Make sure sensubility has proper permission

This patch makes it possible to use podman socket for sensubility checks
running in collectd container.

Change-Id: I28c3b133bb0d57667f1f3bf8c96f245a6fa62def
Martin Mágr 2022-08-17 23:49:23 +02:00
parent 235124983a
commit 298463b810
2 changed files with 16 additions and 2 deletions


@ -15,6 +15,7 @@
# under the License.
import json
import os
import shutil
import subprocess
import sys
@ -30,6 +31,14 @@ SKIP_LIST = ['_bootstrap', 'container-puppet-', '_db_sync',
def execute(cmd, workdir: str = None,
prev_proc: subprocess.Popen = None) -> subprocess.Popen:
# Note(mmagr): When this script is executed by collectd-sensubility started
# via collectd the script has non-root permission but inherits
# environment from collectd with root permission. We need
# to avoid sensubility access /root when using podman-remote.
# See https://bugzilla.redhat.com/show_bug.cgi?id=2091076 for
# more info.
proc_env = os.environ.copy()
proc_env["HOME"] = "/tmp"
if type(cmd[0]) is list: # multiple piped commands
last = prev_proc
for c in cmd:
@ -37,7 +46,7 @@ def execute(cmd, workdir: str = None,
return last
else: # single command
inpipe = prev_proc.stdout if prev_proc is not None else None
proc = subprocess.Popen(cmd, cwd=workdir, stdin=inpipe,
proc = subprocess.Popen(cmd, cwd=workdir, env=proc_env, stdin=inpipe,
stdout=subprocess.PIPE, stderr=subprocess.PIPE)
if prev_proc is not None:
prev_proc.stdout.close()
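Review bot: Pointing HOME at "/tmp" (the `proc_env["HOME"] = "/tmp"` line) sends the child to a shared, world-writable directory, so any per-user configuration or cache the invoked command keeps relative to HOME would be read from or written to a location other local users can pre-create or modify; whether the podman-remote calls here persist anything under HOME is not visible in this hunk, so this is worth confirming. A narrower fix is the real home of the user the script runs as, `proc_env["HOME"] = pwd.getpwuid(os.getuid()).pw_dir` (with `import pwd` added to the first hunk), or a private directory created with `tempfile.mkdtemp()` and removed after the run; if the collectd user has no usable home, a dedicated directory owned by that user is preferable to /tmp. The Note comment would also benefit from stating that every other inherited root variable is still passed through unchanged, since `os.environ.copy()` only rewrites HOME. The body of execute() continues past the end of the last hunk.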


@ -572,7 +572,7 @@ outputs:
mode: "0755"
content: { get_file: ../../container_config_scripts/monitoring/collectd_check_health.py }
docker_config:
step_5:
step_3:
collectd:
image: {get_attr: [RoleParametersValue, value, ContainerCollectdImage]}
net: host
@ -637,6 +637,11 @@ outputs:
service:
name: rsyslog
state: restarted
- name: add access to podman to collectd user
ansible.builtin.shell: sudo podman exec -it collectd setfacl -R -m u:collectd:rwx /run/podman
when:
- enable_sensubility
- step|int == 4
host_prep_tasks:
- name: create persistent directories
file:
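Review bot: The new "add access to podman to collectd user" task grants the collectd user recursive rwx on all of /run/podman, which is broader than the socket access the commit message describes and hands a non-root user control of the container runtime's API endpoint; narrowing it to the socket file itself with `rw` (the podman default is /run/podman/podman.sock, which should be confirmed against this deployment) keeps the grant to what the sensubility checks need, and a comment on the task should record that this access is effectively runtime-administrative so reviewers do not read it as an ordinary file permission. The `-it` flags on `podman exec` request an interactive tty that the ansible shell module does not provide, so the command should drop them, and `sudo` inside the command line is better expressed as `become: true` on the task, e.g. `ansible.builtin.command: podman exec collectd setfacl -m u:collectd:rw <socket path>` with `become: true`. Since the task has no shell features, `ansible.builtin.command` is the safer module than `ansible.builtin.shell`.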