Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Remove spurious SGID bit on directories #9447

Merged
merged 1 commit into from
Oct 2, 2023
Merged

Remove spurious SGID bit on directories #9447

merged 1 commit into from
Oct 2, 2023

Conversation

smortex
Copy link
Contributor

@smortex smortex commented Aug 19, 2023
edited
Loading

Description

While working on improving OpenSearch packaging in opensearch-project/opensearch-build#3898, we saw that some unexpected SGID bit was set on some directories and that we had to remove it to match the default packages behavior of packages on Debian.

The SGID bit can be tracked to rjernst/elasticsearch@a5c18f1 where it was added so that on first start, the opensearch service has access to the keystore initialized by the root user. However, when deploying OpenSearch today, the keystore is created by the opensearch user and the SGID bit is not required anymore.

This PR remove the code that sets these SGID bits so that we do not need to clean them anymore when packaging.

Related Issues

Check List

  • Commits are signed per the DCO using --signoff

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@smortex smortex mentioned this pull request Aug 19, 2023
Closed
@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

dbwiddis
dbwiddis approved these changes Aug 19, 2023
View reviewed changes
Copy link
Member

@dbwiddis dbwiddis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Do we need a change log entry for this?

@peterzhuamazon peterzhuamazon mentioned this pull request Aug 21, 2023
Merged
@reta
Copy link
Collaborator

reta commented Aug 21, 2023

LGTM. Do we need a change log entry for this?

Yes, I think we need

@opensearch-trigger-bot
Copy link
Contributor

Compatibility status:

Checks if related components are compatible with change 61c5f17

Incompatible components

Incompatible components: [https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/security-analytics.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git]

@opensearch-trigger-bot
Copy link
Contributor

Compatibility status:

Checks if related components are compatible with change 61c5f17

Incompatible components

Incompatible components: [https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/security-analytics.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git]

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      2 org.opensearch.remotestore.SegmentReplicationUsingRemoteStoreIT.classMethod
      1 org.opensearch.remotestore.SegmentReplicationUsingRemoteStoreIT.testScrollWithConcurrentIndexAndSearch

@codecov
Copy link

codecov bot commented Aug 21, 2023
edited
Loading

Codecov Report

Merging #9447 (efaf798) into main (8807d7a) will increase coverage by 0.07%.
Report is 1 commits behind head on main.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##               main    #9447      +/-   ##
============================================
+ Coverage     71.04%   71.12%   +0.07%     
- Complexity    58167    58206      +39     
============================================
  Files          4830     4830              
  Lines        274506   274505       -1     
  Branches      40002    40002              
============================================
+ Hits         195018   195234     +216     
+ Misses        63153    62921     -232     
- Partials      16335    16350      +15
Files Coverage Δ
...arch/analysis/common/MappingCharFilterFactory.java 50.00% <100.00%> (ø)
...n/java/org/opensearch/index/analysis/Analysis.java 84.21% <100.00%> (-0.12%) ⬇️

... and 465 files with indirect coverage changes

@smortex smortex requested a review from reta August 23, 2023 18:09
@opensearch-trigger-bot
Copy link
Contributor

This PR is stalled because it has been open for 30 days with no activity.

@opensearch-trigger-bot opensearch-trigger-bot bot added the stalled Issues that have stalled label Sep 27, 2023
@smortex
Remove spurious SGID
efaf798 
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <[email protected]>
@smortex
Copy link
Contributor Author

smortex commented Sep 28, 2023

Rebased on top of main to fix conflict and adjusted the commit message.

