Skip to content

Commit 0eab808

Browse files
kylecarbskylecarbs
committed
fix: Remove "coder" user and group from systemd service
This caused an inability to listen on privileged ports and read certs from LetsEncrypt. It seems more hurtful rather than helpful, so removing the restriction seems reasonable.
1 parent d371a66 commit 0eab808

File tree

2 files changed

+15
-18
lines changed

2 files changed

+15
-18
lines changed

cli/start.go

Lines changed: 13 additions & 14 deletions
Original file line numberDiff line numberDiff line change
@@ -68,11 +68,8 @@ func start() *cobra.Command {
6868
}
6969
defer listener.Close()
7070

71-
tlsConfig := &tls.Config{
72-
MinVersion: tls.VersionTLS12,
73-
}
7471
if tlsEnable {
75-
listener, err = configureTLS(tlsConfig, listener, tlsMinVersion, tlsClientAuth, tlsCertFile, tlsKeyFile, tlsClientCAFile)
72+
listener, err = configureTLS(listener, tlsMinVersion, tlsClientAuth, tlsCertFile, tlsKeyFile, tlsClientCAFile)
7673
if err != nil {
7774
return xerrors.Errorf("configure tls: %w", err)
7875
}
@@ -156,10 +153,11 @@ func start() *cobra.Command {
156153
handler, closeCoderd := coderd.New(options)
157154
client := codersdk.New(localURL)
158155
if tlsEnable {
159-
// Use the TLS config here. This client is used for creating the
160-
// default user, among other things.
156+
// Secure transport isn't needed for locally communicating!
161157
client.HTTPClient.Transport = &http.Transport{
162-
TLSClientConfig: tlsConfig,
158+
TLSClientConfig: &tls.Config{
159+
InsecureSkipVerify: true,
160+
},
163161
}
164162
}
165163

@@ -211,15 +209,13 @@ func start() *cobra.Command {
211209
// such as via the systemd service.
212210
_ = config.URL().Write(client.URL.String())
213211

214-
hasFirstUser, err := client.HasFirstUser(cmd.Context())
215-
if err != nil {
216-
return xerrors.Errorf("check for first user: %w", err)
217-
}
218-
219212
_, _ = fmt.Fprintf(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render(cliui.Styles.Wrap.Render(cliui.Styles.Prompt.String()+`Started in `+
220213
cliui.Styles.Field.Render("production")+` mode. All data is stored in the PostgreSQL provided! Press `+cliui.Styles.Field.Render("ctrl+c")+` to gracefully shutdown.`))+"\n")
221214

222-
if !hasFirstUser {
215+
hasFirstUser, err := client.HasFirstUser(cmd.Context())
216+
if !hasFirstUser && err == nil {
217+
// This could fail for a variety of TLS-related reasons.
218+
// This is a helpful starter message, and not critical for user interaction.
223219
_, _ = fmt.Fprint(cmd.OutOrStdout(), cliui.Styles.Paragraph.Render(cliui.Styles.Wrap.Render(cliui.Styles.FocusedPrompt.String()+`Run `+cliui.Styles.Code.Render("coder login "+client.URL.String())+" in a new terminal to get started.\n")))
224220
}
225221
}
@@ -422,7 +418,10 @@ func printLogo(cmd *cobra.Command) {
422418
`)
423419
}
424420

425-
func configureTLS(tlsConfig *tls.Config, listener net.Listener, tlsMinVersion, tlsClientAuth, tlsCertFile, tlsKeyFile, tlsClientCAFile string) (net.Listener, error) {
421+
func configureTLS(listener net.Listener, tlsMinVersion, tlsClientAuth, tlsCertFile, tlsKeyFile, tlsClientCAFile string) (net.Listener, error) {
422+
tlsConfig := &tls.Config{
423+
MinVersion: tls.VersionTLS12,
424+
}
426425
switch tlsMinVersion {
427426
case "tls10":
428427
tlsConfig.MinVersion = tls.VersionTLS10

coder.service

Lines changed: 2 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -10,15 +10,13 @@ StartLimitBurst=3
1010
[Service]
1111
Type=notify
1212
EnvironmentFile=/etc/coder.d/coder.env
13-
User=coder
14-
Group=coder
1513
ProtectSystem=full
1614
ProtectHome=read-only
1715
PrivateTmp=yes
1816
PrivateDevices=yes
1917
SecureBits=keep-caps
20-
AmbientCapabilities=CAP_IPC_LOCK CAP_NET_BIND_SERVICE
21-
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
18+
AmbientCapabilities=CAP_IPC_LOCK
19+
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK CAP_NET_BIND_SERVICE
2220
NoNewPrivileges=yes
2321
ExecStart=/usr/bin/coder start
2422
Restart=on-failure

0 commit comments

Comments
 (0)