PMM-12530 run supervisor as non root (#2643)
* PMM-12530 remove clickhouse upgrade role

* PMM-12530 set pmm user for supervisord jobs

* PMM-12530 move supervisord configs to the role

* PMM-12530 move non-docker tasks to their own playbook

* PMM-12530 fix wrong copy of grafana.ini

* PMM-12530 fix wrong description

* PMM-12530 a few description fixes

* PMM-12530 fix wrong task syntax

* PMM-12530 use loop instead of with_items

* PMM-12530 use a different become method for supervisorctl

* PMM-12530 use a command to restart grafana

* PMM-12530 use an interim Dockerfile

* PMM-12530 update the port in the docs

* PMM-12530 remove the service task

* PMM-12530 use a base Dockerfile

* PMM-12530 remove user creation for non-docker

* PMM-12530 provision deps for the base image

* PMM-12530 clean up supervisord role

* PMM-12530 put back dummy creds

* PMM-12530 clean up ansible scripts

* PMM-12530 change ownership of the distro file

* PMM-12530 update the entrypoint

* PMM-12530 remove support for v1 paths

* PMM-12530 remove supervisord.service

* PMM-12530 add a config for ansible

* PMM-12530 fix permissions for maintenance file

* PMM-12530 move ansible to the build directory

* PMM-12530 switch to pmm user

* PMM-12530 clean up Dockerfile

* PMM-12530 optimize entrypoint and dir creation tasks

* PMM-12530 fix nginx failures

* PMM-12530 fix the syntax error

* PMM-12530 remove comments

* PMM-12530 update the easy install script

* PMM-12530 move ansible lint checks to a proper Makefile

* PMM-12530 fix wrong syntax in docker volume

* PMM-12530 update the task description

* PMM-12530 send nginx logs to /dev/std{err,out}
ademidoff authored Dec 18, 2023
1 parent b6acd98 commit 0c90f57
Showing 47 changed files with 355 additions and 512 deletions.
4 changes: 2 additions & 2 deletions README.md
Expand Up @@ -57,7 +57,7 @@ $ docker volume create pmm-data
3. Run PMM server container
```bash
$ docker run --detach --restart always \
--publish 443:443 \
--publish 443:8443 \
--volume pmm-data:/srv \
--name pmm-server \
percona/pmm-server:3
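Review bot: the change from `--publish 443:443` to `--publish 443:8443` is the user-visible consequence of running supervisord, and therefore nginx, as a non-root user that can no longer bind a privileged port inside the container, and the README should say so next to the command. It should also warn that existing deployments which publish `443:443` must update their `docker run` line, because after this commit the old mapping points at a container port nothing listens on and the UI simply becomes unreachable.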
Expand Down Expand Up @@ -99,4 +99,4 @@ As a general rule of thumb, please try to create bug reports that are:

## Licensing

Percona is dedicated to **keeping open source open**. Wherever possible, we strive to include permissive licensing for both our software and documentation. For this project, we are using the [GNU AGPLv3](https://github.com/percona/pmm/blob/main/LICENSE) license.
Percona is dedicated to **keeping open source open**. Wherever possible, we strive to include permissive licensing for both our software and documentation. For this project, we are using the [GNU AGPLv3](./LICENSE) license.
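Review bot: switching the licence link from the absolute GitHub URL to `./LICENSE` renders correctly on GitHub but breaks wherever this README is displayed outside the repository tree (a registry or package page that shows the README, for example); either keep the absolute URL or accept that the link is GitHub-only.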
1 change: 0 additions & 1 deletion api-tests/server/version_test.go
Expand Up @@ -34,7 +34,6 @@ import (
func TestVersion(t *testing.T) {
t.Parallel()
paths := []string{
"managed/v1/version",
"v1/version",
}
for _, path := range paths {
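Review bot: dropping `"managed/v1/version"` from `paths` removes the only test that touched the legacy prefix, but nothing in this hunk asserts that the path is now refused. Since the commit message says `remove support for v1 paths`, keep the old path in a negative test that expects a 404 (or whatever the nginx config now returns), so a future regression in the proxy configuration cannot silently re-expose the legacy endpoint.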
2 changes: 1 addition & 1 deletion api/nginx/nginx.conf
Expand Up @@ -3,7 +3,7 @@

daemon off;

error_log stderr info;
error_log /dev/stderr info;
# error_log stderr debug;

events {
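Review bot: the commented fallback on the next context line, `# error_log stderr debug;`, still uses the `stderr` keyword, so it should become `# error_log /dev/stderr debug;` as well, otherwise whoever toggles debug logging reintroduces the old form. Worth a one-line comment in the file: the `stderr` keyword reuses the master process's inherited fd 2, whereas `/dev/stderr` is opened as a path, so it depends on the non-root nginx user having permission on whatever `/proc/self/fd/2` points at; under supervisord that is supervisord's own log pipe, which is what makes this work, and it is the reason the change is tied to the non-root switch.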
33 changes: 18 additions & 15 deletions build/Makefile
Expand Up @@ -66,36 +66,39 @@ pmm-ami:
-var 'pmm_client_repo_name=percona-experimental-x86_64' \
-var 'pmm_server_repo=experimental' \
-only amazon-ebs -color=false \
packer/pmm.json
packer/pmm.json

pmm-ami-rc:
docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
build -var 'pmm_client_repos=original testing' \
-var 'pmm_client_repo_name=percona-testing-x86_64' \
-var 'pmm_server_repo=testing' \
-only amazon-ebs '-color=false' \
packer/pmm.json
-var 'pmm_client_repo_name=percona-testing-x86_64' \
-var 'pmm_server_repo=testing' \
-only amazon-ebs '-color=false' \
packer/pmm.json

pmm-ami-el9:
mkdir -p update && \
cp -r ../update/ansible/playbook/* update/ && \
sed -i 's|become_method: su|become_method: sudo|g' update/tasks/roles/postgres/tasks/main.yml && \
sed -i 's|become_method: su|become_method: sudo|g' ./roles/postgres/tasks/main.yml && \
docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
build -var 'pmm_client_repos=original experimental' \
-var 'pmm_client_repo_name=percona-experimental-x86_64' \
-var 'pmm_server_repo=experimental' \
-only amazon-ebs -color=false \
packer/pmm.el9.json
packer/pmm.el9.json

pmm-ami-el9-rc:
mkdir -p update && \
cp -r ../update/ansible/playbook/* update/ && \
sed -i 's|become_method: su|become_method: sudo|g' update/tasks/roles/postgres/tasks/main.yml && \
docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
build -var 'pmm_client_repos=original testing' \
-var 'pmm_client_repo_name=percona-testing-x86_64' \
sed -i 's|become_method: su|become_method: sudo|g' ./roles/postgres/tasks/main.yml && \
docker run --rm -v ${HOME}/.aws:/root/.aws -v `pwd`:/build -w /build hashicorp/packer:${PACKER_VERSION} \
build -var 'pmm_client_repos=original testing' \
-var 'pmm_client_repo_name=percona-testing-x86_64' \
-var 'pmm_server_repo=testing' \
-only amazon-ebs '-color=false' \
packer/pmm.el9.json
-only amazon-ebs '-color=false' \
packer/pmm.el9.json

## ----------------- PACKER ------------------

check: ## Run required checkers and linters
ansible-playbook --syntax-check ansible/pmm-docker/update.yml
ansible-playbook --check ansible/pmm-docker/update.yml
ansible-lint ansible/pmm-docker/update.yml
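Review bot: in `pmm-ami-el9` and `pmm-ami-el9-rc` the `sed -i` target moved to `./roles/postgres/tasks/main.yml`, but the preceding `mkdir -p update && cp -r ../update/ansible/playbook/* update/` lines still copy the old playbook location, so either the copied tree is now unused or the `sed` edits the wrong copy; confirm which path packer actually consumes and drop the other. Editing a tracked file in place to flip `become_method: su` to `sudo` also dirties the checkout on every AMI build; a play-level variable for the AMI case would avoid that. Finally, the new `check` target lints only `ansible/pmm-docker/update.yml`; the initialization playbook and the other playbooks moved in this commit should be covered too. The rest of the hunk is indentation-only.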
File renamed without changes.
11 changes: 11 additions & 0 deletions build/ansible/ansible.cfg
@@ -0,0 +1,11 @@
# This is the default ansible.cfg file.
# It necessary for ansible to work properly when it acts as 'pmm' user.
# Otherwise, it will fail with 'Permission denied' error since the default paths are '/root/.ansible/tmp'
# Ref: https://github.com/ansible/ansible/blob/stable-2.9/examples/ansible.cfg
[defaults]

remote_tmp = /tmp
local_tmp = /tmp

# additional paths to search for roles in, colon separated
roles_path = /opt/ansible/roles
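Review bot: the comment says the default path is `/root/.ansible/tmp`, but Ansible's default is `~/.ansible/tmp`; it resolves to `/root` only because the `pmm` user inherits `HOME=/root` (or no `HOME` at all) when the playbook is launched, so the root cause is the environment and setting `HOME` for `pmm` in the image or the supervisord program `environment=` would fix it without this file. If `/tmp` is kept, it is acceptable: Ansible creates a per-run `ansible-tmp-*` directory under a restrictive umask, so other users sharing `/tmp` cannot read the staged module payloads. Typo in the second comment line: `It necessary` should read `It is necessary`.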
Original file line number Diff line number Diff line change
Expand Up @@ -2,8 +2,10 @@
# This playbook contains tasks executed during initialization PMM Server
- hosts: localhost
become: true
become_method: su
become_user: pmm
gather_facts: true
tasks:
- name: Run initialization role
include_role:
name: initialization


roles:
- initialization
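Review bot: `become: true` with `become_user: pmm` and `become_method: su` at play level requires the caller to be root (or to know pmm's password) for every task. Since the same commit switches the container entrypoint to the `pmm` user, state who runs this playbook: if it is already `pmm`, `become` is redundant and `su` will prompt or fail; if it is root, plain `become_user: pmm` with the default method is simpler. Replacing `roles: - initialization` with `tasks: include_role` is equivalent for this play as it stands, but `roles:` runs before `tasks:`, so any task added to the play later now runs after the role instead of before it; fine if intended, worth a comment if not. The two trailing blank lines can go.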
Original file line number Diff line number Diff line change
Expand Up @@ -9,19 +9,19 @@
PATH: /usr/local/bin:{{ ansible_env.PATH }}

pre_tasks:
- name: detect /srv/pmm-distribution
- name: Detect /srv/pmm-distribution
stat:
path: /srv/pmm-distribution
no_log: true
register: srv_pmm_distribution

- name: detect containers
- name: Detect container environment
set_fact:
is_docker: '{{ lookup("file", "/srv/pmm-distribution") == "docker" }}'
no_log: true
when: srv_pmm_distribution.stat.exists

- name: force container
- name: Set the variable to true if undefined
set_fact:
is_docker: true
when: is_docker is undefined
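Review bot: `no_log: true` on the `stat` and `set_fact` tasks protects nothing sensitive (a file path and a boolean) but suppresses the registered result from verbose output, which makes a wrong `is_docker` detection hard to debug; drop it. The fallback task that forces `is_docker: true` when the marker file is missing also means a host without `/srv/pmm-distribution` is silently treated as a container; since non-docker tasks now live in their own playbook, say so in a comment so nobody later reads the default as a bug.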
Expand All @@ -31,19 +31,10 @@
copy:
src: maintenance.html
dest: /usr/share/pmm-server/maintenance/
owner: pmm
group: pmm
mode: 0644

- name: Cleanup yum metadata
command: yum clean metadata
become: true
tags:
- skip_ansible_lint

- name: Upgrade supervisor config
copy:
src: pmm.ini
dest: /etc/supervisord.d/pmm.ini

# restart pmm-managed-init and pmm-managed first as they may update supervisord configuration on start
- name: Generate new supervisor config
command: pmm-managed-init
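Review bot: removing the `pmm.ini` copy here is consistent with moving supervisord configs into the role, but the surviving context comment `# restart pmm-managed-init and pmm-managed first as they may update supervisord configuration on start` now refers to a file this playbook no longer places; reword it. Adding `owner: pmm` / `group: pmm` on `maintenance.html` is what the non-root nginx needs to serve the page; a short comment saying that is why the ownership changed would keep the next reader from "fixing" it back to root.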
Expand All @@ -57,59 +48,17 @@
option: autostart
value: "false"

- name: Upgrade supervisord config
copy:
src: supervisord.ini
dest: /etc/supervisord.d/supervisord.ini

- name: Remove supervisord
file:
state: absent
path: /etc/supervisord.d/supervisord.ini
when: not is_docker

# Set forking type to 'simple'
- name: Configure systemd
when: not is_docker
copy:
src: supervisord.service
dest: /usr/lib/systemd/system/supervisord.service
mode: 0644

- name: Remove old supervisord service configuration
when: not is_docker
file:
path: /etc/systemd/system/supervisord.service
state: absent

# Start the services
- name: Enable supervisord | Make the service persist between reboots
when: not is_docker
systemd:
name: supervisord
enabled: yes

- name: Supervisord start | Start supervisord service for AMI/OVF
when: not is_docker
systemd:
name: supervisord
state: started # supervisord may already be running
daemon_reload: yes

- name: Check that supervisor socket exists
stat:
path: /run/supervisor/supervisor.sock
register: is_supervisor_running

- name: Start supervisord for docker
when:
- is_docker
- not is_supervisor_running.stat.exists
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
register: supervisor_socket

# During build time, this will be the first start of supervisord.
- name: Start supervisord
when: not supervisor_socket.stat.exists
shell: supervisord -c /etc/supervisord.conf &

- name: Wait until postgres port is present before continuing
- name: Wait until postgres port is present
wait_for:
host: localhost
port: 5432
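Review bot: `shell: supervisord -c /etc/supervisord.conf &` returns immediately, so the following `wait_for` on port 5432 is the only thing that stops the play from racing supervisord, and it only works because postgres autostarts; add a `wait_for` with `path: /run/supervisor/supervisor.sock` right after the start so the later `supervisorctl` calls do not fail with a missing-socket error. If `/etc/supervisord.conf` sets `nodaemon=true` (usual for containers), a backgrounded process that keeps the task's stdout open can block the `shell` task until it exits; redirect its output or use `async` with `poll: 0`. Also confirm the image creates `/run/supervisor` owned by `pmm`, since supervisord now runs unprivileged and the socket check at `supervisor_socket` will never succeed otherwise.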
Expand All @@ -118,95 +67,51 @@
- name: Run initialization playbook
include_role:
name: initialization
vars:
ui_upgrade: True

- name: Enable crond service
when: not is_docker
service:
name: crond
state: started
enabled: yes

- name: Increase number of open files for jobs
when: not is_docker
ini_file:
dest: /etc/supervisord.conf
section: supervisord
option: minfds
value: "800000"

# See https://github.com/Supervisor/supervisor/issues/1264 for explanation
# why we do reread + stop/remove/add instead of using supervisorctl Ansible module.
- name: Reread supervisord configuration EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
- name: Reread supervisord configuration
command: supervisorctl reread
become: true
become_user: pmm
become_method: su
register: reread_result
changed_when: "'No config updates to processes' not in reread_result.stdout"

- name: Check reread results
debug: var=reread_result.stdout_lines

- name: Restart pmm-managed EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
command: supervisorctl {{ item }} pmm-managed
- name: Restart pmm-managed
command: "supervisorctl {{ item }} pmm-managed"
become: true
changed_when: true
with_items: ["stop", "remove", "add"]

# give pmm-managed time to update supervisord configuration,
become_user: pmm
become_method: su
loop:
- stop
- remove
- add

# Give pmm-managed time to update supervisord configuration,
# and give update UI time to catch up after pmm-managed restart
- name: Wait for pmm-managed
pause: seconds=10

# Fix things that should be fixed before restarts.

- name: Stop systemd pmm-agent service, if running
systemd:
name: pmm-agent
state: stopped
enabled: no
when: not is_docker

# https://jira.percona.com/browse/PMM-9298
- name: Copy rezise-xfs file for lvm
copy:
src: resize-xfs-lvm
dest: /var/lib/cloud/scripts/per-boot/resize-xfs
mode: 0755
when: not is_docker

# https://jira.percona.com/browse/PMM-5271
- name: Check volume size
when: not is_docker
replace:
dest: /var/lib/cloud/scripts/per-boot/resize-xfs
regexp: "set -o errexit"
replace: ""

- name: Reread supervisord configuration again EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
- name: Reread supervisord configuration again
command: supervisorctl reread
register: reread_result
changed_when: "'No config updates to processes' not in reread_result.stdout"

- name: Check reread results
debug: var=reread_result.stdout_lines

- name: Restart services EL9
when:
- is_docker
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
- name: Restart services
command: supervisorctl {{ item.1 }} {{ item.0 }}
become: true
changed_when: true
become_user: pmm
become_method: su
# changed_when: true
with_nested:
- - nginx
- grafana
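Review bot: the `become: true` / `become_user: pmm` / `become_method: su` block is added to the first `Reread supervisord configuration`, `Restart pmm-managed` and `Restart services`, but `Reread supervisord configuration again` in this hunk (and the reread and update tasks in the next one) keep no `become`, so those run as whichever user executes the playbook; either every `supervisorctl` call needs it or none does, and mixing them will break the moment the caller is not `pmm`. Commenting out `changed_when: true` on `Restart services` leaves a `command` task that reports changed on every run and trips ansible-lint's `no-changed-when`, which the new `check` target runs; restore it. A one-line comment on why `su` was chosen over the default `become` method (the commit message mentions it) would save the next person the archaeology.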
Expand Down Expand Up @@ -237,31 +142,27 @@
query: UPDATE "user" SET id='1' WHERE login='admin';
when: not ansible_check_mode

# we need to put this step as one of the last steps, because it removes pmm.ini
- name: Remove redundant packages
yum:
state: absent
name:
- logrotate # https://jira.percona.com/browse/PMM-7627
# - name: Remove redundant packages
# yum:
# state: absent
# name:
# - logrotate # https://jira.percona.com/browse/PMM-7627

# Regenerating pmm.ini and enabling pmm-update-perform-init
- name: Generate new supervisor config
command: pmm-managed-init
become: true
become_user: pmm
become_method: su
register: managed_init_result
changed_when: True

- name: Reread pmm-update-perform-init supervisor config EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
- name: Reread pmm-update-perform-init supervisor config
command: supervisorctl reread
register: reread_init__result
changed_when: "'No config updates to processes' not in reread_init__result.stdout"

- name: Update/restart other services EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
- name: Update/restart other services
command: supervisorctl update
register: update_result
changed_when: "'updated' in update_result.stdout"
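Review bot: `Remove redundant packages` is commented out rather than deleted, and the comment two lines above it, `# we need to put this step as one of the last steps, because it removes pmm.ini`, now describes a task that never runs; delete both, or keep the task with a note on why the logrotate removal (PMM-7627) is deferred. `Generate new supervisor config` gains the `become` block while `Reread pmm-update-perform-init supervisor config` and `Update/restart other services` directly below it do not, the same inconsistency as earlier in the file.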
Expand All @@ -281,10 +182,7 @@

# SIGUSR2 is sent to supervisord by pmm-managed right before the update for logging to work correctly.
# We use that fact to show what was restarted during the update.
- name: Get supervisord logs EL9
when:
- ansible_distribution == 'OracleLinux' or ansible_distribution == 'AlmaLinux'
- ansible_distribution_major_version == '9'
- name: Get supervisord logs
shell: supervisorctl maintail -100000 | tac | awk '!flag; /received SIGUSR2/{flag = 1};' | tac
register: maintail_result
changed_when: False
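Review bot: dropping the EL9 guard from `Get supervisord logs` is consistent with the other removals in this file, but confirm that no EL7 host can still reach this playbook. The `shell` pipeline `supervisorctl maintail -100000 | tac | awk ... | tac` has no `set -o pipefail`, so a failing `supervisorctl` (for example a socket the `pmm` user cannot open) is masked by the trailing `tac` exit status, and `changed_when: False` hides it further; prefix the command with `set -o pipefail &&` and set `args: executable: /bin/bash`, which is also what ansible-lint's `risky-shell-pipe` rule expects.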
Original file line number Diff line number Diff line change
@@ -1,3 +1,4 @@
# TODO: This role seems to no longer be used. Verify and remove.
- hosts: localhost
become: true
gather_facts: true
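Review bot: a `# TODO: This role seems to no longer be used. Verify and remove.` on a play that still carries `become: true` (root) should be resolved before merge or at least reference a ticket; an unused root-level playbook left in the tree is both a maintenance burden and an unnecessary privileged entry point, and the cleanup is already tracked under PMM-12530.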
File renamed without changes.
File renamed without changes.
File renamed without changes.