Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove spurious SGID bit on directories #9447

Merged
merged 1 commit into from
Oct 2, 2023

Conversation

smortex
Copy link
Contributor

@smortex smortex commented Aug 19, 2023

Description

While working on improving OpenSearch packaging in opensearch-project/opensearch-build#3898, we saw that some unexpected SGID bit was set on some directories and that we had to remove it to match the default packages behavior of packages on Debian.

The SGID bit can be tracked to rjernst/elasticsearch@a5c18f1 where it was added so that on first start, the opensearch service has access to the keystore initialized by the root user. However, when deploying OpenSearch today, the keystore is created by the opensearch user and the SGID bit is not required anymore.

This PR remove the code that sets these SGID bits so that we do not need to clean them anymore when packaging.

Related Issues

Check List

  • Commits are signed per the DCO using --signoff

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

Copy link
Member

@dbwiddis dbwiddis left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Do we need a change log entry for this?

@reta
Copy link
Collaborator

reta commented Aug 21, 2023

LGTM. Do we need a change log entry for this?

Yes, I think we need

@opensearch-trigger-bot
Copy link
Contributor

Compatibility status:

Checks if related components are compatible with change 61c5f17

Incompatible components

Incompatible components: [https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/security-analytics.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git]

@opensearch-trigger-bot
Copy link
Contributor

Compatibility status:

Checks if related components are compatible with change 61c5f17

Incompatible components

Incompatible components: [https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/security-analytics.git]

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/neural-search.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git]

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      2 org.opensearch.remotestore.SegmentReplicationUsingRemoteStoreIT.classMethod
      1 org.opensearch.remotestore.SegmentReplicationUsingRemoteStoreIT.testScrollWithConcurrentIndexAndSearch

@codecov
Copy link

codecov bot commented Aug 21, 2023

Codecov Report

Merging #9447 (efaf798) into main (8807d7a) will increase coverage by 0.07%.
Report is 1 commits behind head on main.
The diff coverage is 100.00%.

@@             Coverage Diff              @@
##               main    #9447      +/-   ##
============================================
+ Coverage     71.04%   71.12%   +0.07%     
- Complexity    58167    58206      +39     
============================================
  Files          4830     4830              
  Lines        274506   274505       -1     
  Branches      40002    40002              
============================================
+ Hits         195018   195234     +216     
+ Misses        63153    62921     -232     
- Partials      16335    16350      +15     
Files Coverage Δ
...arch/analysis/common/MappingCharFilterFactory.java 50.00% <100.00%> (ø)
...n/java/org/opensearch/index/analysis/Analysis.java 84.21% <100.00%> (-0.12%) ⬇️

... and 465 files with indirect coverage changes

@smortex smortex requested a review from reta August 23, 2023 18:09
@opensearch-trigger-bot
Copy link
Contributor

This PR is stalled because it has been open for 30 days with no activity.

@opensearch-trigger-bot opensearch-trigger-bot bot added the stalled Issues that have stalled label Sep 27, 2023
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <romain@blogreen.org>
@smortex
Copy link
Contributor Author

smortex commented Sep 28, 2023

Rebased on top of main to fix conflict and adjusted the commit message.

@github-actions
Copy link
Contributor

github-actions bot commented Sep 28, 2023

Compatibility status:

Checks if related components are compatible with change efaf798

Incompatible components

Skipped components

Compatible components

Compatible components: [https://github.com/opensearch-project/security.git, https://github.com/opensearch-project/alerting.git, https://github.com/opensearch-project/index-management.git, https://github.com/opensearch-project/anomaly-detection.git, https://github.com/opensearch-project/sql.git, https://github.com/opensearch-project/job-scheduler.git, https://github.com/opensearch-project/asynchronous-search.git, https://github.com/opensearch-project/observability.git, https://github.com/opensearch-project/common-utils.git, https://github.com/opensearch-project/k-nn.git, https://github.com/opensearch-project/reporting.git, https://github.com/opensearch-project/cross-cluster-replication.git, https://github.com/opensearch-project/security-analytics.git, https://github.com/opensearch-project/custom-codecs.git, https://github.com/opensearch-project/performance-analyzer.git, https://github.com/opensearch-project/ml-commons.git, https://github.com/opensearch-project/opensearch-oci-object-storage.git, https://github.com/opensearch-project/performance-analyzer-rca.git, https://github.com/opensearch-project/geospatial.git, https://github.com/opensearch-project/notifications.git, https://github.com/opensearch-project/neural-search.git]

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

@github-actions
Copy link
Contributor

Gradle Check (Jenkins) Run Completed with:

  • RESULT: UNSTABLE ❕
  • TEST FAILURES:
      1 org.opensearch.search.SearchWeightedRoutingIT.testSearchAggregationWithNetworkDisruption_FailOpenEnabled

@dblock dblock merged commit 9d0db5e into opensearch-project:main Oct 2, 2023
@dblock dblock added the backport 2.x Backport to 2.x branch label Oct 2, 2023
opensearch-trigger-bot bot pushed a commit that referenced this pull request Oct 2, 2023
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <romain@blogreen.org>
(cherry picked from commit 9d0db5e)
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
reta pushed a commit that referenced this pull request Oct 3, 2023
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.


(cherry picked from commit 9d0db5e)

Signed-off-by: Romain Tartière <romain@blogreen.org>
Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
rayshrey pushed a commit to rayshrey/OpenSearch that referenced this pull request Oct 3, 2023
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <romain@blogreen.org>
deshsidd pushed a commit to deshsidd/OpenSearch that referenced this pull request Oct 9, 2023
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <romain@blogreen.org>
vikasvb90 pushed a commit to vikasvb90/OpenSearch that referenced this pull request Oct 10, 2023
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <romain@blogreen.org>
shiv0408 pushed a commit to Gaurav614/OpenSearch that referenced this pull request Apr 25, 2024
Setting the SGID bit on directories is maybe something some users will
want to use, but setting it by default for all users does not really
make sense and when packaging OpenSearch, we need to remove this
customization when building packges.

This was added to ElasticSearch to make it possible to manage the
keystore as root while the service runs as an unprivileged user.
Without the SGID trick, the generated keystore was owned by root and
ElasticSearch could not access it.

It is preferable to manage the keystore with non-root privileges, and
this hack is not required in this case.  Stick to the default
permissions and remove this personalization.

Signed-off-by: Romain Tartière <romain@blogreen.org>
Signed-off-by: Shivansh Arora <hishiv@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
backport 2.x Backport to 2.x branch
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants