Closed Bug 1499051 Opened 6 years ago Closed 5 years ago

Run tasks under unique OS user accounts on darwin (macOS)

Categories

(Taskcluster :: Workers, task, P2)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: pmoore, Assigned: pmoore)

Attachments

(1 file)

Currently, tasks run as the worker user on darwin (macOS).

Work started in https://github.com/taskcluster/generic-worker/blob/844b6421b643c40dab759c7ff907c95a67db57f7/plat_darwin.go to create individual task OS users per task but this code is incomplete and unused.
Component: Generic-Worker → Workers

CCing Jake, as he's been recently fighting with macOS things, including user creation, in Mojave and might have some input.

Pete is going to pick this up next week.

Some guidance for Pete: not everything needs to work under task/user isolation to start. For a first pass, I would focus on only the features required to run the PGO task on Mac (bug 1528374). :chmanchester can probably help with that.

Assignee: nobody → pmoore
Status: NEW → ASSIGNED
Type: enhancement → task
Priority: -- → P2

:pete, could we get away with not setting passwords for dynamically created users?

Also, as just a heads up, when it comes to gw on mojave, we might need to start signing the binaries in order to make certain calls to dscl. On yosemite, it should be no issue but on Mojave the OS enforces certain security parameters that can't easily be overridden.

Pete, do you have any updates on macOS user isolation for the PGO worker pool?

Flags: needinfo?(pmoore)

(In reply to Jake Watkins [:dividehex] from comment #3)

> :pete, could we get away with not setting passwords for dynamically created users?

Potentially we could, although that isn't how I was intending to implement. Can you share a bit of detail about why that would be preferred?

> Also, as just a heads up, when it comes to gw on mojave, we might need to start signing the binaries in order to make certain calls to dscl. On yosemite, it should be no issue but on Mojave the OS enforces certain security parameters that can't easily be overridden.

Thanks for the heads up. At the moment, the releases on github are not signed, but we do download them to the puppet master for propagation to the workers, so we could perhaps sign the version hosted on the puppet master, until we have automated signing the versions on github releases. But I'll look into creating signed releases on github too at some point, which would be best.

(In reply to Chris Peterson [:cpeterson] from comment #4)

> Pete, do you have any updates on macOS user isolation for the PGO worker pool?

Hi Chris, I'm working on this now, and hope to have something ready in the next couple of weeks.

Flags: needinfo?(pmoore)

This is where the development is being done. The PR isn't ready for review yet, but adding the link for those who may wish to monitor progress.

See Also: → 1499054

Hi Jake, re: comment 5. Thanks!

Flags: needinfo?(jwatkins)

Released in generic-worker 15.0.0.

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

For those installing the new generic-worker, please pay special attention to the updated installation instructions.

Any problems/issues, let me know!

Blocks: 1559142
Blocks: 1559157
No longer blocks: 1559142

I'm reopening this bug, as I've found a bug (bug 1560388) which will need fixing before we go to production...

Status: RESOLVED → REOPENED
Depends on: 1560388
Resolution: FIXED → ---

Blocking bug has now been fixed, so closing this bug too.

Released in generic-worker 15.1.0.

Status: REOPENED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED

Jake, see comment 11 for installation instructions. Thanks!

(In reply to Pete Moore [:pmoore][:pete] from comment #14)

> Jake, see comment 11 for installation instructions. Thanks!

Thanks, Pete!

Flags: needinfo?(jwatkins)