Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-50195

Create a non root user for running Jenkins and the evergreen-client

XMLWordPrintable

    • Evergreen - Milestone 1

      Issue

      Currently the user for Jenkins is still root, we need to fix this and be for instance jenkins before we deliver it to users.

      Expected

      The processes should not running as root.

      We must do like the jenkins/jenkins image in this regard.

          [JENKINS-50195] Create a non root user for running Jenkins and the evergreen-client

          R. Tyler Croy added a comment -

          I'm assuming the issue here is that the java process is running as root, correct?

          Or are you concerned about supervisord running as root too?

          Assuming it's the first one, supervisord supports dropping permissions when it executes processes, so perhaps we should just update the supervisord.conf to run both java and eventually nodejs as the jenkins user?

          R. Tyler Croy added a comment - I'm assuming the issue here is that the java process is running as root, correct? Or are you concerned about supervisord running as root too? Assuming it's the first one, supervisord supports dropping permissions when it executes processes, so perhaps we should just update the supervisord.conf to run both java and eventually nodejs as the jenkins user?

          Baptiste Mathus added a comment -

          Yes, Jenkins right now. And same for evergreen-client once it will exist as a process too.

          I think we should ideally run supervisord in userspace too, if it does not need to be root

           

          Baptiste Mathus added a comment - Yes, Jenkins right now. And same for evergreen-client once it will exist as a process too. I think we should ideally run supervisord  in userspace too, if it does not need to be root .   

          R. Tyler Croy added a comment -

          I don't have a good notion right now of whether supervisord needs root or not.

          I'm going to leave this ticket in the backlog, but feel free to pick it up for Milestone 1 if the other stuff gets tackled in good time.

          R. Tyler Croy added a comment - I don't have a good notion right now of whether supervisord needs root or not. I'm going to leave this ticket in the backlog, but feel free to pick it up for Milestone 1 if the other stuff gets tackled in good time.

          Baptiste Mathus added a comment -

          Ack, tagged for current milestone so that it shows up on the board. But ack also to work on it only if others are done. I agree it's not critical to the current phase.

          Baptiste Mathus added a comment - Ack, tagged for current milestone so that it shows up on the board. But ack also to work on it only if others are done. I agree it's not critical to the current phase.

          R. Tyler Croy added a comment -

          batmat, FYI the reason I'd like to get to this (if possible) in Milestone 1 is that it will be difficult to seamlessly upgrade in the future without a full re-installation.

          If the filesystem permissions are correct when somebody starts with Milestone 1, in theory we can continue upgrading them all the way to GA

          R. Tyler Croy added a comment - batmat , FYI the reason I'd like to get to this (if possible) in Milestone 1 is that it will be difficult to seamlessly upgrade in the future without a full re-installation. If the filesystem permissions are correct when somebody starts with Milestone 1, in theory we can continue upgrading them all the way to GA

            batmat Baptiste Mathus
            batmat Baptiste Mathus
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated:
              Resolved: