
rpmbuild: add copr-builder-rhsm-subscribe script #3434

Merged
merged 1 commit into from
Oct 14, 2024

Conversation

praiskup
Member

This allows us to specify the RHSM password so it is not visible in ps aux output

@praiskup praiskup force-pushed the praiskup-rhsm branch 3 times, most recently from 34e7264 to 98cc938 Compare September 30, 2024 15:44
@nikromen
Member

nikromen commented Oct 7, 2024

If this is closed (not merged), we need to do the expect magic in fedora-infra/ansible

$fail && exit 1

try_indefinitely copr-builder-rhsm-subscribe
try_indefinitely subscription-manager attach --pool "$opt_pool_id"
Member


Can you please touch some /var/run file here? Please see #3426 (comment)

@praiskup
Member Author

Some new observations:

  • the activation keys have a much smaller identity scope compared to passwords (we are not risking the loss of our identity, just that we give someone rights to enable new systems)
  • the key is read from stdin so it is neither in /proc/self/comm nor in /proc/self/environ
  • the daemon process that has the password in memory disappears relatively quickly, before we let the user in over ssh, unless there's a problem with RHSM
  • because problems with RHSM happen "from time to time", we should count that /proc/self/mem analysis might lead to some leaks, so we should rotate the key (I doubt there's a huge motivation to do this, because getting RH Developer license is much easier).

import getpass
import sys

from subscription_manager.scripts.subscription_manager import main as rhsm
Member


I am a bit afraid of them changing the location or the internals of the script and I would probably rather call it through subprocess but we can do this.

Member Author


This is sub-optimal, but subprocess.call means the key goes to /proc/self/cmdline

Member


Can you please add a code comment about that so that I don't get the great idea to re-implement it someday? :-)

Member Author


done
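The in-process call versus subprocess.call point discussed above, as an added example that is not part of this PR: a stand-in main() is handed the key through a swapped sys.argv, while the process's own /proc/self/cmdline stays clean, and a child spawned with the key in its argv does expose it. `subscription-manager register --org/--activationkey` are real options; the stand-in main, the org name and the key are constructed, and the /proc checks return None on systems without /proc.

```python
import subprocess
import sys


def read_key(stream=None):
    """Read the activation key from a stream (default stdin), never from argv or environ."""
    return (stream if stream is not None else sys.stdin).readline().strip()


def build_register_argv(org, key):
    """argv for the in-process call; the key never reaches the real command line."""
    return ["subscription-manager", "register", "--org", org, "--activationkey", key]


def run_in_process(main, argv):
    """Call main() with sys.argv swapped in; /proc/self/cmdline keeps the original argv."""
    saved = sys.argv
    sys.argv = list(argv)
    try:
        return main()
    finally:
        sys.argv = saved


def argv_seen_by_main():
    """Constructed stand-in for the rhsm main(): report the argv it was handed."""
    return list(sys.argv)


def secret_in_own_cmdline(secret):
    """True if `secret` shows up in this process's /proc/self/cmdline; None where /proc is absent."""
    try:
        with open("/proc/self/cmdline", "rb") as f:
            return secret.encode() in f.read()
    except OSError:
        return None


def secret_in_child_cmdline(secret):
    """The subprocess variant: the child finds the secret in its own cmdline."""
    probe = "import sys; print(open('/proc/self/cmdline', 'rb').read().count(sys.argv[1].encode()))"
    try:
        done = subprocess.run([sys.executable, "-c", probe, secret],
                              capture_output=True, text=True, check=True)
        return int(done.stdout.strip()) > 0
    except (OSError, subprocess.CalledProcessError, ValueError):
        return None


if __name__ == "__main__":
    key = read_key()  # piped in, e.g. from a vault file, not passed as an argument
    print(run_in_process(argv_seen_by_main, build_register_argv("example-org", key)))
```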

@FrostyX
Member

FrostyX commented Oct 14, 2024

This PR is probably blocked by the switch of our account to SCA, right?

@praiskup
Member Author

This PR is probably blocked by the switch of our account to SCA, right?

Not really, this can stay unused till we switch.

@nikromen nikromen merged commit 1685748 into fedora-copr:main Oct 14, 2024
6 of 7 checks passed