add prod dirs via .gitkeep #174
Conversation
|
@bdunne please review. |
kbrock
force-pushed
the
more_dirs
branch
3 times, most recently
from
eab3437 to
2112d1e
Compare
|
update: moved chmod for core over to ui. unwip: rpm working |
|
removed a few of the |
rpm_spec/manageiq.spec.in
Outdated
| %{__chmod} 6750 %{buildroot}%{app_root}/{log,config,certs} | ||
| %{__chmod} 6750 %{buildroot}%{app_root}/data/git_repos |
There was a problem hiding this comment.
Would it be simpler to just 6750 the entire data dir into the previous line?
| %{__chmod} 6750 %{buildroot}%{app_root}/{log,config,certs} | |
| %{__chmod} 6750 %{buildroot}%{app_root}/data/git_repos | |
| %{__chmod} 6750 %{buildroot}%{app_root}/{log,config,certs,data} |
There was a problem hiding this comment.
I'm not sure what else is in there, but I assume anything else needs writability as well
There was a problem hiding this comment.
by default, the directories are 755. So all the lines above changing to manageiq.manageiq makes them writeable and readable.
This change says that root (basically just evmserverd and appliance_console) will write to these directories, and we want manageiq to be able to read and write to those files. (the umask for root is 755 and makes our processes blow up.)
There area also some ui directories that need access. I have moved those over to the ui spec per previous request in this pr
There was a problem hiding this comment.
^ ignore.
So we can chmod -r data which will change anything that we add at a later time.
Just need to be aware if we add any files to github, they will potentially be running with escalated privileges
There was a problem hiding this comment.
I don't think we should chmod -r, because the content inside the git repos directory are external git repos. Not sure what side effects that might cause. Maybe @NickLaMuro has some thoughts here.
There was a problem hiding this comment.
So, seems that git will only track the executable permissions, not the full set of nix permission levels:
So, with that said, I assume what ever we do here, it needs to be able to allow anyone that executes playbooks that might come with a role (and I assume that could include a shell/python executable) to be able to run those scripts. But that might be less of an issue since the repos here are just bare repos, and so the actually checkout happens into /tmp.
So we might be okay with whatever is done here as /tmp is where any actually interaction would come from from a potentially different and less privileged user.
There was a problem hiding this comment.
I chmod the data dir and the git_repo
let me know if this is not what you were asking for
|
@Fryguy I'm confused what you want
My goal was to What exactly are you asking for? Put something in place. Hope that is what you were asking for. |
These directories are created in the core repo (via .gitkeep) no need to create them here. The rpm is making them writeable by user manageiq so the app will run fine as a non-root user
|
Checked commit kbrock@3df8dbd with ruby 2.6.3, rubocop 1.13.0, haml-lint 0.35.0, and yamllint |
part of ManageIQ/manageiq#20394
requires:
Goal
Manipulate the files less. Letting them get created by git and staying as hands off as possible.
Changes
.gitkeep) instead of usingmkdirin therpmspecrootwill be available for processes running asmanageiq.(the changes are listed as final result, some of the changes were partially in place before this PR)