PMM-8471 run nginx as non-root #2589

Merged
merged 15 commits into from
Dec 11, 2023
Changes from 13 commits
4 changes: 2 additions & 2 deletions admin/commands/pmm/server/docker/install.go
Expand Up @@ -129,8 +129,8 @@ func (c *InstallCommand) runContainer(ctx context.Context, volume *volume.Volume
logrus.Info("Starting PMM Server")

ports := nat.PortMap{
"443/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPSListenPort))}},
"80/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPListenPort))}},
"8443/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPSListenPort))}},
"8080/tcp": []nat.PortBinding{{HostIP: "0.0.0.0", HostPort: strconv.Itoa(int(c.HTTPListenPort))}},
}

containerID, err := startPMMServer(ctx, volume, "", dockerImage, c.dockerFn, ports, c.ContainerName)
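Review bot: The container-side ports in the `ports` map are now hard-coded to 8443/8080, but nothing in this function checks that `dockerImage` actually listens there; the removed lines show earlier images served on 443/80, so pointing this installer at such an image yields a container whose published ports connect to nothing, and the failure only surfaces later as a connection timeout. A comment on the map would at least make the coupling visible, e.g. `// PMM 3 images serve on 8080/8443 so nginx can run unprivileged; older images listen on 80/443 and will not work with this mapping`, and if practical a version gate on the image tag would turn the silent mismatch into an error. Note that `HostIP: "0.0.0.0"` still publishes both ports on every host interface, which predates this change but is worth a conscious decision now that the listener layout is being revisited. runContainer continues outside the hunk.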
2 changes: 1 addition & 1 deletion agent/Makefile
Expand Up @@ -11,7 +11,7 @@ PMM_RELEASE_VERSION ?= $(shell git describe --always --dirty | cut -b2-)
PMM_RELEASE_TIMESTAMP ?= $(shell date '+%s')
PMM_RELEASE_FULLCOMMIT ?= $(shell git rev-parse HEAD)
PMM_RELEASE_BRANCH ?= $(shell git describe --always --contains --all)
PMM_DEV_SERVER_PORT ?= 443
PMM_DEV_SERVER_PORT ?= 8443
ifeq ($(GOBIN),)
GOBIN := $(shell go env GOPATH)/bin
endif
2 changes: 1 addition & 1 deletion agent/agents/supervisor/supervisor_test.go
Expand Up @@ -52,7 +52,7 @@ func TestSupervisor(t *testing.T) {
cfgStorage := config.NewStorage(&config.Config{
Paths: config.Paths{TempDir: tempDir},
Ports: config.Ports{Min: 65000, Max: 65099},
Server: config.Server{Address: "localhost:443"},
Server: config.Server{Address: "localhost:8443"},
LogLinesCount: 1,
})
s := NewSupervisor(ctx, nil, cfgStorage)
4 changes: 2 additions & 2 deletions agent/docker-compose.yml
Expand Up @@ -6,8 +6,8 @@ services:
image: ${PMM_SERVER_IMAGE:-perconalab/pmm-server:3-dev-latest}
container_name: pmm-agent_pmm-server
ports:
- "127.0.0.1:80:80"
- "127.0.0.1:443:443"
- "127.0.0.1:80:8080"
- "127.0.0.1:443:8443"
environment:
- PMM_DEBUG=1
- PERCONA_TEST_CHECKS_INTERVAL=10s
4 changes: 2 additions & 2 deletions api-tests/docker-compose.yml
Expand Up @@ -6,8 +6,8 @@ services:
image: ${PMM_SERVER_IMAGE:-perconalab/pmm-server:3-dev-latest}
container_name: pmm-agent_pmm-server
ports:
- 127.0.0.1:80:80
- 127.0.0.1:443:443
- 127.0.0.1:80:8080
- 127.0.0.1:443:8443
environment:
- PMM_DEBUG=1
- PERCONA_TEST_CHECKS_INTERVAL=10s
2 changes: 1 addition & 1 deletion build/ansible/pmm/post-build-actions.yml
Expand Up @@ -68,7 +68,7 @@
--config-file=/usr/local/percona/pmm/config/pmm-agent.yaml
--skip-registration
--id=pmm-server
--server-address=127.0.0.1:443
--server-address=127.0.0.1:8443
--server-insecure-tls

- name: Reread supervisord configuration EL7
2 changes: 0 additions & 2 deletions build/ansible/roles/pmm-images/tasks/main.yml
Expand Up @@ -100,7 +100,6 @@
non_unique: true
loop:
- { name: pmm, gid: 1000 }
- { name: nginx, gid: 999 }
- { name: grafana, gid: 998 }
- { name: clickhouse, gid: 997 }

Expand All @@ -115,7 +114,6 @@
non_unique: true
loop:
- { name: pmm, uid: 1000, comment: "PMM Server", shell: "/bin/false", home: "/home/pmm", group: pmm, }
- { name: nginx, uid: 999, comment: "nginx user", shell: "/sbin/nologin", home: "/var/cache/nginx", group: nginx, }
- { name: grafana, uid: 998, comment: "Grafana Dashboard", shell: "/sbin/nologin", home: "/etc/grafana", group: grafana, }
- { name: clickhouse, uid: 997, comment: "Clickhouse server", shell: "/sbin/nologin", home: "/var/lib/clickhouse", group: clickhouse, }
when: ansible_virtualization_type == "docker"
2 changes: 1 addition & 1 deletion build/docker/server/Dockerfile
Expand Up @@ -9,7 +9,7 @@ LABEL org.opencontainers.image.title Percona Monitoring and Management
LABEL org.opencontainers.image.vendor Percona
LABEL org.opencontainers.image.version ${VERSION}

EXPOSE 80 443
EXPOSE 8080 8443

WORKDIR /opt

2 changes: 1 addition & 1 deletion build/docker/server/Dockerfile.el9
Expand Up @@ -14,7 +14,7 @@ LABEL org.opencontainers.image.title Percona Monitoring and Management
LABEL org.opencontainers.image.vendor Percona LLC
LABEL org.opencontainers.image.version ${VERSION}

EXPOSE 80 443
EXPOSE 8080 8443

WORKDIR /opt

1 change: 0 additions & 1 deletion build/docker/server/create_users.sh
Expand Up @@ -2,7 +2,6 @@

users=(
"pmm:1000:/bin/false:/home/pmm:pmm"
"nginx:999:/sbin/nologin:/var/cache/nginx:nginx"
"grafana:998:/sbin/nologin:/etc/grafana:grafana"
"clickhouse:997:/sbin/nologin:/var/lib/clickhouse:clickhouse"
)
16 changes: 8 additions & 8 deletions docker-compose.yml
Expand Up @@ -74,8 +74,8 @@ services:
memlock: 67108864

ports:
- ${PMM_PORT_HTTP:-80}:80
- ${PMM_PORT_HTTPS:-443}:443
- ${PMM_PORT_HTTP:-80}:8080
- ${PMM_PORT_HTTPS:-443}:8443
# For headless delve
- ${PMM_PORT_DELVE:-2345}:2345
# PG
Expand Down Expand Up @@ -266,8 +266,8 @@ services:
memlock: 67108864

ports:
- ${PMM_PORT_HTTP:-8081}:80
- ${PMM_PORT_HTTPS:-8441}:443
- ${PMM_PORT_HTTP:-8081}:8080
- ${PMM_PORT_HTTPS:-8441}:8443
# For headless delve
- ${PMM_PORT_DELVE:-2345}:2345
volumes:
Expand Down Expand Up @@ -350,8 +350,8 @@ services:
memlock: 67108864

ports:
- ${PMM_PORT_HTTP:-8082}:80
- ${PMM_PORT_HTTPS:-8432}:443
- ${PMM_PORT_HTTP:-8082}:8080
- ${PMM_PORT_HTTPS:-8432}:8443
# For headless delve
- ${PMM_PORT_DELVE:-12345}:2345
volumes:
Expand Down Expand Up @@ -434,8 +434,8 @@ services:
memlock: 67108864

ports:
- ${PMM_PORT_HTTP:-8083}:80
- ${PMM_PORT_HTTPS:-8433}:443
- ${PMM_PORT_HTTP:-8083}:8080
- ${PMM_PORT_HTTPS:-8433}:8443
# For headless delve
# - ${PMM_PORT_DELVE:-12345}:2345
volumes:
2 changes: 1 addition & 1 deletion get-pmm.sh
Expand Up @@ -237,7 +237,7 @@ start_pmm() {
run_docker 'stop pmm-server' || :
run_docker "rename pmm-server $pmm_archive\n"
fi
run_pmm="run -d -p $port:443 --volumes-from pmm-data --name $container_name --restart always $repo:$tag"
run_pmm="run -d -p $port:8443 --volumes-from pmm-data --name $container_name --restart always $repo:$tag"

run_docker "$run_pmm 1> /dev/null"
msg "Created PMM Server: $container_name"
2 changes: 2 additions & 0 deletions managed/services/supervisord/devcontainer_test.go
Expand Up @@ -58,6 +58,8 @@ func TestDevContainer(t *testing.T) {
})

t.Run("Check", func(t *testing.T) {
t.Skip("This test is to be deprecated or completely rewritten")

ctx := context.TODO()
checker := NewPMMUpdateChecker(logrus.WithField("test", t.Name()))

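Review bot: The new `t.Skip` disables the "Check" subtest without any tracking reference, so the coverage it provided is silently gone in the same PR that changes the server's listener layout and privileges, and a skip reason of "to be deprecated or completely rewritten" gives a later reader nothing to grep for. Put the ticket in the reason, e.g. `t.Skip("PMM-8471: to be deprecated or completely rewritten")`, or open a follow-up and cite that instead. What the subtest actually verified is not visible in this hunk, so whether anything else still exercises the update checker cannot be judged from here. TestDevContainer continues outside the hunk.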
1 change: 1 addition & 0 deletions managed/services/supervisord/pmm_config.go
Expand Up @@ -150,6 +150,7 @@ redirect_stderr = true
[program:nginx]
priority = 4
command = nginx
user = pmm
autorestart = true
autostart = true
startretries = 10
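Review bot: Running nginx as `user = pmm` rather than under the dedicated nginx account this PR deletes collapses the privilege boundary between the internet-facing proxy and the application: a bug in nginx now grants the same filesystem access as the pmm user, including whatever pmm-managed keeps under its home and any key material it can read. If that trade-off is deliberate it deserves a comment on this line in the template; otherwise keep a separate unprivileged account and write `user = nginx` here, since nothing in the non-root goal requires sharing the identity. Bear in mind that supervisord can only honour `user =` when it itself runs as root; if the container entrypoint already starts supervisord unprivileged, this line makes the nginx program fail to spawn rather than run as the caller, which is worth confirming against the entrypoint, which is outside this diff. The supervisord config template continues outside the hunk.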
1 change: 1 addition & 0 deletions managed/testdata/supervisord.d/pmm-db_disabled.ini
Expand Up @@ -43,6 +43,7 @@ redirect_stderr = true
[program:nginx]
priority = 4
command = nginx
user = pmm
autorestart = true
autostart = true
startretries = 10
1 change: 1 addition & 0 deletions managed/testdata/supervisord.d/pmm-db_enabled.ini
Expand Up @@ -67,6 +67,7 @@ redirect_stderr = true
[program:nginx]
priority = 4
command = nginx
user = pmm
autorestart = true
autostart = true
startretries = 10
4 changes: 2 additions & 2 deletions qan-api2/docker-compose.yaml
Expand Up @@ -6,8 +6,8 @@ services:
container_name: pmm-server
image: perconalab/pmm-server:3-dev-latest
ports:
- 80:80
- 443:443
- 80:8080
- 443:8443
- 19000:9000
- 9933:9933
restart: always
Expand Up @@ -28,8 +28,8 @@
}

server {
listen 80;
listen 443 ssl http2;
listen 8080;
listen 8443 ssl http2;
server_name _;
server_tokens off;

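Review bot: Moving the listeners to `8080`/`8443` while the compose files in this PR still publish them as host ports 80/443 means nginx-generated absolute redirects will carry the internal port: `port_in_redirect` defaults to on and 8080/8443 are non-standard for their scheme, so a trailing-slash redirect, for example, would send the browser to `https://host:8443/...`, which nothing on the host answers. Add `port_in_redirect off;` (or `absolute_redirect off;`) in this server block unless it is already set at http level outside the hunk. This file section has lost its header on the page, so the path is presumed to be the main nginx server config; the server block continues outside the hunk.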
@@ -1,4 +1,4 @@
user nginx;
user pmm;
worker_processes 2;

daemon off;
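Review bot: `user pmm;` on the first line is now dead configuration: nginx only applies the `user` directive when the master process is started as root, and when the master is already unprivileged (as supervisord now arranges in this PR) it logs a startup warning that the directive is ignored, so the line implies a privilege switch that never happens. Drop it, or replace it with a comment such as `# master process is started unprivileged by supervisord; workers inherit that user`. Running unprivileged also requires the pid file, error log and client/proxy temp paths to be writable by the pmm user; those directives are outside the hunk and worth checking before merge.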