
-				  	-var 'pmm_client_repo_name=percona-testing-x86_64' \
-					-var 'pmm_server_repo=testing' \
-				  	-only amazon-ebs '-color=false' \
-                                        packer/pmm.json
+						-var 'pmm_client_repo_name=percona-testing-x86_64' \
+						-var 'pmm_server_repo=testing' \
+						-only amazon-ebs '-color=false' \
+						packer/pmm.json
 
 pmm-ami-el9:
 	mkdir -p update && \
-	cp -r ../update/ansible/playbook/* update/ && \
-		sed -i 's|become_method: su|become_method: sudo|g' update/tasks/roles/postgres/tasks/main.yml && \
+		sed -i 's|become_method: su|become_method: sudo|g' ./roles/postgres/tasks/main.yml && \
 		docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
 		build -var 'pmm_client_repos=original experimental' \
 					-var 'pmm_client_repo_name=percona-experimental-x86_64' \
 					-var 'pmm_server_repo=experimental' \
 					-only amazon-ebs -color=false \
-                                        packer/pmm.el9.json
+					packer/pmm.el9.json
 
 pmm-ami-el9-rc:
 	mkdir -p update && \
-			cp -r ../update/ansible/playbook/* update/ && \
-			sed -i 's|become_method: su|become_method: sudo|g' update/tasks/roles/postgres/tasks/main.yml && \
-			docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
-			build -var 'pmm_client_repos=original testing' \
-				  	-var 'pmm_client_repo_name=percona-testing-x86_64' \
+		sed -i 's|become_method: su|become_method: sudo|g' ./roles/postgres/tasks/main.yml && \
+		docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
+		build -var 'pmm_client_repos=original testing' \
+					-var 'pmm_client_repo_name=percona-testing-x86_64' \
 					-var 'pmm_server_repo=testing' \
-				  	-only amazon-ebs '-color=false' \
-                                        packer/pmm.el9.json
+					-only amazon-ebs '-color=false' \
+					packer/pmm.el9.json
 
 ## ----------------- PACKER ------------------
+
+check:                          ## Run required checkers and linters
+	ansible-playbook --syntax-check ansible/pmm-docker/update.yml
+	ansible-playbook --check ansible/pmm-docker/update.yml
+	ansible-lint ansible/pmm-docker/update.yml

build/ansible/ansible.cfg

@@ -0,0 +1,11 @@
+# This is the default ansible.cfg file.
+# It necessary for ansible to work properly when it acts as 'pmm' user.
+# Otherwise, it will fail with 'Permission denied' error since the default paths are '/root/.ansible/tmp'
+# Ref: https://github.com/ansible/ansible/blob/stable-2.9/examples/ansible.cfg
+[defaults]
+
+remote_tmp     = /tmp
+local_tmp      = /tmp
+
+# additional paths to search for roles in, colon separated
+roles_path     = /opt/ansible/roles

update/ansible/playbook/tasks/init.yml → build/ansible/pmm-docker/init.yml

@@ -2,8 +2,10 @@
 # This playbook contains tasks executed during initialization PMM Server
 - hosts: localhost
   become: true
+  become_method: su
+  become_user: pmm
   gather_facts: true
-  tasks:
-    - name: Run initialization role
-      include_role:
-        name: initialization
+
+
+  roles:
+    - initialization

update/ansible/playbook/tasks/update.yml → build/ansible/pmm-docker/update.yml

@@ -9,19 +9,19 @@
     PATH: /usr/local/bin:{{ ansible_env.PATH }}
 
   pre_tasks:
-    - name: detect /srv/pmm-distribution
+    - name: Detect /srv/pmm-distribution
       stat:
         path: /srv/pmm-distribution
       no_log: true
       register: srv_pmm_distribution
 
