authorEirk Nygaard <eirik.nygaard@yahooinc.com>2022-10-20 10:49:35 +0000
committerEirk Nygaard <eirik.nygaard@yahooinc.com>2022-10-21 12:19:02 +0000
commit604af1235637971912bdc36d79decbac3bffe1bb (patch)
treefe087bb411b7e2d219b6cf0962ba555865c11671 /vespabase
parentd585895070d794ac4535e49b72d8d4b8a30f49ae (diff)
Support running Vespa in container as non-root
This removes the old VESPA_UNPRIVILEGED environment variable. Instead we use the old mechanism if the id of the user starting Vespa is root. If the container is started with a non-root user, some sanity checking is done to either fail because the wrong permissions are active, or warn the user about limits that may be too low.
Diffstat (limited to 'vespabase')
-rwxr-xr-xvespabase/src/common-env.sh53
-rwxr-xr-xvespabase/src/rhel-prestart.sh25
2 files changed, 55 insertions, 23 deletions
diff --git a/vespabase/src/common-env.sh b/vespabase/src/common-env.sh
index 628ebe6b074..41c25be4ac9 100755
--- a/vespabase/src/common-env.sh
+++ b/vespabase/src/common-env.sh
@@ -207,26 +207,45 @@ consider_fallback VESPA_USE_NO_VESPAMALLOC "vespa-rpc-invoke vespa-get-config v
fixlimits () {
- # Cannot bump limits when not root (for testing)
- if [ "${VESPA_UNPRIVILEGED}" = yes ]; then
- return 0
- fi
- # number of open files:
- if varhasvalue file_descriptor_limit; then
- ulimit -n ${file_descriptor_limit} || exit 1
- elif [ `ulimit -n` -lt 262144 ]; then
- ulimit -n 262144 || exit 1
+ max_processes_limit=409600
+ if ! varhasvalue file_descriptor_limit; then
+ file_descriptor_limit=262144
fi
- # core file size
- if [ `ulimit -c` != "unlimited" ]; then
- ulimit -c unlimited
- fi
+ max_processes=$(ulimit -u)
+ core_size=$(ulimit -c)
+ file_descriptor=$(ulimit -n)
+ # Warn if we Cannot bump limits when not root
+ if [ "$(id -u)" -ne 0 ]; then
+ # number of open files:
+ if [ $file_descriptor -lt $file_descriptor_limit ]; then
+ echo "Expected file descriptor limit to be at least $file_descriptor_limit, was $file_descriptor"
+ fi
+
+ # core file size
+ if [ "$core_size" != "unlimited" ]; then
+ echo "Expected core file size to be unlimited, was $core_size"
+ fi
+
+ # number of processes/threads
+ if [ "$max_processes" != "unlimited" ] && [ "$max_processes" -lt "$max_processes_limit" ]; then
+ echo "Expected max processes to be at least $max_processes_limit, was $max_processes"
+ fi
+ else
+ # number of open files:
+ if [ $file_descriptor -lt $file_descriptor_limit ]; then
+ ulimit -n files || exit 1
+ fi
- # number of processes/threads
- max_processes=`ulimit -u`
- if [ "$max_processes" != "unlimited" ] && [ "$max_processes" -lt 409600 ]; then
- ulimit -u 409600
+ # core file size
+ if [ "$core_size" != "unlimited" ]; then
+ ulimit -c unlimited
+ fi
+
+ # number of processes/threads
+ if [ "$max_processes" != "unlimited" ] && [ "$max_processes" -lt "$max_processes_limit" ]; then
+ ulimit -u "$max_processes_limit"
+ fi
fi
}
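Review bot: In the root branch of `fixlimits`, `ulimit -n files || exit 1` passes the literal word `files` instead of the computed limit, so whenever the current descriptor limit is below `$file_descriptor_limit` the call is rejected and startup exits; it should read `ulimit -n "$file_descriptor_limit" || exit 1`. Both `[ $file_descriptor -lt $file_descriptor_limit ]` tests are unquoted and assume a number, unlike the `max_processes` test, so if `ulimit -n` reports `unlimited` the test errors instead of being skipped cleanly; quoting the operands and adding a `[ "$file_descriptor" != "unlimited" ]` guard would match the other checks. The non-root warnings are written to stdout, and appending `>&2` would keep them out of any captured output.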
diff --git a/vespabase/src/rhel-prestart.sh b/vespabase/src/rhel-prestart.sh
index 79a8e61848c..0aedfb4622d 100755
--- a/vespabase/src/rhel-prestart.sh
+++ b/vespabase/src/rhel-prestart.sh
@@ -85,6 +85,7 @@ fi
if [ "$VESPA_GROUP" = "" ]; then
VESPA_GROUP=$(id -rgn)
fi
+IS_ROOT=$([ "$(id -ru)" == "0" ] && echo true || echo false)
cd $VESPA_HOME || { echo "Cannot cd to $VESPA_HOME" 1>&2; exit 1; }
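Review bot: `IS_ROOT` is derived from the real uid (`id -ru`), while the last hunk of this file and `fixlimits` in common-env.sh test the effective uid (`id -u`), so the privilege checks can disagree when real and effective ids differ. Whether `chown`/`chgrp` succeed depends on the effective uid, so a single source is safer: `IS_ROOT=$([ "$(id -u)" = "0" ] && echo true || echo false)`, reused in the later `if` instead of calling `id` again. The `==` inside `[ ]` is a bash extension and the shebang is outside this hunk, so `=` is the portable choice unless the script is known to run under bash.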
@@ -94,9 +95,21 @@ fixdir () {
exit 1
fi
mkdir -p "$4"
- if [ "${VESPA_UNPRIVILEGED}" != yes ]; then
- chown $1 "$4"
- chgrp $2 "$4"
+ if ! $IS_ROOT; then
+ local stat="$(stat -c "%U %G" $4)"
+ local user=${stat% *}
+ local group=${stat#* }
+ if [ "$1" != "$user" ]; then
+ echo "Wrong owner for $VESPA_HOME/$4, expected $1, was $user"
+ exit 1
+ fi
+ if [ "$2" != "$group" ]; then
+ echo "Wrong group for $VESPA_HOME/$4, expected $2, was $group"
+ exit 1
+ fi
+ else
+ chown $1 "$4"
+ chgrp $2 "$4"
fi
chmod $3 "$4"
}
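Review bot: In the non-root branch of `fixdir`, `local stat="$(stat -c "%U %G" $4)"` leaves `$4` unquoted and hides a failing `stat` behind `local`, and the two "Wrong owner/group" messages go to stdout although the `cd` failure earlier in this file writes to stderr. Suggested: declare `local stat` on its own line, assign with `stat=$(stat -c "%U %G" "$4") || exit 1`, and append `1>&2` to both `echo` lines. Comparing by name may also reject a correctly owned directory when the container uid has no passwd entry, since `stat` then prints `UNKNOWN`; comparing numeric ids (`%u %g`) would avoid that, but whether `$1`/`$2` can be mapped to ids depends on callers outside this hunk. `fixdir` begins before the hunk, so its argument validation is not visible here.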
@@ -130,9 +143,9 @@ fixdir ${VESPA_USER} ${VESPA_GROUP} 755 var/vespa/bundlecache
fixdir ${VESPA_USER} ${VESPA_GROUP} 755 var/vespa/bundlecache/configserver
fixdir ${VESPA_USER} ${VESPA_GROUP} 755 var/vespa/cache/config
-if [ "${VESPA_UNPRIVILEGED}" != yes ]; then
- chown -hR ${VESPA_USER} logs/vespa
- chown -hR ${VESPA_USER} var/db/vespa
+if [ "$(id -u)" -eq 0 ]; then
+ chown -hR ${VESPA_USER} logs/vespa
+ chown -hR ${VESPA_USER} var/db/vespa
fi
# END directory fixups
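Review bot: When not running as root, the recursive `chown -hR` of `logs/vespa` and `var/db/vespa` is skipped with no replacement check, so pre-existing files under those trees owned by another user would only surface later as runtime write failures; `fixdir` inspects a single directory, not its contents. An `else` branch that warns on stderr when `find logs/vespa var/db/vespa ! -user "${VESPA_USER}" -print -quit` prints anything would fit the sanity-check intent stated in the commit message. The `${VESPA_USER}` arguments to `chown` are unquoted here and should be written as `"${VESPA_USER}"`.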