Page MenuHomePhabricator
Create Task
Maniphest T369573

`toolforge jobs` requires current user to be the tool user and listed in NSS passwd data
Closed, ResolvedPublicBUG REPORT
Actions

Description

Steps to replicate the issue:

  • Put toolforge jobs inside a Build Service created container on the Toolforge cluster
    • here are a number of ways to do this, but likely the easiest is to put git+https://gitlab.wikimedia.org/repos/cloud/toolforge/toolforge-cli and git+https://gitlab.wikimedia.org/repos/cloud/toolforge/jobs-cli in an requirements.txt file and then build the image
  • toolforge jobs list

What happens?:

$ toolforge jobs list
Traceback (most recent call last):
  File "/layers/heroku_python/dependencies/bin/toolforge-jobs", line 8, in <module>
    sys.exit(main())
             ^^^^^^
  File "/layers/heroku_python/dependencies/lib/python3.12/site-packages/tjf_cli/cli.py", line 1120, in main
    user = getpass.getuser()
           ^^^^^^^^^^^^^^^^^
  File "/layers/heroku_python/python/lib/python3.12/getpass.py", line 169, in getuser
    return pwd.getpwuid(os.getuid())[0]
           ^^^^^^^^^^^^^^^^^^^^^^^^^
KeyError: 'getpwuid(): uid not found: 55419'

What should have happened instead?:

$ toolforge jobs list
$

Software version: 16.0.12

The assumptions about the runtime user and the ability to fetch NSS data on the user were reasonable on the Toolforge bastions and even in our legacy containers with NSS LDAP support, but the recommended modern container solution makes this method of detecting the executing tool impossible.

See also: T369569: `webservice` requires effective user to be the tool user and listed in NSS passwd data

Related Objects
Search...

Event Timeline

bd808 created this task.Jul 8 2024, 11:28 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptJul 8 2024, 11:28 PM
bd808 mentioned this in T369569: `webservice` requires effective user to be the tool user and listed in NSS passwd data.Jul 8 2024, 11:28 PM
bd808 added a parent task: T369693: [toolforge, toolforge-cli] Experiment with PyInstaller to package CLI tools for buildpack images.Jul 10 2024, 3:18 PM
dcaro triaged this task as High priority.Jul 10 2024, 3:41 PM
dcaro moved this task from Backlog to Ready to be worked on on the Toolforge board.
CodeReviewBot added a comment.Jul 11 2024, 7:50 AM

dcaro merged https://gitlab.wikimedia.org/repos/cloud/toolforge/jobs-cli/-/merge_requests/49

cli: get the toolname from the k8s cert

dcaro changed the task status from Open to In Progress.Jul 11 2024, 7:51 AM
dcaro claimed this task.
dcaro edited projects, added Toolforge (Toolforge iteration 12); removed Toolforge.
dcaro moved this task from Next Up to In Review on the Toolforge (Toolforge iteration 12) board.
dcaro moved this task from In Review to In Progress on the Toolforge (Toolforge iteration 12) board.
CodeReviewBot added a project: Patch-For-Review.Jul 11 2024, 1:12 PM

dcaro opened https://gitlab.wikimedia.org/repos/cloud/toolforge/jobs-cli/-/merge_requests/51

d/changelog: bump to 16.0.13

Stashbot added a comment.Jul 11 2024, 1:49 PM

Mentioned in SAL (#wikimedia-cloud) [2024-07-11T13:49:37Z] <dcaro> deploy toolforge-jobs-framework 16.0.13 (T369573)

CodeReviewBot added a comment.Jul 11 2024, 1:53 PM

dcaro merged https://gitlab.wikimedia.org/repos/cloud/toolforge/jobs-cli/-/merge_requests/51

d/changelog: bump to 16.0.13

dcaro closed this task as Resolved.Jul 15 2024, 9:23 AM
dcaro moved this task from In Progress to Done on the Toolforge (Toolforge iteration 12) board.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits