PMM-12529 Run pmm-agent as non root

build/ansible/roles/pmm2-images/tasks/main.yml

@@ -103,7 +103,6 @@
         - { name: nginx, gid: 999 }
         - { name: grafana, gid: 998 }
         - { name: clickhouse, gid: 997 }
-        - { name: pmm-agent, gid: 996 }
 
     - name: Create users              | Create users
       user:
@@ -119,7 +118,6 @@
         - { name: nginx, uid: 999, comment: "nginx user", shell: "/sbin/nologin", home: "/var/cache/nginx", group: nginx, }
         - { name: grafana, uid: 998, comment: "Grafana Dashboard", shell: "/sbin/nologin", home: "/etc/grafana", group: grafana, }
         - { name: clickhouse, uid: 997, comment: "Clickhouse server", shell: "/sbin/nologin", home: "/var/lib/clickhouse", group: clickhouse, }
-        - { name: pmm-agent, uid: 996, comment: "pmm-agent", shell: "/bin/false", home: "/usr/local/percona/", group: pmm-agent, }
   when: ansible_virtualization_type == "docker"
 
 - name: Create directories        | Create dirs

build/docker/server/create_users.sh

@@ -5,7 +5,6 @@ users=(
   "nginx:999:/sbin/nologin:/var/cache/nginx:nginx"
   "grafana:998:/sbin/nologin:/etc/grafana:grafana"
   "clickhouse:997:/sbin/nologin:/var/lib/clickhouse:clickhouse"
-  "pmm-agent:996:/bin/false:/usr/local/percona/:pmm-agent"
 )
 
 for user in "${users[@]}"; do

build/packages/deb/postinst

@@ -9,10 +9,10 @@ fi
 
 case "$1" in
     configure)
-      chown -R pmm-agent:pmm-agent /usr/local/percona/pmm2
+      chown -R pmm:pmm /usr/local/percona/pmm2
       if [ ! -f /usr/local/percona/pmm2/config/pmm-agent.yaml ]; then
           install -d -m 0755 /usr/local/percona/pmm2/config
-          install -m 0660 -o pmm-agent -g pmm-agent /dev/null /usr/local/percona/pmm2/config/pmm-agent.yaml
+          install -m 0660 -o pmm -g pmm /dev/null /usr/local/percona/pmm2/config/pmm-agent.yaml
       fi
     ;;
 

build/packages/deb/postrm

@@ -21,7 +21,7 @@ case "$1" in
 esac
 
 if [ "$1" = "purge" ]; then
-    userdel pmm-agent || true
+    userdel pmm || true
     if [ -f /usr/local/percona/pmm2/config/pmm-agent.yaml ]; then
         rm -f /usr/local/percona/pmm2/config/pmm-agent.yaml
     fi

build/packages/deb/preinst

@@ -5,8 +5,8 @@
 
 # create group and user
 
-if ! getent passwd pmm-agent >/dev/null 2>&1; then
-  adduser --system --home /usr/local/percona --group pmm-agent
+if ! getent passwd pmm >/dev/null 2>&1; then
+  adduser --system --home /usr/local/percona --group pmm
 fi
 
