PMM-12693 run grafana as non root #2648

Merged
merged 37 commits into from
Dec 4, 2023
82e5705
PMM-12693 Run grafana as non-root
ademidoff Nov 27, 2023
8346c92
PMM-12693 rebuild grafana with new perms
ademidoff Nov 27, 2023
65b6861
PMM-12693 remove sqlite migration
ademidoff Nov 27, 2023
6c03ba9
PMM-12693 remove sqlite migration
ademidoff Nov 27, 2023
da21c09
PMM-12693 revert some spec changes
ademidoff Nov 27, 2023
a67b354
PMM-12693 check grafana logs
ademidoff Nov 27, 2023
be227be
PMM-12693 remove grafana-db-migrator
ademidoff Nov 27, 2023
c2f1682
PMM-12693 create grafana dir explicitly
ademidoff Nov 27, 2023
a2cc6e4
PMM-12693 fix with_items syntax
ademidoff Nov 27, 2023
fc676ae
PMM-12693 take ownership of /etc/grafana
ademidoff Nov 27, 2023
4749491
PMM-12693 try other options for /etc/grafana
ademidoff Nov 27, 2023
57ac5ee
PMM-12693 try different permissions on /etc/grafana
ademidoff Nov 28, 2023
02573be
PMM-12693 remove grafana user
ademidoff Nov 28, 2023
38049d5
PMM-12693 remove grafana user
ademidoff Nov 28, 2023
0a7bd7d
PMM-12693 set dir permissions for grafana-dashboards
ademidoff Nov 28, 2023
e1bc5dd
PMM-12693 do not install packages twice
ademidoff Nov 28, 2023
8b3179b
PMM-12693 remove CentOS 7 tasks
ademidoff Nov 29, 2023
8ff568a
PMM-12693 move grafana bootstrap to an earlier time
ademidoff Nov 29, 2023
37a6510
PMM-12693 remove more CentOS 7 tasks
ademidoff Nov 29, 2023
dd3ffe6
PMM-12693 move clickhouse install back
ademidoff Nov 29, 2023
2202025
PMM-12693 do not upgrade sqlite
ademidoff Nov 29, 2023
db32437
PMM-12693 clean up the dashboards playbook
ademidoff Nov 29, 2023
8d41a45
PMM-12693 clean up the update playbook
ademidoff Nov 30, 2023
87efdce
Update build/packages/rpm/server/SPECS/percona-dashboards.spec
ademidoff Nov 30, 2023
1ed4b2e
PMM-12693 follow up on review
ademidoff Nov 30, 2023
f98371f
Merge branch 'PMM-12693-run-grafana-as-non-root' of github.com:percon…
ademidoff Nov 30, 2023
5773ba6
Merge branch 'v3' into PMM-12693-run-grafana-as-non-root
ademidoff Dec 1, 2023
60679c7
PMM-12693 move the version copying out of dashboards_update
ademidoff Dec 1, 2023
1971153
PMM-12693 trigger the build
ademidoff Dec 1, 2023
e4ba6a7
PMM-12693 hackily start pmm-agent
ademidoff Dec 1, 2023
8853957
PMM-12693 check the status of services
ademidoff Dec 4, 2023
e8b4e0b
PMM-7 wait for container to get healthy
ademidoff Dec 4, 2023
30f95c5
PMM-7 debug: output grafana logs
ademidoff Dec 4, 2023
087b238
PMM-7 debug the ownership of /etc/grafana/grafana.ini
ademidoff Dec 4, 2023
7e2cfae
PMM-7 change ownership of /etc/grafana to pmm
ademidoff Dec 4, 2023
cdfd731
PMM-7 change ownership of /srv/grafana to pmm
ademidoff Dec 4, 2023
8d9ac7e
PMM-7 cleanup the workflow
ademidoff Dec 4, 2023
10 changes: 9 additions & 1 deletion .github/workflows/managed.yml
Expand Up @@ -78,7 +78,15 @@ jobs:
run: docker exec -i pmm-server git config --global --add safe.directory /root/go/src/github.com/percona/pmm

- name: Update binaries
run: docker exec -i pmm-server make run-managed-ci run-agent run-vmproxy
run: |
# We need to make this directory owned by pmm, since it's currently owned by the grafana user in the devcontainer.
# TODO: remove the line below after this PR is merged to v3.
docker exec -t pmm-server chown -R pmm:pmm /etc/grafana /srv/grafana
docker exec -i pmm-server make run-managed-ci run-agent run-vmproxy

- name: Check the status of components
run: |
docker exec -t pmm-server supervisorctl status || :
ademidoff marked this conversation as resolved.

- name: Run tests
run: docker exec -i pmm-server make -C managed test-cover
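
Review bot: in the "Update binaries" step, `chown -R pmm:pmm /etc/grafana /srv/grafana` hands the configuration directory to the same account Grafana runs as after this PR, so the service can rewrite its own grafana.ini. If Grafana only needs to read its configuration, keeping /etc/grafana owned by root with group pmm and no group write would be tighter; if write access is required, say why in the comment next to the TODO. Separately, `supervisorctl status || :` in "Check the status of components" discards the exit code, so a service in a failed state will not stop the job before "Run tests"; if that is intentional for debugging, a comment would help.
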
2 changes: 1 addition & 1 deletion Makefile
Expand Up @@ -20,7 +20,7 @@ env-update-image: ## Pull latest dev image

env-compose-up: env-update-image
COMPOSE_PROFILES=$(PROFILES) \
docker compose up --detach --renew-anon-volumes --remove-orphans
docker compose up --detach --renew-anon-volumes --remove-orphans --wait --wait-timeout 100

env-devcontainer:
docker exec -it --workdir=/root/go/src/github.com/percona/pmm pmm-server .devcontainer/setup.py
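
Review bot: the timeout in `--wait --wait-timeout 100` on the `docker compose up` line is a hard-coded value with no stated rationale. Consider a Make variable with a default so slow machines can raise it without editing the target, and note that `--wait` only reflects service health where the compose services define a healthcheck; without one it waits for the running state only.
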
50 changes: 15 additions & 35 deletions build/ansible/pmm/post-build-actions.yml
Expand Up @@ -71,36 +71,25 @@
--server-address=127.0.0.1:443
--server-insecure-tls

- name: Reread supervisord configuration EL7
when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
command: supervisorctl reread
register: reread_result
changed_when: "'No config updates to processes' not in reread_result.stdout"

- name: Reread supervisord configuration EL9
when: (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version == '9'
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
command: /usr/local/bin/supervisorctl reread
register: reread_result
changed_when: "'No config updates to processes' not in reread_result.stdout"

- name: See what services are running
debug: var=reread_result.stdout_lines

- name: Stop pmm-managed before deleting the database EL7
when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
supervisorctl:
name: pmm-managed
state: stopped
ignore_errors: True

- name: Stop pmm-managed before deleting the database EL9
when: (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version == '9'
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
supervisorctl:
name: pmm-managed
state: stopped
supervisorctl_path: /usr/local/bin/supervisorctl
# become: true
# ignore_errors: True

- name: Supervisord stop | Stop supervisord service for AMI/OVF
when: ansible_virtualization_type != "docker"
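
Review bot: the "Stop pmm-managed before deleting the database EL9" task carries two commented-out directives, `# become: true` and `# ignore_errors: True`. Either remove them or enable the one that is needed; as written it is unclear whether a failure to stop pmm-managed should abort the play before the database is dropped. With the EL7 variants gone, the "EL9" suffix in the task names could also be dropped.
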
Expand Down Expand Up @@ -128,16 +117,10 @@
ignore_errors: yes
when: ansible_virtualization_type != "docker"

- name: Remove pmm-managed database EL7
when: ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
postgresql_db:
login_user: postgres
name: pmm-managed
state: absent
register: db_check_result

- name: Remove pmm-managed database EL9
when: (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version == '9'
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
postgresql_db:
login_user: postgres
name: pmm-managed
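
Review bot: the same two-line distribution check is repeated on "Remove pmm-managed database EL9" and on the tasks above it, although the EL7 branches it used to be distinguished from are removed in this PR. A single assertion on the supported distributions at the top of the playbook would let these per-task `when` blocks go, and would fail loudly on an unsupported host instead of silently skipping the database removal.
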
Expand All @@ -150,7 +133,6 @@
msg: "pmm-managed database was removed"
when: db_check_result.changed == True


- name: Remove pmm-managed role from postgres
postgresql_user:
name: pmm-managed
Expand All @@ -167,10 +149,6 @@
when: ansible_virtualization_type != "docker"
service: name=supervisord state=stopped enabled=yes

- name: Supervisord stop EL7 | Stop supervisord service for docker
when: ansible_virtualization_type == "docker" and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
shell: supervisorctl shutdown

- name: Supervisord stop EL9 | Stop supervisord service for docker
when: ansible_virtualization_type == "docker" and (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version == '9'
shell: /usr/local/bin/supervisorctl shutdown
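
Review bot: "Supervisord stop EL9 | Stop supervisord service for docker" keeps the single-line `when` with mixed `and`/`or` while the other tasks in this file were converted to list form; converting it too would keep the file consistent. `shell:` is also not needed for `/usr/local/bin/supervisorctl shutdown`, which uses no shell features, so `command:` is the safer module.
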
Expand All @@ -180,8 +158,10 @@

# "yum clean all" function will only remove cache from configured yum repositories
# Details: https://bugzilla.redhat.com/show_bug.cgi?id=1357083
- name: Remove yum cache | Remove yum cache dir
command: rm -rf /var/cache/yum
- name: Cleanup yum cache
file:
state: absent
path: /var/cache/yum

- name: Post-build cleanup | Cleanup build logs and data
file: path={{ item }} state=absent
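
Review bot: the path `/var/cache/yum` in "Cleanup yum cache" looks left over from EL7. On EL9 yum is provided by dnf, which caches under /var/cache/dnf, so with the CentOS 7 tasks removed this task may delete nothing. Consider pointing it at the dnf cache (or listing both paths) and updating the comment above it.
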
Expand All @@ -207,7 +187,7 @@
path: /srv/victoriametrics
owner: pmm
group: pmm
mode: '0775'
mode: 0775
with_items:
- absent
- directory
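
Review bot: `mode: 0775` drops the quotes that the previous `mode: '0775'` had. The unquoted form works only because the leading zero makes the YAML parser read it as octal; if the zero is ever lost, the value is taken as decimal and the resulting permissions are wrong. Keeping the quoted string is the safer convention for file modes.
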
Expand All @@ -218,4 +198,4 @@
state: directory
owner: pmm
group: pmm
mode: "0775"
mode: 0775
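
Review bot: with owner and group both `pmm`, `mode: 0775` on this directory also grants read and traverse to every other local account. If nothing outside the pmm account needs access, 0750 would match the intent of this PR better.
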
35 changes: 0 additions & 35 deletions build/ansible/roles/ami-ovf/tasks/main.yml
Expand Up @@ -7,18 +7,6 @@
- name: Packages | Clean up yum metadata
command: yum clean metadata

- name: Packages | Add PMM3 Server release repository for EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
yum_repository:
name: pmm-server
description: PMM Server YUM repository - x86_64
baseurl: https://repo.percona.com/pmm3-components/yum/experimental/7/RPMS/x86_64/
gpgcheck: yes
enabled: yes
gpgkey: file:///etc/pki/rpm-gpg/PERCONA-PACKAGING-KEY

- name: Packages | Add PMM3 Server release repository for EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
Expand All @@ -31,14 +19,6 @@
enabled: yes
gpgkey: file:///etc/pki/rpm-gpg/PERCONA-PACKAGING-KEY

- name: Disable SELinux | EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
selinux:
policy: targeted
state: permissive

- name: Disable SELinux | EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
Expand All @@ -49,15 +29,6 @@
policy: targeted
state: permissive

- name: Add firewalld rule | EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
firewalld: port={{ item }} permanent=true state=enabled immediate=yes
with_items:
- 80/tcp
- 443/tcp

- name: Add firewalld rule | EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
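
Review bot: the context lines at the top of this hunk show the EL9 task named "Disable SELinux" setting `state: permissive`, so the name and the effect do not match. Since this PR is about reducing Grafana's privileges, it would be worth renaming the task and recording whether enforcing mode is planned for the AMI/OVF image.
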
Expand Down Expand Up @@ -86,12 +57,6 @@
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'

- name: PMM | Delete centos EL7
shell: cd /tmp; nohup sh -c "trap 'userdel -r centos' EXIT; sleep 600" </dev/null >/dev/null 2>&1 &
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'

- name: PMM | Delete ec2-user EL9
shell: cd /tmp; nohup sh -c "trap 'userdel -r ec2-user' EXIT; sleep 600" </dev/null >/dev/null 2>&1 &
when:
38 changes: 0 additions & 38 deletions build/ansible/roles/cloud-node/tasks/main.yml
@@ -1,13 +1,5 @@
---
# Common things for all cloud images
- name: Packages | Add EPEL repository for EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
yum:
name: https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-7-14.noarch.rpm
state: installed

- name: Packages | Add EPEL repository for EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
Expand All @@ -16,19 +8,6 @@
name: epel-release
state: installed

- name: Packages | Install OS tools for EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
yum:
name:
- screen
- yum-utils
- cloud-init
- firewalld
- python2-pip
- ansible

- name: Packages | Install OS tools for EL9
when:
- (ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux') and ansible_distribution_major_version == '9'
Expand All @@ -41,16 +20,6 @@
- python3-libselinux
- python3-firewall

- name: Firewalld | Start EL7
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version == '7'
- ansible_os_family == 'RedHat'
service:
name: firewalld
state: started
enabled: yes

- name: Firewalld | Start EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
Expand Down Expand Up @@ -137,13 +106,6 @@
dest: /etc/sudoers.d/90-admin-user
mode: 0440

- name: change cloud user EL7 | Change cloud user
when: create_admin == "true" and ansible_distribution == 'CentOS' and ansible_distribution_major_version == '7'
replace:
dest: /etc/cloud/cloud.cfg
regexp: "name: centos"
replace: "name: admin"

- name: change cloud user for OVF EL9 | Change cloud user
when:
- create_admin == "true"
2 changes: 1 addition & 1 deletion build/ansible/roles/pmm-images/files/grafana.ini
Expand Up @@ -7,7 +7,7 @@ command =
/usr/sbin/grafana server
--homepath=/usr/share/grafana
--config=/etc/grafana/grafana.ini
user = grafana
user = pmm
directory = /usr/share/grafana
autorestart = true
autostart = true
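
Review bot: changing `user = grafana` to `user = pmm` moves Grafana from a dedicated account to the one that also owns other component data, for example /srv/victoriametrics in post-build-actions.yml. That removes the filesystem separation between Grafana and those components, so a short note in the PR description on why a shared account is preferred, and which paths Grafana must be able to write, would help reviewers confirm that ownership and modes are no wider than needed.
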