author | Eirk Nygaard <eirik.nygaard@yahooinc.com> | 2022-10-20 10:49:35 +0000 |
committer | Eirk Nygaard <eirik.nygaard@yahooinc.com> | 2022-10-21 12:19:02 +0000 |
commit | 604af1235637971912bdc36d79decbac3bffe1bb (patch) | |
tree | fe087bb411b7e2d219b6cf0962ba555865c11671 /vespabase | |
parent | d585895070d794ac4535e49b72d8d4b8a30f49ae (diff) |
Support running Vespa in container as non-root
This removes the old VESPA_UNPRIVILEGED environment variable. Instead we use
the old mechanism if the id of the user starting Vespa is root. If the container
is started with a non-root user, some sanity checking is done to either fail
because wrong permissions are active, or warn the user about possibly too low
limits.
Diffstat (limited to 'vespabase')
-rwxr-xr-x | vespabase/src/common-env.sh | 53 | ||||
-rwxr-xr-x | vespabase/src/rhel-prestart.sh | 25 |
2 files changed, 55 insertions, 23 deletions
diff --git a/vespabase/src/common-env.sh b/vespabase/src/common-env.sh
index 628ebe6b074..41c25be4ac9 100755
--- a/vespabase/src/common-env.sh
+++ b/vespabase/src/common-env.sh
@@ -207,26 +207,45 @@ consider_fallback VESPA_USE_NO_VESPAMALLOC "vespa-rpc-invoke vespa-get-config v
 fixlimits () {
- # Cannot bump limits when not root (for testing)
- if [ "${VESPA_UNPRIVILEGED}" = yes ]; then
- return 0
- fi
- # number of open files:
- if varhasvalue file_descriptor_limit; then
- ulimit -n ${file_descriptor_limit} || exit 1
- elif [ `ulimit -n` -lt 262144 ]; then
- ulimit -n 262144 || exit 1
+ max_processes_limit=409600
+ if ! varhasvalue file_descriptor_limit; then
+ file_descriptor_limit=262144
 fi
- # core file size
- if [ `ulimit -c` != "unlimited" ]; then
- ulimit -c unlimited
- fi
+ max_processes=$(ulimit -u)
+ core_size=$(ulimit -c)
+ file_descriptor=$(ulimit -n)
+ # Warn if we Cannot bump limits when not root
+ if [ "$(id -u)" -ne 0 ]; then
+ # number of open files:
+ if [ $file_descriptor -lt $file_descriptor_limit ]; then
+ echo "Expected file descriptor limit to be at least $file_descriptor_limit, was $file_descriptor"
+ fi
+
+ # core file size
+ if [ "$core_size" != "unlimited" ]; then
+ echo "Expected core file size to be unlimited, was $core_size"
+ fi
+
+ # number of processes/threads
+ if [ "$max_processes" != "unlimited" ] && [ "$max_processes" -lt "$max_processes_limit" ]; then
+ echo "Expected max processes to be at least $max_processes_limit, was $max_processes"
+ fi
+ else
+ # number of open files:
+ if [ $file_descriptor -lt $file_descriptor_limit ]; then
+ ulimit -n files || exit 1
+ fi
- # number of processes/threads
- max_processes=`ulimit -u`
- if [ "$max_processes" != "unlimited" ] && [ "$max_processes" -lt 409600 ]; then
- ulimit -u 409600
+ # core file size
+ if [ "$core_size" != "unlimited" ]; then
+ ulimit -c unlimited
+ fi
+
+ # number of processes/threads
+ if [ "$max_processes" != "unlimited" ] && [ "$max_processes" -lt "$max_processes_limit" ]; then
+ ulimit -u "$max_processes_limit"
+ fi
 fi
 }
diff --git a/vespabase/src/rhel-prestart.sh b/vespabase/src/rhel-prestart.sh
index 79a8e61848c..0aedfb4622d 100755
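Review bot: The root branch's `ulimit -n files || exit 1` passes the literal word `files` instead of the computed limit, so a root start that actually needs the descriptor limit raised will have the shell reject the argument and the script exits 1 rather than raising it; the line should read `ulimit -n "$file_descriptor_limit" || exit 1`. The comparison `[ $file_descriptor -lt $file_descriptor_limit ]`, used in both branches, also breaks when `ulimit -n` reports `unlimited`, which the process-limit check next to it already guards against with `!= "unlimited"`; the same guard belongs here, and `$file_descriptor` should be quoted. The three warnings in the non-root branch are written to stdout, where they mix into whatever the caller captures; `>&2` is the conventional channel for diagnostics.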
--- a/vespabase/src/rhel-prestart.sh
+++ b/vespabase/src/rhel-prestart.sh
@@ -85,6 +85,7 @@ fi
 if [ "$VESPA_GROUP" = "" ]; then
 VESPA_GROUP=$(id -rgn)
 fi
+IS_ROOT=$([ "$(id -ru)" == "0" ] && echo true || echo false)
 cd $VESPA_HOME || { echo "Cannot cd to $VESPA_HOME" 1>&2; exit 1; }
@@ -94,9 +95,21 @@ fixdir () {
 exit 1
 fi
 mkdir -p "$4"
- if [ "${VESPA_UNPRIVILEGED}" != yes ]; then
- chown $1 "$4"
- chgrp $2 "$4"
+ if ! $IS_ROOT; then
+ local stat="$(stat -c "%U %G" $4)"
+ local user=${stat% *}
+ local group=${stat#* }
+ if [ "$1" != "$user" ]; then
+ echo "Wrong owner for $VESPA_HOME/$4, expected $1, was $user"
+ exit 1
+ fi
+ if [ "$2" != "$group" ]; then
+ echo "Wrong group for $VESPA_HOME/$4, expected $2, was $group"
+ exit 1
+ fi
+ else
+ chown $1 "$4"
+ chgrp $2 "$4"
 fi
 chmod $3 "$4"
 }
@@ -130,9 +143,9 @@ fixdir ${VESPA_USER} ${VESPA_GROUP} 755 var/vespa/bundlecache
 fixdir ${VESPA_USER} ${VESPA_GROUP} 755 var/vespa/bundlecache/configserver
 fixdir ${VESPA_USER} ${VESPA_GROUP} 755 var/vespa/cache/config
-if [ "${VESPA_UNPRIVILEGED}" != yes ]; then
- chown -hR ${VESPA_USER} logs/vespa
- chown -hR ${VESPA_USER} var/db/vespa
+if [ "$(id -u)" -eq 0 ]; then
+ chown -hR ${VESPA_USER} logs/vespa
+ chown -hR ${VESPA_USER} var/db/vespa
 fi
 # END directory fixups |
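Review bot: `IS_ROOT` is derived from the real uid (`id -ru`) while the later hunk at `@@ -130,9 +143,9 @@` tests the effective uid with `$(id -u)`, as does fixlimits in common-env.sh; the two agree unless the script runs with differing real and effective ids, but having two root tests in one file invites them to drift. Reusing the computed value in the later hunk, `if $IS_ROOT; then`, keeps a single root decision for the whole prestart. The `[ … ] && echo true || echo false` idiom only gives a correct value because `echo true` cannot fail; `IS_ROOT=false; [ "$(id -u)" -eq 0 ] && IS_ROOT=true` expresses the same without relying on that.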
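Review bot: `local stat="$(stat -c "%U %G" $4)"` leaves `$4` unquoted and lets `local` mask stat's exit status, so a missing or unreadable path yields empty `user`/`group` and a misleading `Wrong owner … was ` message instead of the stat error; split it into `local stat` and `stat=$(stat -c '%U %G' -- "$4") || exit 1`. When the container runs as a uid without a passwd entry, GNU stat prints `UNKNOWN` for `%U`, so the check rejects such runs even if the numeric owner matches — if that is intended it deserves a comment, otherwise comparing numeric ids (`%u %g`) would be more robust; presumably `$1`/`$2` are always names, confirm against the fixdir callers. The owner and group errors go to stdout while the neighbouring `cd` failure reports on stderr with `1>&2`. fixdir's opening line is outside the hunk.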