-    - name: detect containers
+    - name: Detect container environment
       set_fact:
         is_docker: '{{ lookup("file", "/srv/pmm-distribution") == "docker" }}'
       no_log: true
       when: srv_pmm_distribution.stat.exists
 
-    - name: force container
+    - name: Set the variable to true if undefined
       set_fact:
         is_docker: true
       when: is_docker is undefined
@@ -31,19 +31,10 @@
       copy:
         src: maintenance.html
         dest: /usr/share/pmm-server/maintenance/
+        owner: pmm
+        group: pmm
         mode: 0644
 
-    - name: Cleanup yum metadata
-      command: yum clean metadata
-      become: true
-      tags:
-        - skip_ansible_lint
-
-    - name: Upgrade supervisor config
-      copy:
-        src: pmm.ini
-        dest: /etc/supervisord.d/pmm.ini
-
     # restart pmm-managed-init and pmm-managed first as they may update supervisord configuration on start
     - name: Generate new supervisor config
       command: pmm-managed-init
@@ -57,59 +48,17 @@
         option: autostart
         value: "false"
 
-    - name: Upgrade supervisord config
-      copy:
-        src: supervisord.ini
-        dest: /etc/supervisord.d/supervisord.ini
-
-    - name: Remove supervisord
-      file:
-        state: absent
-        path: /etc/supervisord.d/supervisord.ini
-      when: not is_docker
-
-    # Set forking type to 'simple'
-    - name: Configure systemd
-      when: not is_docker
-      copy:
-        src: supervisord.service
-        dest: /usr/lib/systemd/system/supervisord.service
-        mode: 0644
-
-    - name: Remove old supervisord service configuration
-      when: not is_docker
-      file:
-        path: /etc/systemd/system/supervisord.service
-        state: absent
-
-    # Start the services
-    - name: Enable supervisord        | Make the service persist between reboots
-      when: not is_docker
-      systemd:
-        name: supervisord
-        enabled: yes
-
-    - name: Supervisord start        | Start supervisord service for AMI/OVF
-      when: not is_docker
-      systemd:
-        name: supervisord
-        state: started # supervisord may already be running
-        daemon_reload: yes
-
     - name: Check that supervisor socket exists
       stat:
         path: /run/supervisor/supervisor.sock
-      register: is_supervisor_running
-
-    - name: Start supervisord for docker
-      when: 
-        - is_docker 
-        - not is_supervisor_running.stat.exists
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+      register: supervisor_socket
+
+    # During build time, this will be the first start of supervisord.
+    - name: Start supervisord
+      when: not supervisor_socket.stat.exists
       shell: supervisord -c /etc/supervisord.conf &
 
-    - name: Wait until postgres port is present before continuing
+    - name: Wait until postgres port is present
       wait_for:
         host: localhost
         port: 5432
@@ -118,95 +67,51 @@
     - name: Run initialization playbook
       include_role:
         name: initialization
-      vars:
-        ui_upgrade: True
-
-    - name: Enable crond service
-      when: not is_docker
-      service:
-        name: crond
-        state: started
-        enabled: yes
-
-    - name: Increase number of open files for jobs
-      when: not is_docker
-      ini_file:
-        dest: /etc/supervisord.conf
-        section: supervisord
-        option: minfds
-        value: "800000"
 
     # See https://github.com/Supervisor/supervisor/issues/1264 for explanation
     # why we do reread + stop/remove/add instead of using supervisorctl Ansible module.
-    - name: Reread supervisord configuration EL9
-      when:
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Reread supervisord configuration
       command: supervisorctl reread
+      become: true
+      become_user: pmm
+      become_method: su
       register: reread_result
       changed_when: "'No config updates to processes' not in reread_result.stdout"
 
