action #177066: Prevent _openqa-worker to install random packages size:S
Status: closed
Parent task: coordination #161414: [epic] Improved salt based infrastructure management
Description
Motivation
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/21108/files#diff-c61b6b7d08adaeb720aec789fbe11aff6a52dc44c3abc09b428fb8cb8cc46fa5R799 - "anything that speaks against removing sudo-permissions to [_openqa-worker] user?"
We already explicitly give sudo only to each individual user, but also to _openqa-worker in https://gitlab.suse.de/openqa/salt-states-openqa/-/blob/master/openqa/worker.sls#L323, which is apparently needed for the openQA multi-machine setup, possibly for /etc/wicked/scripts/gre_tunnel_preup.sh.
But we never gave sudo to _openqa-worker on o3 workers, and there is AppArmor. It can't be that severe. How about just removing that rule from salt, and then we can selectively remove the remaining sudoers file on the workers one by one and monitor?
Acceptance criteria
- AC1: _openqa-worker is not able to execute any commands with root level permissions
Suggestions
- Learn https://neo-layout.org/ to type faster
- Remove the rule from salt
- Then remove the sudoers file for _openqa-worker on the workers one by one and monitor for impact, e.g. auth denials in the logs or the system journal, openQA tests failing, etc.
- Inform in the original PR
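A check for AC1 and for the monitoring step above, added here as an example (not code from the ticket or from the salt-states-openqa repository). It assumes journal lines in the default short format, e.g. from `journalctl -t sudo`; the sample journal excerpt is constructed:

```shell
#!/bin/sh
# Added example: after /etc/sudoers.d/_openqa-worker is removed, verify the
# drop-in is gone (AC1 precondition) and scan journal output for sudo refusals
# of _openqa-worker, the "auth denied in logs" signal the ticket says to monitor.

SUDOERS_FILE=/etc/sudoers.d/_openqa-worker
WORKER_USER=_openqa-worker

# 0 if the sudoers drop-in is gone, 1 if it still exists (argument overrides the path).
sudoers_dropin_absent() {
    [ ! -e "${1:-$SUDOERS_FILE}" ]
}

# Print journal lines (stdin) where sudo refused $WORKER_USER. sudo logs
# "user NOT in sudoers" when no rule exists and "command not allowed" when a
# rule exists but does not cover the command; an allowed run logs neither phrase.
sudo_denials() {
    grep -E "sudo\[[0-9]+\]: *${WORKER_USER} : (user NOT in sudoers|command not allowed)"
}

# Number of refusals in the journal text given on stdin.
count_sudo_denials() {
    sudo_denials | wc -l | tr -d ' '
}

# Refused commands, one per line, to match against failing openQA jobs.
denied_commands() {
    sudo_denials | sed -n 's/.*COMMAND=//p'
}

# Constructed journal excerpt for demonstration (not real worker output).
sample_journal() {
    cat <<'EOF'
Mar 05 10:01:02 worker29 sudo[4242]: _openqa-worker : user NOT in sudoers ; TTY=unknown ; PWD=/var/lib/openqa/pool/1 ; USER=root ; COMMAND=/usr/bin/zypper in some-package
Mar 05 10:01:05 worker29 sudo[4243]:   geekotest : TTY=pts/0 ; PWD=/home/geekotest ; USER=root ; COMMAND=/usr/bin/systemctl restart openqa-worker@1
Mar 05 10:02:00 worker29 sudo[4250]: _openqa-worker : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/bin/sh /etc/wicked/scripts/gre_tunnel_preup.sh
EOF
}

# Stand-alone run on the sample; on a worker feed `journalctl -t sudo --since -1d` instead.
echo "sudoers drop-in absent: $(sudoers_dropin_absent && echo yes || echo no)"
echo "denials: $(sample_journal | count_sudo_denials)"
sample_journal | denied_commands
```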
Updated by jbaier_cz 27 days ago
- Related to action #177393: salt pipelines fail due to missing shadow on w16+17 added
Updated by robert.richardson 27 days ago
- Subject changed from Prevent _openqa-worker to install random packages to Prevent _openqa-worker to install random packages size: S
- Description updated (diff)
- Status changed from New to Workable
Updated by robert.richardson 21 days ago
- Status changed from Workable to In Progress
Updated by robert.richardson 20 days ago
jbaier_cz wrote in #note-6:
I guess you are working on it?
Just started with the suggested PR.
So not much done yet, do you want to take the ticket instead?
Updated by openqa_review 20 days ago
- Due date set to 2025-03-11
Setting due date based on mean cycle time of SUSE QE Tools
Updated by livdywan 19 days ago
As discussed:
- Please mention jobs you're looking at
- Apply salt changes?
- https://gitlab.suse.de/openqa/salt-states-openqa/-/merge_requests/1384/diffs was merged. Is this effective yet?
- Please provide examples of jobs that run (not necessarily passing)
Updated by robert.richardson 19 days ago
- Status changed from In Progress to Resolved
I have manually removed the file /etc/sudoers.d/_openqa-worker from several workers (diesel, grenache, mania, worker29 - worker40) yesterday and so far couldn't find any permission related errors.
-> example run with parallel dependencies
So I have now removed the file from all workers:
> sudo salt -C 'G@roles:worker' cmd.run 'rm /etc/sudoers.d/_openqa-worker'
Updated by okurz 18 days ago
- Due date deleted (2025-03-11)
Today's osd deployment failed due to an agama_devel repository which was also pulled in by tests. I fixed that with `sudo salt \* cmd.run 'zypper rr systemsmanagement_Agama_Devel'`. I assume the work in this ticket is enough to prevent that in the future.