@github-actions
Copy link
Contributor

github-actions bot commented Sep 28, 2023
edited
Loading

Compatibility status:

Checks if related components are compatible with change efaf798

Incompatible components

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/neural-search.git]

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      1 org.opensearch.search.SearchWeightedRoutingIT.testSearchAggregationWithNetworkDisruption_FailOpenEnabled

@opensearch-trigger-bot opensearch-trigger-bot bot removed the stalled Issues that have stalled label Sep 28, 2023
@smortex smortex mentioned this pull request Sep 29, 2023
Closed
24 tasks
@dblock dblock merged commit 9d0db5e into opensearch-project:main Oct 2, 2023
14 checks passed
@dblock dblock added the backport 2.x Backport to 2.x branch label Oct 2, 2023
opensearch-trigger-bot bot pushed a commit that referenced this pull request Oct 2, 2023
@github-actions
Remove spurious SGID (#9447)
8dfebdb 
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <[email protected]>
(cherry picked from commit 9d0db5e)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
@opensearch-trigger-bot opensearch-trigger-bot bot mentioned this pull request Oct 2, 2023
Merged
reta pushed a commit that referenced this pull request Oct 3, 2023
@opensearch-trigger-bot @github-actions
Remove spurious SGID (#9447) (#10313)
b272689 
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.


(cherry picked from commit 9d0db5e)

Signed-off-by: Romain Tartière <[email protected]>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
rayshrey pushed a commit to rayshrey/OpenSearch that referenced this pull request Oct 3, 2023
@smortex @rayshrey
Remove spurious SGID (opensearch-project#9447)
3cf8fe9 
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <[email protected]>
deshsidd pushed a commit to deshsidd/OpenSearch that referenced this pull request Oct 9, 2023
@smortex @deshsidd
Remove spurious SGID (opensearch-project#9447)
a557e94 
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <[email protected]>
vikasvb90 pushed a commit to vikasvb90/OpenSearch that referenced this pull request Oct 10, 2023
@smortex @vikasvb90
Remove spurious SGID (opensearch-project#9447)
78b3807 
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <[email protected]>
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this pull request Apr 25, 2024
@smortex @shiv0408
Remove spurious SGID (opensearch-project#9447)
d81429b 
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <[email protected]>
Signed-off-by: Shivansh Arora <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@reta reta reta approved these changes

@dblock dblock dblock approved these changes

@dbwiddis dbwiddis dbwiddis approved these changes

@anasalkouz anasalkouz Awaiting requested review from anasalkouz anasalkouz is a code owner

@andrross andrross Awaiting requested review from andrross andrross is a code owner

@Bukhtawar Bukhtawar Awaiting requested review from Bukhtawar Bukhtawar is a code owner

@CEHENKLE CEHENKLE Awaiting requested review from CEHENKLE CEHENKLE is a code owner

@gbbafna gbbafna Awaiting requested review from gbbafna gbbafna is a code owner

@setiah setiah Awaiting requested review from setiah

@kartg kartg Awaiting requested review from kartg

@kotwanikunal kotwanikunal Awaiting requested review from kotwanikunal kotwanikunal is a code owner

@mch2 mch2 Awaiting requested review from mch2 mch2 is a code owner

@nknize nknize Awaiting requested review from nknize nknize is a code owner

@owaiskazi19 owaiskazi19 Awaiting requested review from owaiskazi19 owaiskazi19 is a code owner

@Rishikesh1159 Rishikesh1159 Awaiting requested review from Rishikesh1159 Rishikesh1159 is a code owner

@ryanbogan ryanbogan Awaiting requested review from ryanbogan

@saratvemulapalli saratvemulapalli Awaiting requested review from saratvemulapalli saratvemulapalli is a code owner

@shwetathareja shwetathareja Awaiting requested review from shwetathareja shwetathareja is a code owner

@dreamer-89 dreamer-89 Awaiting requested review from dreamer-89

@tlfeng tlfeng Awaiting requested review from tlfeng

@VachaShah VachaShah Awaiting requested review from VachaShah VachaShah is a code owner

@sachinpkale sachinpkale Awaiting requested review from sachinpkale sachinpkale is a code owner

@sohami sohami Awaiting requested review from sohami sohami is a code owner

@peternied peternied Awaiting requested review from peternied

@msfroh msfroh Awaiting requested review from msfroh msfroh is a code owner

Assignees
No one assigned
Labels
backport 2.x Backport to 2.x branch
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@smortex @reta @dblock @dbwiddis