
puppet: Remove PrivateDevices=true from mw-jobrunner

Authored by Nikerabbit on Dec 22 2019, 6:06 PM.

Description

puppet: Remove PrivateDevices=true from mw-jobrunner

This breaks sending emails. If you read the documentation for
PrivateDevices carefully, you will see this snippet:

If turned on and if running in user mode, or in system mode, but
without the CAP_SYS_ADMIN capability (e.g. setting User=),
NoNewPrivileges=yes is implied.

We are running in system mode but setting User=, so we match this
condition. PHP's mail() function uses the sendmail binary, which is a
suid binary, and NoNewPrivileges=yes prevents it from changing
uid/gid.

While at it, reduce the restart timeout to avoid false positives
from our jobqueue status checker script. The only purpose is to spare
some system resources should the script fail to start continuously.

Change-Id: I34c8b06294f8ad517a66c59dc1da57891d470fba
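The commit message's reasoning can be checked mechanically: a unit that sets PrivateDevices= together with a non-root User= will be started with NoNewPrivileges=yes, and a setuid helper such as sendmail can then no longer switch uid/gid. The script below is an added example written for this page; it is not part of the Wikimedia puppet change or of systemd. The two unit files are constructed samples (paths, user name and description are assumptions), and the parser only implements the PrivateDevices rule quoted above, not every systemd option that implies NoNewPrivileges.

```shell
#!/bin/sh
# Added example, not from the original commit: decide whether a systemd
# service unit ends up with NoNewPrivileges=yes, either explicitly or
# implied by PrivateDevices=yes combined with User= (the service then lacks
# CAP_SYS_ADMIN, which is the condition quoted from systemd.exec(5)).

# unit_value KEY: print the value of KEY= from the [Service] section of the
# unit text read on stdin (first match only; empty if unset).
unit_value() {
    awk -v k="$1" '
        /^\[/ { in_service = ($0 == "[Service]"); next }
        in_service && index($0, k "=") == 1 { sub("^" k "=", ""); print; exit }
    '
}

# is_true VALUE: systemd boolean spellings that mean "on".
is_true() {
    case "$1" in
        yes|true|on|1) return 0 ;;
        *) return 1 ;;
    esac
}

# nnp_implied UNIT_TEXT: print "yes" if the service will run with
# no_new_privs set, "no" otherwise. Only the explicit NoNewPrivileges= and
# the PrivateDevices=+User= rule from the commit message are modelled.
nnp_implied() {
    unit="$1"
    nnp=$(printf '%s\n' "$unit" | unit_value NoNewPrivileges)
    pd=$(printf '%s\n' "$unit" | unit_value PrivateDevices)
    user=$(printf '%s\n' "$unit" | unit_value User)
    if is_true "$nnp"; then echo yes; return; fi
    if is_true "$pd" && [ -n "$user" ] && [ "$user" != root ]; then
        echo yes; return
    fi
    echo no
}

# mail_breaks UNIT_TEXT SENDMAIL_PATH: "yes" if the unit runs with
# no_new_privs and the mailer is a setuid binary, i.e. mail() will fail to
# change uid/gid as described in the commit message.
mail_breaks() {
    if [ "$(nnp_implied "$1")" = yes ] && [ -u "$2" ]; then
        echo yes
    else
        echo no
    fi
}

# Constructed sample units (assumed paths and user; not the real Wikimedia unit).
WEAK_UNIT='[Unit]
Description=MediaWiki job runner (constructed sample)

[Service]
User=www-data
ExecStart=/usr/bin/php /srv/mediawiki/jobrunner.php
PrivateDevices=true
Restart=always
'

FIXED_UNIT='[Unit]
Description=MediaWiki job runner (constructed sample)

[Service]
User=www-data
ExecStart=/usr/bin/php /srv/mediawiki/jobrunner.php
Restart=always
'

# Stand-alone run: report both units and, on Linux, the live flag of this shell.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
    echo "weak unit  -> NoNewPrivileges implied: $(nnp_implied "$WEAK_UNIT")"
    echo "fixed unit -> NoNewPrivileges implied: $(nnp_implied "$FIXED_UNIT")"
    echo "weak unit would break setuid /usr/sbin/sendmail: $(mail_breaks "$WEAK_UNIT" /usr/sbin/sendmail)"
    # The authoritative runtime check is the kernel flag on the running process.
    [ -r /proc/self/status ] && grep '^NoNewPrivs:' /proc/self/status
fi
```

For a running service the definitive check is `grep NoNewPrivs /proc/<pid>/status` on the main PID: `systemctl show` reports only what the unit sets explicitly, while the implication is applied when the process is executed. systemd derives NoNewPrivileges=yes from several other sandboxing options as well (for example ProtectKernelTunables=, ProtectKernelModules= and SystemCallFilter=), so removing PrivateDevices= alone is only sufficient when none of those are present either.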

Details

Committed
Nikerabbit, Dec 22 2019, 6:11 PM
Parents
rGTWN96941fa79361: Remove last node from site.pp
Branches
Unknown
Tags
Unknown
ChangeId
I34c8b06294f8ad517a66c59dc1da57891d470fba