Support none root deployment #3000

TommyLike · 2024-01-07T08:59:36Z

Description

Support build and deploy dragonfly within none root user.

Create dragonfly user and group in base/manager/scheduler/dfdaemon/trainer image
Use none root user in docker compose yaml
Add dataDir config option for manager, which is used for overwrite the default value
Update several path for docker compose configuration

Related Issue

Motivation and Context

For security concern, it's better to have process running within none root user.

Screenshots (if appropriate)

Not fully understand the whole picture of draognfly and within this update the seed peer will take several minutes to become ready

2024-01-07T09:51:26.533Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:26Z", "grpc.request.deadline": "2024-01-07T09:51:27Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.056}
2024-01-07T09:51:27.652Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:27Z", "grpc.request.deadline": "2024-01-07T09:51:28Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.021}
2024-01-07T09:51:28.782Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:28Z", "grpc.request.deadline": "2024-01-07T09:51:29Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.036}
2024-01-07T09:51:29.923Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:29Z", "grpc.request.deadline": "2024-01-07T09:51:30Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.095}
2024-01-07T09:51:31.097Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:31Z", "grpc.request.deadline": "2024-01-07T09:51:32Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.068}
2024-01-07T09:51:32.215Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:32Z", "grpc.request.deadline": "2024-01-07T09:51:33Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.158}
2024-01-07T09:51:33.367Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:33Z", "grpc.request.deadline": "2024-01-07T09:51:34Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.04}
2024-01-07T09:51:33.759Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:33Z", "grpc.request.deadline": "2024-01-07T09:51:35Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.038}
2024-01-07T09:51:33.767Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:33Z", "grpc.request.deadline": "2024-01-07T09:51:35Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.024}
2024-01-07T09:51:33.772Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:33Z", "grpc.request.deadline": "2024-01-07T09:51:35Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.056}
2024-01-07T09:51:33.778Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:33Z", "grpc.request.deadline": "2024-01-07T09:51:35Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.028}
2024-01-07T09:51:34.465Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:34Z", "grpc.request.deadline": "2024-01-07T09:51:35Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.165}
2024-01-07T09:51:35.580Z	INFO	zap/server_interceptors.go:39	finished unary call with code OK	{"grpc.start_time": "2024-01-07T09:51:35Z", "grpc.request.deadline": "2024-01-07T09:51:36Z", "system": "grpc", "span.kind": "server", "grpc.service": "grpc.health.v1.Health", "grpc.method": "Check", "grpc.code": "OK", "grpc.time_ms": 0.022}
2024-01-07T09:51:35.801Z	ERROR	grpclog/grpclog.go:55	[scheduler_resolver]resolve addresses error schedulers not found
google.golang.org/grpc/internal/grpclog.ErrorDepth
	/go/pkg/mod/google.golang.org/[email protected]/internal/grpclog/grpclog.go:55
google.golang.org/grpc/grpclog.(*componentData).ErrorDepth
	/go/pkg/mod/google.golang.org/[email protected]/grpclog/component.go:46
google.golang.org/grpc/grpclog.(*componentData).Errorf
	/go/pkg/mod/google.golang.org/[email protected]/grpclog/component.go:79
d7y.io/dragonfly/v2/pkg/resolver.(*SchedulerResolver).ResolveNow
	/go/src/d7y.io/dragonfly/v2/pkg/resolver/scheduler_resolver.go:84
d7y.io/dragonfly/v2/pkg/resolver.(*SchedulerResolver).OnNotify
	/go/src/d7y.io/dragonfly/v2/pkg/resolver/scheduler_resolver.go:109
d7y.io/dragonfly/v2/client/config.(*dynconfigManager).Notify
	/go/src/d7y.io/dragonfly/v2/client/config/dynconfig_manager.go:242
d7y.io/dragonfly/v2/client/config.(*dynconfigManager).Serve
	/go/src/d7y.io/dragonfly/v2/client/config/dynconfig_manager.go:268
d7y.io/dragonfly/v2/client/daemon.(*clientDaemon).Serve.func10
	/go/src/d7y.io/dragonfly/v2/client/daemon/daemon.go:744
golang.org/x/sync/errgroup.(*Group).Go.func1
	/go/pkg/mod/golang.org/x/[email protected]/errgroup/errgroup.go:75

Status after 10 minutes of docker compose, the seed peer finally turns into ready.