 #DEBHELPER#

build/packages/rpm/client/pmm2-client.spec

@@ -97,9 +97,9 @@ rm -rf $RPM_BUILD_ROOT
 
 %pre
 if [ $1 == 1 ]; then
-  if ! getent passwd pmm-agent > /dev/null 2>&1; then
-    /usr/sbin/groupadd -r pmm-agent
-    /usr/sbin/useradd -M -r -g pmm-agent -d /usr/local/percona/ -s /bin/false -c pmm-agent pmm-agent > /dev/null 2>&1
+  if ! getent passwd pmm > /dev/null 2>&1; then
+    /usr/sbin/groupadd -r pmm
+    /usr/sbin/useradd -M -r -g pmm -d /usr/local/percona/ -s /bin/false -c pmm pmm > /dev/null 2>&1
   fi
 fi
 if [ $1 -eq 2 ]; then
@@ -117,7 +117,7 @@ done
 if [ $1 == 1 ]; then
     if [ ! -f /usr/local/percona/pmm2/config/pmm-agent.yaml ]; then
         install -d -m 0755 /usr/local/percona/pmm2/config
-        install -m 0660 -o pmm-agent -g pmm-agent /dev/null /usr/local/percona/pmm2/config/pmm-agent.yaml
+        install -m 0660 -o pmm -g pmm /dev/null /usr/local/percona/pmm2/config/pmm-agent.yaml
     fi
     /usr/bin/systemctl enable pmm-agent >/dev/null 2>&1 || :
     /usr/bin/systemctl daemon-reload
@@ -135,17 +135,17 @@ fi
 %postun
 case "$1" in
    0) # This is a yum remove.
-      /usr/sbin/userdel pmm-agent
+      /usr/sbin/userdel pmm
       %systemd_postun_with_restart pmm-agent.service
    ;;
    1) # This is a yum upgrade.
       %systemd_postun_with_restart pmm-agent.service
    ;;
 esac
 if [ $1 == 0 ]; then
-  if /usr/bin/id -g pmm-agent > /dev/null 2>&1; then
-    /usr/sbin/userdel pmm-agent > /dev/null 2>&1
-    /usr/sbin/groupdel pmm-agent > /dev/null 2>&1 || true
+  if /usr/bin/id -g pmm > /dev/null 2>&1; then
+    /usr/sbin/userdel pmm > /dev/null 2>&1
+    /usr/sbin/groupdel pmm > /dev/null 2>&1 || true
     if [ -f /usr/local/percona/pmm2/config/pmm-agent.yaml ]; then
         rm -r /usr/local/percona/pmm2/config/pmm-agent.yaml
     fi
@@ -164,12 +164,15 @@ fi
 
 %files
 %config %{_unitdir}/pmm-agent.service
-%attr(0660,pmm-agent,pmm-agent) %ghost /usr/local/percona/pmm2/config/pmm-agent.yaml
-%attr(-,pmm-agent,pmm-agent) /usr/local/percona/pmm2
+%attr(0660,pmm,pmm) %ghost /usr/local/percona/pmm2/config/pmm-agent.yaml
+%attr(-,pmm,pmm) /usr/local/percona/pmm2
 
 %changelog
+* Fri Nov 3 2023 Alex Demidoff <[email protected]>
+- PMM-12529 run pmm-agent as non-root pmm user.
+
 * Tue Jun 21 2022 Nikita Beletskii <[email protected]>
-- PMM-7 remove support for RHEL older then 7
+- PMM-7 remove support for RHEL older then 7.
 
 * Tue Aug 24 2021 Vadim Yalovets <[email protected]>
 - PMM-8618 ship default PG queries in PMM.

managed/services/supervisord/pmm_config.go

@@ -181,6 +181,7 @@ redirect_stderr = true
 [program:pmm-agent]
 priority = 15
 command = /usr/sbin/pmm-agent --config-file=/usr/local/percona/pmm2/config/pmm-agent.yaml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000

managed/testdata/supervisord.d/pmm-db_disabled.ini

@@ -76,6 +76,7 @@ redirect_stderr = true
 [program:pmm-agent]
 priority = 15
 command = /usr/sbin/pmm-agent --config-file=/usr/local/percona/pmm2/config/pmm-agent.yaml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000

managed/testdata/supervisord.d/pmm-db_enabled.ini

@@ -100,6 +100,7 @@ redirect_stderr = true
 [program:pmm-agent]
 priority = 15
 command = /usr/sbin/pmm-agent --config-file=/usr/local/percona/pmm2/config/pmm-agent.yaml
+user = pmm
 autorestart = true
 autostart = true
 startretries = 1000