• Type: Bug
• Resolution: Fixed
• Priority: Major
• Component/s: evergreen
• Labels:

  • evergreen

[JENKINS-50195] Create a non root user for running Jenkins and the evergreen-client

Baptiste Mathus created issue - 2018-03-15 14:14

Baptiste Mathus made changes - 2018-03-15 14:14

Labels

New: essentials

Baptiste Mathus made changes - 2018-03-15 14:14

Epic Link

New: JENKINS-49845 [ 188829 ]

Baptiste Mathus made changes - 2018-03-15 14:15

Description

Original: h3. Issue Currently the user for Jenkins is still {{root}}, we need to fix this and be for instance {{jenkins}} before we deliver it to users. h3. Expected The processes should *not* running as root. We must do like the {{jenkins/jenkins}} image.

New: h3. Issue Currently the user for Jenkins is still {{root}}, we need to fix this and be for instance {{jenkins}} before we deliver it to users. h3. Expected The processes should *not* running as root. We must do like the {{jenkins/jenkins}} image in this regard.

Collapse comment: R. Tyler Croy added a comment - 2018-03-15 15:59

R. Tyler Croy added a comment - 2018-03-15 15:59

I'm assuming the issue here is that the java process is running as root, correct?

Or are you concerned about supervisord running as root too?

Assuming it's the first one, supervisord supports dropping permissions when it executes processes, so perhaps we should just update the supervisord.conf to run both java and eventually nodejs as the jenkins user?

Expand comment: R. Tyler Croy added a comment - 2018-03-15 15:59

R. Tyler Croy added a comment - 2018-03-15 15:59 I'm assuming the issue here is that the java process is running as root, correct? Or are you concerned about supervisord running as root too? Assuming it's the first one, supervisord supports dropping permissions when it executes processes, so perhaps we should just update the supervisord.conf to run both java and eventually nodejs as the jenkins user?

R. Tyler Croy made changes - 2018-03-15 17:02

Assignee

Original: R. Tyler Croy [ rtyler ]

Collapse comment: Baptiste Mathus added a comment - 2018-03-16 14:44

Baptiste Mathus added a comment - 2018-03-16 14:44

Yes, Jenkins right now. And same for evergreen-client once it will exist as a process too.

I think we should ideally run supervisord in userspace too, if it does not need to be root. 

 

Expand comment: Baptiste Mathus added a comment - 2018-03-16 14:44

Baptiste Mathus added a comment - 2018-03-16 14:44 Yes, Jenkins right now. And same for evergreen-client once it will exist as a process too. I think we should ideally run supervisord  in userspace too, if it does not need to be root .   

Collapse comment: R. Tyler Croy added a comment - 2018-03-16 20:39

R. Tyler Croy added a comment - 2018-03-16 20:39

I don't have a good notion right now of whether supervisord needs root or not.

I'm going to leave this ticket in the backlog, but feel free to pick it up for Milestone 1 if the other stuff gets tackled in good time.

Expand comment: R. Tyler Croy added a comment - 2018-03-16 20:39

R. Tyler Croy added a comment - 2018-03-16 20:39 I don't have a good notion right now of whether supervisord needs root or not. I'm going to leave this ticket in the backlog, but feel free to pick it up for Milestone 1 if the other stuff gets tackled in good time.

Baptiste Mathus made changes - 2018-03-18 14:42

Sprint

New: Essentials - Milestone 1 [ 511 ]

Collapse comment: Baptiste Mathus added a comment - 2018-03-18 14:43

Baptiste Mathus added a comment - 2018-03-18 14:43

Ack, tagged for current milestone so that it shows up on the board. But ack also to work on it only if others are done. I agree it's not critical to the current phase.

Expand comment: Baptiste Mathus added a comment - 2018-03-18 14:43

Baptiste Mathus added a comment - 2018-03-18 14:43 Ack, tagged for current milestone so that it shows up on the board. But ack also to work on it only if others are done. I agree it's not critical to the current phase.

Load more newer events