action #177066
closed
coordination #161414: [epic] Improved salt based infrastructure management
Prevent _openqa-worker from installing random packages size:S
Description
Motivation
https://github.com/os-autoinst/os-autoinst-distri-opensuse/pull/21108/files#diff-c61b6b7d08adaeb720aec789fbe11aff6a52dc44c3abc09b428fb8cb8cc46fa5R799 - "anything that speaks against removing sudo-permissions to [_openqa-worker] user?"
We already explicitly give sudo only to individual users, but also to _openqa-worker in https://gitlab.suse.de/openqa/salt-states-openqa/-/blob/master/openqa/worker.sls#L323, which apparently is needed for the openQA multi-machine setup, possibly for /etc/wicked/scripts/gre_tunnel_preup.sh.
But we never gave sudo to _openqa-worker on o3 workers, and there is AppArmor. It can't be that severe. How about just removing that rule, and then we can selectively remove the remaining sudoers file on each worker one by one and monitor?
Acceptance criteria
- AC1: _openqa-worker is not able to execute any commands with root-level permissions
Suggestions
- Learn https://neo-layout.org/ to type faster
- Remove the rule from salt
- Then remove the sudoers file for _openqa-worker on workers one by one and monitor for impact, e.g. auth denied messages in logs or the system journal, openQA tests failing, etc.
- Inform in the original PR
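An added example of the AC1 check and the monitoring step from the suggestions above (not from the ticket or from salt-states-openqa): the first helper judges the output of `sudo -l -U _openqa-worker` from a worker, the other two count and list denied sudo attempts by that user in journal text. The hostname, PIDs and all sample lines are constructed.

```shell
#!/bin/sh
# Helpers to verify AC1 (no root-level commands for _openqa-worker) and to
# monitor for denied sudo attempts while the sudoers files are removed.
# All sample data below is constructed; hostnames and PIDs are made up.

WORKER_USER="_openqa-worker"

# sudo_rights_ok: pass it the output of `sudo -l -U _openqa-worker` from a
# worker; succeeds only when sudo reports that the user has no rights at all.
sudo_rights_ok() {
    case "$1" in
        *"User ${WORKER_USER} is not allowed to run sudo"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Journal lines for denied attempts look like
#   sudo[PID]: _openqa-worker : user NOT in sudoers ; ... ; COMMAND=...
#   sudo[PID]: _openqa-worker : command not allowed ; ... ; COMMAND=...
DENIED_RE="sudo\[[0-9]+\]: +${WORKER_USER} : (user NOT in sudoers|command not allowed)"

# count_sudo_denials: number of denied sudo attempts by the worker user in
# the journal text given as $1 (e.g. the output of `journalctl _COMM=sudo`).
count_sudo_denials() {
    printf '%s\n' "$1" | grep -Ec "$DENIED_RE" || true
}

# denied_commands: the COMMAND= part of each denied attempt, one per line,
# so the impact on tests (e.g. multi-machine setup scripts) can be judged.
denied_commands() {
    printf '%s\n' "$1" | grep -E "$DENIED_RE" | sed -n 's/.*COMMAND=//p'
}

# Constructed sample journal: two denied attempts by the worker user, one
# legitimate root action, one unrelated sshd line.
SAMPLE_JOURNAL='Mar 03 10:00:01 worker1 sudo[1234]: _openqa-worker : user NOT in sudoers ; TTY=unknown ; PWD=/var/lib/openqa/pool/1 ; USER=root ; COMMAND=/usr/bin/zypper -n in vim
Mar 03 10:00:02 worker1 sudo[1235]:     root : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/systemctl restart openqa-worker@1
Mar 03 10:00:03 worker1 sudo[1236]: _openqa-worker : command not allowed ; TTY=unknown ; PWD=/ ; USER=root ; COMMAND=/usr/bin/zypper -n in git
Mar 03 10:00:04 worker1 sshd[1300]: Accepted publickey for _openqa-worker from 10.0.0.5 port 40000'

# Constructed `sudo -l -U` outputs: before (rule still present) and after removal.
SUDO_L_BEFORE='User _openqa-worker may run the following commands on worker1:
    (ALL) NOPASSWD: ALL'
SUDO_L_AFTER='User _openqa-worker is not allowed to run sudo on worker1.'

sudo_rights_ok "$SUDO_L_BEFORE" && echo "before: AC1 met" || echo "before: AC1 NOT met"
sudo_rights_ok "$SUDO_L_AFTER"  && echo "after: AC1 met"  || echo "after: AC1 NOT met"
echo "denied attempts: $(count_sudo_denials "$SAMPLE_JOURNAL")"
denied_commands "$SAMPLE_JOURNAL"
```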