Project

General

Profile

Actions
Copy link

action #177066

closed

coordination #161414: [epic] Improved salt based infrastructure management

Prevent _openqa-worker to install random packages size:S

Added by okurz 3 months ago. Updated 2 months ago.

Status:
Resolved
Priority:
Normal
Assignee:
robert.richardson
Category:
Feature requests
Target version:
openQA Project (public) - Ready
Start date:
2025-02-12
Due date:
% Done:

0%

Estimated time:
Tags:
multi-machine, osd, security, salt, infra, reactive work, sudo

Description

Motivation

https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/21108/files#diff-c61b6b7d08adaeb720aec789fbe11aff6a52dc44c3abc09b428fb8cb8cc46fa5R799 - "anything that speaks against removing sudo-permissions to [_openqa-worker] user?"

we already explicitly only give sudo to each individual but also _openqa-worker in https://gitlab.suse.de/openqa/salt-states-openqa/-/blob/master/openqa/worker.sls#L323 which apparently is needed for the openQA multi-machine setup, possibly /etc/wicked/scripts/gre_tunnel_preup.sh
But we never gave sudo to _openqa-worker on o3 workers and there is apparmor. It can't be that severe. How about just removing that rule and then we can selectively remove the residing file one by one and monitor?

Acceptance criteria

  • AC1: _openqa-worker is not able to execute any commands with root level permissions

Suggestions

  • Learn https://neo-layout.org/ to type faster
  • Remove the rule from salt
  • Then remove the sudoers file for _openqa-worker on workers one by one and monitor for impact, e.g. auth denied in logs or system journal or openQA tests failing, etc.
  • Inform in the original PR

Related issues 1 (0 open1 closed)

Related to openQA Infrastructure (public) - action #177393: salt pipelines fail due to missing shadow on w16+17Resolvednicksinger2025-02-17

Actions
Actions
Copy link

Also available in: Atom PDF