TC jobs are all running as root (need option to run as non-root)

RESOLVED FIXED

Status

Taskcluster
Worker
2 years ago
8 months ago

People

(Reporter: dustin, Unassigned)

Tracking

(Depends on: 1 bug, {leave-open})

Details

(Whiteboard: [docker-worker])

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
Running 'id' in the current image:

https://tools.taskcluster.net/task-inspector/#GVKdGQcmT3KDBVtIIUQrHQ/0
uid=0(root) gid=0(root) groups=0(root)

So, yeah.  This caused some particularly weird errors when running plugin-container on CentOS 6.  I don't know how (or if, TBH) it worked on Ubuntu.
(Reporter)

Comment 1

2 years ago
Created attachment 8653660 [details]
MozReview Request: Bug 1199379: drop root before beginning the build r?ted.mielczarek

Bug 1199379: don't build as root, and verify r?ted
Attachment #8653660 - Flags: review?(ted)
(Reporter)

Updated

2 years ago
Assignee: nobody → dustin
Comment on attachment 8653660 [details]
MozReview Request: Bug 1199379: drop root before beginning the build r?ted.mielczarek

https://reviewboard.mozilla.org/r/17479/#review15603

Good call!
Attachment #8653660 - Flags: review?(ted) → review+
(Reporter)

Comment 3

2 years ago
Comment on attachment 8653660 [details]
MozReview Request: Bug 1199379: drop root before beginning the build r?ted.mielczarek

Bug 1199379: don't build as root, and verify r?ted.mielczarek
Attachment #8653660 - Attachment description: MozReview Request: Bug 1199379: don't build as root, and verify r?ted → MozReview Request: Bug 1199379: don't build as root, and verify r?ted.mielczarek
(Reporter)

Comment 4

2 years ago
Actually, I'm going to hold off on this.  It turns out that *everything* runs as root in TaskCluster, and caches don't work with non-root users.  So the current setup builds stuff as root, which mostly works; if I land this patch, then nothing will work.
Blocks: 1189892
Depends on: 1093833
(Reporter)

Comment 5

2 years ago
A workaround will be to have build-linux.sh chmod the relevant folders, then su - to worker and re-run itself.  I'll see if I can make that work.
Keywords: leave-open
(In reply to Dustin J. Mitchell [:dustin] from comment #0)
> So, yeah.  This caused some particularly weird errors when running
> plugin-container on CentOS 6.  I don't know how (or if, TBH) it worked on
> Ubuntu.

We have an idea: /home/worker is mode 0700 in the CentOS image but mode 0755 in the Ubuntu image, and the root-owned plugin-container that had given up its superuser powers was treated as "other" in those permissions, so it broke on CentOS but would still work on Ubuntu.
See Also: → bug 1199481
(Reporter)

Comment 7

2 years ago
I'd rather not build as root, all other things being equal.  So I think fixing that is the better solution, rather than convincing Firefox to build and run as root.

I'm about to put another review request up for that workaround.  Sorry for the multiple review reqs!
(Reporter)

Comment 8

2 years ago
Comment on attachment 8653660 [details]
MozReview Request: Bug 1199379: drop root before beginning the build r?ted.mielczarek

Bug 1199379: drop root before beginning the build r?ted.mielczarek

This requires doing some cleanup of permissions on the cache mounts first;
eventually, this should be done by the docker-worker.
Attachment #8653660 - Attachment description: MozReview Request: Bug 1199379: don't build as root, and verify r?ted.mielczarek → MozReview Request: Bug 1199379: drop root before beginning the build r?ted.mielczarek
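
A sketch of the workaround described in comments 5 and 8, as an added example that is not the patch that landed: fix ownership of the cache mounts while still root, then re-run the script as the unprivileged user and check the result before building. `RUN_AS`, `CACHE_DIRS`, `BUILD_CMD`, the default path and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the landed build-linux.sh.
# Assumed names: RUN_AS, CACHE_DIRS, BUILD_CMD, foreign_owned, claim_dirs.
RUN_AS="${RUN_AS:-worker}"
CACHE_DIRS="${CACHE_DIRS:-/home/worker/workspace}"   # space-separated list

# Print every entry under the given dirs that is NOT owned by numeric uid $1.
# Empty output means the unprivileged user owns everything in its caches.
foreign_owned() {
    uid=$1; shift
    find "$@" ! -uid "$uid" -print 2>/dev/null
}

# Hand the cache mounts to "uid:gid". Only root can give files away, so this
# is the one step that must happen before privileges are dropped.
claim_dirs() {
    owner=$1; shift
    chown -R "$owner" "$@"
}

main() {
    if [ "$(id -u)" -eq 0 ]; then
        # shellcheck disable=SC2086  # CACHE_DIRS is split on purpose
        claim_dirs "$(id -u "$RUN_AS"):$(id -g "$RUN_AS")" $CACHE_DIRS || exit 1
        # Re-run this script as the unprivileged user. exec leaves no root
        # shell behind. Assumes $0 is an absolute path ("su -" changes
        # directory) and that the values contain no single quotes.
        exec su - "$RUN_AS" -c \
            "CACHE_DIRS='$CACHE_DIRS' BUILD_CMD='$BUILD_CMD' sh '$0'"
    fi
    # Second pass, now unprivileged: verify the mounts before building.
    # shellcheck disable=SC2086
    leftovers=$(foreign_owned "$(id -u)" $CACHE_DIRS)
    if [ -n "$leftovers" ]; then
        echo "not owned by $(id -un):" >&2
        echo "$leftovers" >&2
        exit 1
    fi
    exec sh -c "$BUILD_CMD"
}

# Act only when a build command is supplied, so the functions can be sourced.
if [ -n "${BUILD_CMD:-}" ]; then main; fi
```

The ownership check in the second pass is what catches a cache mount that was created by an earlier root-run task and missed by the chown.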
(Reporter)

Updated

2 years ago
Attachment #8653660 - Flags: review+ → review?(ted)
Attachment #8653660 - Flags: review?(ted) → review+
Comment on attachment 8653660 [details]
MozReview Request: Bug 1199379: drop root before beginning the build r?ted.mielczarek

https://reviewboard.mozilla.org/r/17479/#review15851

Bummer that you have to leave all those FIXMEs in, but at least you have bugs on file.
(Reporter)

Comment 10

2 years ago
With that landed, this no longer blocks bug 1189892, but needs a more complete solution.
Assignee: dustin → nobody
No longer blocks: 1189892

Comment 11

2 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/c82573f56056
https://hg.mozilla.org/mozilla-central/rev/c82573f56056
(Reporter)

Updated

2 years ago
Component: General Automation → Docker-Worker
Product: Release Engineering → Taskcluster
QA Contact: catlee
Summary: TC jobs are all running as root → TC jobs are all running as root (need option to run as non-root)
Whiteboard: [docker-worker]
Component: Docker-Worker → Worker

Comment 13

8 months ago
I believe this has largely been solved by running as another user and chown-ing the workspace directories correctly.  Reopen with comments if this has not been solved.
Status: NEW → RESOLVED
Last Resolved: 8 months ago
Resolution: --- → FIXED
(Reporter)

Comment 14

8 months ago
The idea was that we would not run tasks as root by default, but it really doesn't seem to be bothering anyone, so maybe we can just leave it as-is.