Bug #8283

closed

[Crunch] crunch-dispatch should run git as www-data, not root

Added by Tom Clegg about 8 years ago. Updated over 4 years ago.

Status: Closed
Priority: Normal
Assigned To: -
Category: Crunch
Target version: -
Story points: 0.5

Description

Background

crunch-dispatch copies code into the internal.git tree and tags commits with job UUIDs. It runs as root, and it invokes git as root. Two reasons why this is not desirable:
  1. Normally these are no-ops because the API server has already done so. However, if they ever aren't no-ops (which admittedly can't happen if everything is working as expected) they can result in files and directories in internal.git that are owned by root. If git creates a directory (e.g., the "ab" directory when creating "objects/ab/abcdef01234...") while running as root, then someday in the future the API server (running as www-data) will try to make an object in that root-owned directory while satisfying a "jobs.create" request, and fail. (I ran into this situation on a dev site, where at some point in the past an API server had been missing the "copy SDK code into internal.git" step, and crunch-dispatch had been picking up the slack.)
  2. Don't run things as root if you don't need to.

Aside: crunch-dispatch itself could run as a non-root user, as long as it can switch to www-data to run git and switch to crunch to start slurm jobs -- but that probably requires extra deployment steps to configure sudo...

Proposed fix

Use sudo -u {web-user} when invoking git from crunch-dispatch. This will probably require an environment variable or Rails configuration setting so it can be "www-data" or "apache" as needed.

It would be nice to get away from sudo and use something like chpst or gosu, but crunch-dispatch already relies on sudo so that seems expedient.
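As an added example (not Arvados code and not part of this ticket), the following Ruby sketch shows the two pieces the ticket talks about: building the git invocation so that a root-running dispatcher hands it to the web user via sudo -u, and a check that flags entries under objects/ owned by someone other than that user, which is the failure mode described in the Background. The CRUNCH_GIT_USER variable, the function names and the /path/to/internal.git path are assumptions; the sample repo layout in the demo is constructed in a temporary directory.

```ruby
require 'etc'
require 'find'
require 'fileutils'
require 'shellwords'
require 'tmpdir'

# Added example, not Arvados code. Build the argv for running git against
# internal.git. When the caller is root, prefix "sudo -u <web user>" so any
# objects or directories git creates are owned by the API server's user.
# CRUNCH_GIT_USER is an assumed configuration knob (default "www-data").
def git_argv(git_dir, args, web_user: ENV.fetch('CRUNCH_GIT_USER', 'www-data'),
             as_root: Process.uid == 0)
  base = ['git', '--git-dir', git_dir] + args
  as_root ? ['sudo', '-u', web_user] + base : base
end

# Walk git_dir/objects and return every entry not owned by expected_uid.
# A root-owned "objects/ab" directory is what later makes the API server's
# own git writes fail, so a non-empty result is worth alerting on.
def foreign_owned(git_dir, expected_uid)
  objects = File.join(git_dir, 'objects')
  return [] unless File.directory?(objects)
  offenders = []
  Find.find(objects) do |path|
    offenders << path if File.lstat(path).uid != expected_uid
  end
  offenders
end

# Resolve a user name to a uid for foreign_owned; nil if the account does
# not exist on this host (e.g. "www-data" on a distro that uses "apache").
def uid_for(user)
  Etc.getpwnam(user).uid
rescue ArgumentError
  nil
end

if __FILE__ == $0
  # Constructed demo: the command a root dispatcher would run, then a scan of
  # a throwaway repo layout in which every entry is owned by the current user.
  argv = git_argv('/path/to/internal.git', ['tag', 'JOB-UUID-PLACEHOLDER', 'HEAD'],
                  web_user: 'www-data', as_root: true)
  puts Shellwords.join(argv)
  Dir.mktmpdir do |repo|
    FileUtils.mkdir_p(File.join(repo, 'objects', 'ab'))
    File.write(File.join(repo, 'objects', 'ab', 'cdef0123'), 'blob')
    puts "foreign-owned entries: #{foreign_owned(repo, Process.uid).inspect}"
  end
end
```

The ownership scan is the part a deployer can run today against an existing internal.git (with the web user's uid from uid_for) to find out whether a past root-run git has already left directories the API server cannot write into.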

#1

Updated by Tom Clegg about 8 years ago

  • Description updated (diff)
  • Category set to Crunch
#2

Updated by Peter Amstutz over 4 years ago

  • Status changed from New to Closed