     - name: Check reread results
       debug: var=reread_result.stdout_lines
 
-    - name: Restart pmm-managed EL9
-      when: 
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
-      command: supervisorctl {{ item }} pmm-managed
+    - name: Restart pmm-managed
+      command: "supervisorctl {{ item }} pmm-managed"
       become: true
-      changed_when: true
-      with_items: ["stop", "remove", "add"]
-
-    # give pmm-managed time to update supervisord configuration,
+      become_user: pmm
+      become_method: su
+      loop: 
+        - stop
+        - remove
+        - add
+
+    # Give pmm-managed time to update supervisord configuration,
     # and give update UI time to catch up after pmm-managed restart
     - name: Wait for pmm-managed
       pause: seconds=10
 
     # Fix things that should be fixed before restarts.
 
-    - name: Stop systemd pmm-agent service, if running
-      systemd:
-        name: pmm-agent
-        state: stopped
-        enabled: no
-      when: not is_docker
-
-    # https://jira.percona.com/browse/PMM-9298
-    - name: Copy rezise-xfs file for lvm
-      copy:
-        src: resize-xfs-lvm
-        dest: /var/lib/cloud/scripts/per-boot/resize-xfs
-        mode: 0755
-      when: not is_docker
-
-    # https://jira.percona.com/browse/PMM-5271
-    - name: Check volume size
-      when: not is_docker
-      replace:
-        dest: /var/lib/cloud/scripts/per-boot/resize-xfs
-        regexp: "set -o errexit"
-        replace: ""
-
-    - name: Reread supervisord configuration again EL9
-      when: 
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Reread supervisord configuration again
       command: supervisorctl reread
       register: reread_result
       changed_when: "'No config updates to processes' not in reread_result.stdout"
 
     - name: Check reread results
       debug: var=reread_result.stdout_lines
 
-    - name: Restart services EL9
-      when: 
-        - is_docker
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Restart services
       command: supervisorctl {{ item.1 }} {{ item.0 }}
       become: true
-      changed_when: true
+      become_user: pmm
+      become_method: su
+      # changed_when: true
       with_nested:
         - - nginx
           - grafana
@@ -237,31 +142,27 @@
         query: UPDATE "user" SET id='1' WHERE login='admin';
       when: not ansible_check_mode
 
-    # we need to put this step as one of the last steps, because it removes pmm.ini
-    - name: Remove redundant packages
-      yum:
-        state: absent
-        name:
-          - logrotate # https://jira.percona.com/browse/PMM-7627
+    # - name: Remove redundant packages
+    #   yum:
+    #     state: absent
+    #     name:
+    #       - logrotate # https://jira.percona.com/browse/PMM-7627
 
     # Regenerating pmm.ini and enabling pmm-update-perform-init
     - name: Generate new supervisor config
       command: pmm-managed-init
+      become: true
+      become_user: pmm
+      become_method: su      
       register: managed_init_result
       changed_when: True
 
-    - name: Reread pmm-update-perform-init supervisor config EL9
-      when:
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Reread pmm-update-perform-init supervisor config
       command: supervisorctl reread
       register: reread_init__result
       changed_when: "'No config updates to processes' not in reread_init__result.stdout"
 
-    - name: Update/restart other services EL9
-      when:
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Update/restart other services
       command: supervisorctl update
       register: update_result
       changed_when: "'updated' in update_result.stdout"
@@ -281,10 +182,7 @@
 
     # SIGUSR2 is sent to supervisord by pmm-managed right before the update for logging to work correctly.
     # We use that fact to show what was restarted during the update.
-    - name: Get supervisord logs EL9
-      when: 
-        - ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
-        - ansible_distribution_major_version == '9'
+    - name: Get supervisord logs
       shell: supervisorctl maintail -100000 | tac | awk '!flag; /received SIGUSR2/{flag = 1};' | tac
       register: maintail_result
       changed_when: False

update/ansible/playbook/tasks/create-lvm.yml → build/ansible/pmm/create-lvm.yml

@@ -1,3 +1,4 @@
+# TODO: This role seems to no longer be used. Verify and remove.
 - hosts: localhost
   become: true
   gather_facts: true