Skip to content

Make gcp-linux example template use a non-root user #2480

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Aug 3, 2022
Merged

Make gcp-linux example template use a non-root user #2480

merged 6 commits into from
Aug 3, 2022

Conversation

dwahler
Copy link
Contributor

@dwahler dwahler commented Jun 17, 2022

Create a non-root user on startup and run the init script as that user, similar to what we do for AWS.

See issue #2178

@dwahler dwahler requested review from spikecurtis and a team June 17, 2022 19:09
deansheather
deansheather reviewed Jun 17, 2022
View reviewed changes
examples/templates/gcp-linux/main.tf Outdated
Comment on lines 80 to 82
useradd -m -s /bin/bash "${local.linux_user}"
echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user
exec sudo -u "${local.linux_user}" sh -c '${coder_agent.dev.init_script}'
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Since it's a persistent root disk, wouldn't this fail on subsequent boots since it doesn't check if the user already exists first?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's a good point actually Dean -- I didn't know this before, but apparently on EC2 the user metadata script only runs on first boot by default, whereas on GCP it runs on every boot.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, good catch.

I originally wanted to just take the same approach that we use for AWS and create the user with cloud-init, which I now realize would have handled this. But unfortunately, cloud-init is excluded from the GCE variants of the Debian cloud images: https://salsa.debian.org/cloud-team/debian-cloud-images/-/issues/41

johnstcn
johnstcn reviewed Jun 17, 2022
View reviewed changes
examples/templates/gcp-linux/main.tf Outdated
/root/coder_agent.sh

useradd -m -s /bin/bash "${local.linux_user}"
echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user
[ ! -e /etc/sudoers.d/coder-user ] && echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user

johnstcn
johnstcn reviewed Jun 17, 2022
View reviewed changes
examples/templates/gcp-linux/main.tf Outdated
export HOME=/root
/root/coder_agent.sh

useradd -m -s /bin/bash "${local.linux_user}"
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
useradd -m -s /bin/bash "${local.linux_user}"
grep "${local.linux_user}" /etc/passwd > /dev/null 2>&1 || useradd -m -s /bin/bash "${local.linux_user}"

@dwahler
Copy link
Contributor Author

dwahler commented Jul 1, 2022

I modified the suggested fix slightly so that we only create /etc/sudoers.d/coder-user on the first workspace start, rather than recreating it whenever it doesn't exist. This matches the behavior of our AWS template.

@github-actions
Copy link

This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity.

@github-actions github-actions bot added stale This issue is like stale bread. and removed stale This issue is like stale bread. labels Jul 23, 2022
@ammario ammario added the stale This issue is like stale bread. label Jul 24, 2022
@github-actions github-actions bot removed the stale This issue is like stale bread. label Jul 24, 2022
@github-actions
Copy link

github-actions bot commented Aug 1, 2022

This Pull Request is becoming stale. In order to minimize WIP, prevent merge conflicts and keep the tracker readable, I'm going close to this PR in 3 days if there isn't more activity.

@github-actions github-actions bot added the stale This issue is like stale bread. label Aug 1, 2022
@dwahler dwahler removed the stale This issue is like stale bread. label Aug 3, 2022
@dwahler dwahler merged commit 9f54fa8 into main Aug 3, 2022
@dwahler dwahler deleted the david/gcp-template-nonroot branch August 3, 2022 23:07
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@johnstcn johnstcn johnstcn approved these changes

@deansheather deansheather deansheather left review comments

@spikecurtis spikecurtis Awaiting requested review from spikecurtis

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@dwahler @johnstcn @deansheather @ammario