Types of changes

Bug fix (non-breaking change which fixes an issue)
New feature (non-breaking change which adds functionality)
Breaking change (fix or feature that would cause existing functionality to change)
Documentation Update (if none of the other choices apply)

Checklist

My change requires a change to the documentation.
I have updated the documentation accordingly.
I have read the CONTRIBUTING document.
I have added tests to cover my changes.

codecov · 2024-01-07T09:06:29Z

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (1e39879) 51.45% compared to head (cc02ac6) 51.41%.
Report is 6 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3000      +/-   ##
==========================================
- Coverage   51.45%   51.41%   -0.05%     
==========================================
  Files         162      162              
  Lines       22171    22147      -24     
==========================================
- Hits        11408    11386      -22     
+ Misses      10105    10103       -2     
  Partials      658      658

Flag	Coverage Δ
Object-compatibility-e2etests	`?`
e2etests	`?`
unittests	`51.41% <ø> (-0.05%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

Files	Coverage Δ
manager/config/config.go	`96.56% <ø> (ø)`

... and 7 files with indirect coverage changes

gaius-qi · 2024-01-08T03:20:33Z

build/images/dfdaemon/Dockerfile

@@ -29,11 +29,28 @@ RUN if [ "$(uname -m)" = "ppc64le" ]; then \

 FROM ${BASE_IMAGE}

+ARG USER_NAME=dragonfly


I think the default user should be root, please do not to break compatibility with previous versions of dragonfly.

the code only adds the none root user and group, the default user is still root.

Please do not change the default root user using command.

Please do not change the default root user using command.

If I understand correctly

the default user when running container is still root and we can use the dragonfly user by adding user argument

the binary would belongs to dragonfly/dragonfly can it can still work within root user.

gaius-qi · 2024-01-08T03:20:46Z

build/images/base/Dockerfile

+ARG USER_UID=1000
+ARG GROUP_NAME=dragonfly
+ARG GROUP_GID=1000
+RUN groupadd -g $GROUP_GID $GROUP_NAME && useradd -u $USER_UID -g $GROUP_GID -m -s /bin/bash $USER_NAME


Remove blank line.

deploy/docker-compose/template/dfget.template.yaml

gaius-qi · 2024-01-09T02:38:14Z

build/images/dfdaemon/Dockerfile

@@ -29,11 +29,28 @@ RUN if [ "$(uname -m)" = "ppc64le" ]; then \

 FROM ${BASE_IMAGE}

+ARG USER_NAME=dragonfly


Please do not change the default root user using command.

TommyLike · 2024-01-10T01:10:56Z

@gaius-qi updated as comments

Signed-off-by: TommyLike <[email protected]>

TommyLike requested a review from a team as a code owner January 7, 2024 08:59

TommyLike requested review from imeoer, KubeStacker and cndoit18 January 7, 2024 08:59

TommyLike force-pushed the bug/support-none-root-deployment branch from 10e9e32 to 0bd9ed0 Compare January 7, 2024 09:50

gaius-qi requested changes Jan 8, 2024

View reviewed changes

TommyLike force-pushed the bug/support-none-root-deployment branch from 0bd9ed0 to 8e26328 Compare January 8, 2024 10:38

TommyLike mentioned this pull request Jan 8, 2024

Support the deployment of dragonfly within none root user? #2998

Open

gaius-qi requested changes Jan 9, 2024

View reviewed changes

TommyLike force-pushed the bug/support-none-root-deployment branch from 8e26328 to de37a1b Compare January 10, 2024 01:07

Support build&deploy dragonfly within none root user

cc02ac6

Signed-off-by: TommyLike <[email protected]>

TommyLike force-pushed the bug/support-none-root-deployment branch from de37a1b to cc02ac6 Compare January 10, 2024 01:15

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Support none root deployment #3000

Support none root deployment #3000

TommyLike commented Jan 7, 2024 •

edited

Loading

codecov bot commented Jan 7, 2024 •

edited

Loading

gaius-qi Jan 8, 2024

TommyLike Jan 8, 2024

gaius-qi Jan 9, 2024

TommyLike Jan 10, 2024 •

edited

Loading

gaius-qi Jan 8, 2024

TommyLike Jan 8, 2024

gaius-qi Jan 9, 2024

TommyLike commented Jan 10, 2024

		@@ -29,11 +29,28 @@ RUN if [ "$(uname -m)" = "ppc64le" ]; then \

		FROM ${BASE_IMAGE}

		ARG USER_NAME=dragonfly

Support none root deployment #3000

Are you sure you want to change the base?

Support none root deployment #3000

Conversation

TommyLike commented Jan 7, 2024 • edited Loading

Description

Related Issue

Motivation and Context

Screenshots (if appropriate)

Types of changes

Checklist

codecov bot commented Jan 7, 2024 • edited Loading

Codecov Report

gaius-qi Jan 8, 2024

Choose a reason for hiding this comment

TommyLike Jan 8, 2024

Choose a reason for hiding this comment

gaius-qi Jan 9, 2024

Choose a reason for hiding this comment

TommyLike Jan 10, 2024 • edited Loading

Choose a reason for hiding this comment

gaius-qi Jan 8, 2024

Choose a reason for hiding this comment

TommyLike Jan 8, 2024

Choose a reason for hiding this comment

gaius-qi Jan 9, 2024

Choose a reason for hiding this comment

TommyLike commented Jan 10, 2024

TommyLike commented Jan 7, 2024 •

edited

Loading

codecov bot commented Jan 7, 2024 •

edited

Loading

TommyLike Jan 10, 2024 •

edited

Loading