Uploaded image for project: 'Jenkins'
  1. Jenkins
  2. JENKINS-50195

Create a non root user for running Jenkins and the evergreen-client

    Details

    • Sprint:
      Evergreen - Milestone 1
    • Similar Issues:

      Description

      Issue

      Currently the user for Jenkins is still root, we need to fix this and be for instance jenkins before we deliver it to users.

      Expected

      The processes should not running as root.

      We must do like the jenkins/jenkins image in this regard.

        Attachments

          Issue Links

            Activity

            Hide
            rtyler R. Tyler Croy added a comment -

            I'm assuming the issue here is that the java process is running as root, correct?

            Or are you concerned about supervisord running as root too?

            Assuming it's the first one, supervisord supports dropping permissions when it executes processes, so perhaps we should just update the supervisord.conf to run both java and eventually nodejs as the jenkins user?

            Show
            rtyler R. Tyler Croy added a comment - I'm assuming the issue here is that the java process is running as root, correct? Or are you concerned about supervisord running as root too? Assuming it's the first one, supervisord supports dropping permissions when it executes processes, so perhaps we should just update the supervisord.conf to run both java and eventually nodejs as the jenkins user?
            Hide
            batmat Baptiste Mathus added a comment -

            Yes, Jenkins right now. And same for evergreen-client once it will exist as a process too.

            I think we should ideally run supervisord in userspace too, if it does not need to be root

             

            Show
            batmat Baptiste Mathus added a comment - Yes, Jenkins right now. And same for evergreen-client once it will exist as a process too. I think we should ideally run supervisord  in userspace too, if it does not need to be root .   
            Hide
            rtyler R. Tyler Croy added a comment -

            I don't have a good notion right now of whether supervisord needs root or not.

            I'm going to leave this ticket in the backlog, but feel free to pick it up for Milestone 1 if the other stuff gets tackled in good time.

            Show
            rtyler R. Tyler Croy added a comment - I don't have a good notion right now of whether supervisord needs root or not. I'm going to leave this ticket in the backlog, but feel free to pick it up for Milestone 1 if the other stuff gets tackled in good time.
            Hide
            batmat Baptiste Mathus added a comment -

            Ack, tagged for current milestone so that it shows up on the board. But ack also to work on it only if others are done. I agree it's not critical to the current phase.

            Show
            batmat Baptiste Mathus added a comment - Ack, tagged for current milestone so that it shows up on the board. But ack also to work on it only if others are done. I agree it's not critical to the current phase.
            Hide
            rtyler R. Tyler Croy added a comment -

            Baptiste Mathus, FYI the reason I'd like to get to this (if possible) in Milestone 1 is that it will be difficult to seamlessly upgrade in the future without a full re-installation.

            If the filesystem permissions are correct when somebody starts with Milestone 1, in theory we can continue upgrading them all the way to GA

            Show
            rtyler R. Tyler Croy added a comment - Baptiste Mathus , FYI the reason I'd like to get to this (if possible) in Milestone 1 is that it will be difficult to seamlessly upgrade in the future without a full re-installation. If the filesystem permissions are correct when somebody starts with Milestone 1, in theory we can continue upgrading them all the way to GA

              People

              • Assignee:
                batmat Baptiste Mathus
                Reporter:
                batmat Baptiste Mathus
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: