On Mon, Apr 06, 2020 at 12:09:50PM +0200, Erik Skultety wrote: > On Fri, Apr 03, 2020 at 06:26:23PM +0200, Andrea Bolognani wrote: > > Looks like I somehow sent an empty reply by mistake the first time > > around. Let's try again... > > > > On Fri, 2020-04-03 at 16:04 +0200, Erik Skultety wrote: > > > On Fri, Apr 03, 2020 at 03:50:21PM +0200, Andrea Bolognani wrote: > > > > I have tested this, though not extensively, on Linux and adding > > > > User=gitlab to the service file seems to be basically all that's > > > > > > Did ^this actually work? I recall having some issues on Linux when I used the > > > User= directive and I could not get the agent pull a job from the server, > > > > It would seem that way: > > > > https://gitlab.com/abologna/libvirt/pipelines/132661098 > > Sorry, what exactly am I looking at ^here? Those are all containers, whereas > these patches are targeting VMs mainly. > > Anyhow, now I remember why I didn't go with User=gitlab systemd service > directive and opted for dropping the privileges by gitlab-runner itself, the > build fails on debian-9: > https://gitlab.com/eskultety/libvirt/-/jobs/498107944 > > ..so far, I haven't been able to identify the problem on debian. In fact, if I > create the directory forcefully, I get: > https://gitlab.com/eskultety/libvirt/-/jobs/499941944 Found it [1],[2] [1] https://gitlab.com/gitlab-org/gitlab-runner/issues/4449 [2] https://gitlab.com/gitlab-org/gitlab-runner/issues/1379 If I haven't missed anything in the discussion, gitlab is going with the following "fix": https://gitlab.com/ubarbaxor/gitlab-runner/-/merge_requests/1/diffs?commit_id=a9e021885ddddfb18aea7d1dd32ec8840c480157 Unfortunately for us, that "fix" is irrelevant to our use case as it's only available for packaged versions of gitlab-runner and by the time the package would be installed and created the user without the skeleton files we'd had already created the user profile including them, because we need .bashrc anyway. However, after wiping the contents of .bash_logout, the build passes: https://gitlab.com/eskultety/libvirt/-/jobs/499969944 So, I suggest I add an additional ansible task that removes .bash_logout (it's empty on RH-like distros and isn't even created on FreeBSD) and adjust the service file as you suggested in your original patch review, that way, we run the gitlab-runner with the right privileges since the very begining. -- Erik Skultety
