Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

release-21.1: acceptance: run python, psql containers as current uid #81665

Merged
merged 2 commits into from
May 24, 2022
Merged

release-21.1: acceptance: run python, psql containers as current uid #81665

merged 2 commits into from
May 24, 2022

Conversation

rickystewart
Copy link
Collaborator

@rickystewart rickystewart commented May 23, 2022
edited
Loading

Manual cherry-pick from #81460.

postgres's permission checking for certificates has gotten more
rigorous since this commit.
This has broken a couple acceptance tests which do not pin to any
specific postgres version (see #81313, #81437).

Here we attempt to solve the problem "once and for all" by ensuring that
these containers run with a UID that is equal to the one that created
the certificates.

Release note: None
Release justification: Test-only change

@rickystewart rickystewart requested a review from a team May 23, 2022 15:58
@blathers-crl
Copy link

blathers-crl bot commented May 23, 2022

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Patches should only be created for serious issues or test-only changes.
  • Patches should not break backwards-compatibility.
  • Patches should change as little code as possible.
  • Patches should not change on-disk formats or node communication protocols.
  • Patches should not add new functionality.
  • Patches must not add, edit, or otherwise modify cluster versions; or add version gates.
If some of the basic criteria cannot be satisfied, ensure that the exceptional criteria are satisfied within.
  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters.
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.

Add a brief release justification to the body of your PR to justify this backport.

Some other things to consider:

  • What did we do to ensure that a user that doesn’t know & care about this backport, has no idea that it happened?
  • Will this work in a cluster of mixed patch versions? Did we test that?
  • If a user upgrades a patch version, uses this feature, and then downgrades, what happens?

@cockroach-teamcity
Copy link
Member

This change is Reviewable

@otan
Copy link
Contributor

otan commented May 23, 2022

(there is a test failing tho)

@rickystewart
Copy link
Collaborator Author

@knz Cherry-picking the fix to TestComposeGSSPython isn't really working. With a simple manual cherry-pick I had this error:

python_1     | psql: ERROR:  password authentication failed for user roach

I then tried to update pkg/acceptance/compose/gss/python/Dockerfile to make it closer to the content we have at master, but that didn't do the trick either. Now I get this error:

python_1     | psql: could not read certificate file "/certs/client.root.crt": ee key too small

I don't know what the exact root cause of this is but I don't know if client.root.crt even exists at this old branch.

Can you advise about what changes we need to make to get the test working on release-21.1? Alternatively we can start skipping this test outright at release-21.1, I'm not sure what (if any) value it is providing at this point.

@knz
acceptance: comply with openssl key size restrictions
dd62bad 
The RSA key size used by TLS certs for acceptance tests must be at
least 2048 to please OpenSSL (which is used by libpq in tests).

The previous PR cockroachdb#71134 had improved this for some cases but the
chance was hidden in-between other things. This commit makes
it clearer what is going on.

Release note: None
@knz
Copy link
Contributor

knz commented May 24, 2022

Need to rebase on top of #81730.

@knz
Copy link
Contributor

knz commented May 24, 2022

I see I can't merge #81730 without this PR, and this one can't merge without the other one. So I think the best way is to integrate the two commits into one PR (presumably this one).

@rickystewart
release-21.1: acceptance: run python, psql containers as current uid
b065031 
Manual cherry-pick from cockroachdb#81460.

`postgres`'s permission checking for certificates has gotten more
rigorous since [this commit](https://git.postgresql.org/gitweb/?p=postgresql.git;a=commitdiff;h=a59c79564bdc209a5bc7b02d706f0d7352eb82fa).
This has broken a couple `acceptance` tests which do not pin to any
specific `postgres` version (see cockroachdb#81313, cockroachdb#81437).

Here we attempt to solve the problem "once and for all" by ensuring that
these containers run with a UID that is equal to the one that created
the certificates.

Release note: None
@rickystewart
Copy link
Collaborator Author

I see I can't merge #81730 without this PR, and this one can't merge without the other one. So I think the best way is to integrate the two commits into one PR (presumably this one).

Done, going to make sure it passes CI.

@rickystewart rickystewart merged commit 57cc082 into cockroachdb:release-21.1 May 24, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@otan otan otan approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@rickystewart @cockroach-teamcity @otan @knz