From 4531a39e0e6ac14a8793fe0f8f5ca5d715be6f96 Mon Sep 17 00:00:00 2001
From: dwahler
Date: Fri, 17 Jun 2022 19:05:12 +0000
Subject: [PATCH 1/5] make gcp-linux example template use a non-root user
---
examples/templates/gcp-linux/main.tf | 23 +++++++++++------------
1 file changed, 11 insertions(+), 12 deletions(-)
diff --git a/examples/templates/gcp-linux/main.tf b/examples/templates/gcp-linux/main.tf
index d97bdae3126a5..875253bd05591 100644
--- a/examples/templates/gcp-linux/main.tf
+++ b/examples/templates/gcp-linux/main.tf
@@ -70,21 +70,20 @@ resource "google_compute_instance" "dev" {
email = data.google_compute_default_service_account.default.email
scopes = ["cloud-platform"]
}
-# The startup script runs as root with no $HOME environment set up, which can break workspace applications, so
-# instead of directly running the agent init script, setup the home directory, write the init script, and then execute
-# it.
+# The startup script runs as root with no $HOME environment set up, so instead of directly
+# running the agent init script, create a user (with a homedir, default shell and sudo
+# permissions) and execute the init script as that user.
metadata_startup_script = < /root/coder_agent.sh
-${coder_agent.dev.init_script}
-EOCODER
-chmod +x /root/coder_agent.sh
-
-export HOME=/root
-/root/coder_agent.sh
-
+useradd -m -s /bin/bash "${local.linux_user}"
+echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user
+exec sudo -u "${local.linux_user}" sh -c '${coder_agent.dev.init_script}'
EOMETA
}
+
+locals {
+ # Ensure Coder username is a valid Linux username
+ linux_user = lower(substr(data.coder_workspace.me.owner, 0, 32))
+}
From 3f841e4483f5bb669ea8265bcb36fc2dc0e4102e Mon Sep 17 00:00:00 2001
From: dwahler
Date: Thu, 30 Jun 2022 22:31:46 +0000
Subject: [PATCH 2/5] don't try to create user account if it already exists
---
examples/templates/gcp-linux/main.tf | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
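Review bot: The added `exec sudo -u "${local.linux_user}" sh -c '${coder_agent.dev.init_script}'` line inlines the whole agent init script as one single-quoted command-line argument, so any single quote inside the script terminates the argument (patch 4 of this series already has to repair a dropped closing quote on the same line), and the full script text — including whatever token or URL it carries — is visible in the process table to every local user for as long as the agent runs and, with `set -x` two lines up, is echoed into the startup-script log as well. Writing the script into the new user's home with mode 0700 and exec'ing it, as the removed `cat <<EOCODER` lines did for root, avoids all three; unless the image's sudoers defaults already set HOME for the target user, `sudo -H` would also make the `$HOME` the new comment promises explicit. The added `linux_user` local only lowercases and truncates the owner name, so a name containing characters outside `[a-z0-9_-]` reaches `useradd` and the sudoers fragment unchanged; `lower(replace(substr(data.coder_workspace.me.owner, 0, 32), "/[^a-zA-Z0-9_-]/", ""))` would match what the `# Ensure Coder username is a valid Linux username` comment claims. Note that with `NOPASSWD:ALL` this commit changes the agent's working identity rather than reducing its privilege, which the comment could say plainly.
```terraform
# … unchanged: useradd and sudoers lines …
USER_HOME="$(getent passwd "${local.linux_user}" | cut -d: -f6)"
cat <<'EOCODER' > "$USER_HOME/coder_agent.sh"
${coder_agent.dev.init_script}
EOCODER
chown "${local.linux_user}" "$USER_HOME/coder_agent.sh"
chmod 0700 "$USER_HOME/coder_agent.sh"
exec sudo -H -u "${local.linux_user}" "$USER_HOME/coder_agent.sh"
```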
diff --git a/examples/templates/gcp-linux/main.tf b/examples/templates/gcp-linux/main.tf
index 875253bd05591..3e3d7c281e62d 100644
--- a/examples/templates/gcp-linux/main.tf
+++ b/examples/templates/gcp-linux/main.tf
@@ -77,8 +77,13 @@ resource "google_compute_instance" "dev" {
#!/usr/bin/env sh
set -eux pipefail
-useradd -m -s /bin/bash "${local.linux_user}"
-echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user
+# If user does not exist, create it and set up passwordless sudo
+if ! id -u "${local.linux_user}" >&/dev/null
+then
+ useradd -m -s /bin/bash "${local.linux_user}"
+ echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user
+fi
+
exec sudo -u "${local.linux_user}" sh -c '${coder_agent.dev.init_script}'
EOMETA
}
From 4f9a28eed7385962030d07a5e44e7b7b9f3c1ade Mon Sep 17 00:00:00 2001
From: dwahler
Date: Thu, 30 Jun 2022 23:36:34 +0000
Subject: [PATCH 3/5] fix bash syntax
---
examples/templates/gcp-linux/main.tf | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/examples/templates/gcp-linux/main.tf b/examples/templates/gcp-linux/main.tf
index 3e3d7c281e62d..057a626be193a 100644
--- a/examples/templates/gcp-linux/main.tf
+++ b/examples/templates/gcp-linux/main.tf
@@ -78,8 +78,7 @@ resource "google_compute_instance" "dev" {
set -eux pipefail
# If user does not exist, create it and set up passwordless sudo
-if ! id -u "${local.linux_user}" >&/dev/null
-then
+if ! id -u "${local.linux_user}" >/dev/null 2>&1; then
useradd -m -s /bin/bash "${local.linux_user}"
echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user
fi
From 7002bc9dceb70c892c48cc70a177329794468756 Mon Sep 17 00:00:00 2001
From: David Wahler
Date: Wed, 3 Aug 2022 22:47:32 +0000
Subject: [PATCH 4/5] fix broken merge
---
examples/templates/gcp-linux/main.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
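Review bot: The re-added `echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user` inside the new `if` block installs a sudoers fragment without syntax-checking it or pinning its mode, and since `linux_user` is only lowercased and truncated where it is defined, an owner name containing a space or another character the sudoers grammar rejects produces a file that sudo refuses to parse, which then breaks the `exec sudo` on the following context line. Writing the fragment to a temporary file, validating it with `visudo -cf`, and installing it with `install -m 0440` keeps a bad name from wedging sudo for the whole VM. The guard only checks that the user exists, so an image that already ships the user but not the sudoers entry never gets one; keying the sudoers step on the file's absence instead of the user's is more robust. As an aside on the context line above, `set -eux pipefail` passes `pipefail` as a positional argument rather than enabling the option (`set -o pipefail`, which is not POSIX `sh` anyway); the same line is context in the next hunk as well.
```terraform
# … unchanged: id/useradd guard, with the echo line removed …
if [ ! -f /etc/sudoers.d/coder-user ]; then
  sudoers_tmp="$(mktemp)"
  printf '%s ALL=(ALL) NOPASSWD:ALL\n' "${local.linux_user}" > "$sudoers_tmp"
  visudo -cf "$sudoers_tmp"
  install -m 0440 "$sudoers_tmp" /etc/sudoers.d/coder-user
  rm -f "$sudoers_tmp"
fi
```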
diff --git a/examples/templates/gcp-linux/main.tf b/examples/templates/gcp-linux/main.tf
index b789dc08daf84..64c711d1d6779 100644
--- a/examples/templates/gcp-linux/main.tf
+++ b/examples/templates/gcp-linux/main.tf
@@ -83,7 +83,7 @@ if ! id -u "${local.linux_user}" >/dev/null 2>&1; then
echo "${local.linux_user} ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/coder-user
fi
-exec sudo -u "${local.linux_user}" sh -c '${coder_agent.main.init_script}
+exec sudo -u "${local.linux_user}" sh -c '${coder_agent.main.init_script}'
EOMETA
}
From e731e006f547a422493c3a03f2f25752661ced43 Mon Sep 17 00:00:00 2001
From: David Wahler
Date: Wed, 3 Aug 2022 22:47:51 +0000
Subject: [PATCH 5/5] upgrade to debian-10 image since debian-9 is no longer available
---
examples/templates/gcp-linux/main.tf | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/templates/gcp-linux/main.tf b/examples/templates/gcp-linux/main.tf
index 64c711d1d6779..9200bbacac5c5 100644
--- a/examples/templates/gcp-linux/main.tf
+++ b/examples/templates/gcp-linux/main.tf
@@ -39,7 +39,7 @@ resource "google_compute_disk" "root" {
name = "coder-${lower(data.coder_workspace.me.owner)}-${lower(data.coder_workspace.me.name)}-root"
type = "pd-ssd"
zone = var.zone
- image = "debian-cloud/debian-9"
+ image = "debian-cloud/debian-10"
lifecycle {
ignore_changes = [image]
}