From 0ad920ff1532a6c8470ad881800506c367fb8e31 Mon Sep 17 00:00:00 2001
From: Steve Traylen
Date: Wed, 11 Dec 2024 11:26:55 +0100
Subject: [PATCH] Run cvmfs_fsck service as user cvmfs

The cvmfs_fsck service can run as user cvmfs which is safer than running as root.
---
 spec/classes/fsck_spec.rb | 13 +++++++++----
 templates/fsck/cvmfs-fsck.service.epp | 1 +
 2 files changed, 10 insertions(+), 4 deletions(-)

diff --git a/spec/classes/fsck_spec.rb b/spec/classes/fsck_spec.rb
index 8072d05..8265d32 100644
--- a/spec/classes/fsck_spec.rb
+++ b/spec/classes/fsck_spec.rb
@@ -28,10 +28,15 @@
 it { is_expected.not_to contain_cron('clean_quarantaine') }
 it { is_expected.not_to contain_cron('cvmfs_fsck') }
 it { is_expected.to contain_systemd__tmpfile('cvmfs-quarantaine.conf').with_ensure('absent') }
- it { is_expected.to contain_systemd__timer('cvmfs-fsck.timer').with_service_content(%r{^ExecStart=/usr/bin/cvmfs_fsck /var/lib/cvmfs/shared$}) }
- it { is_expected.to contain_systemd__timer('cvmfs-fsck.timer').with_service_content(%r{^ConditionPathExists=/var/lib/cvmfs/shared/txn$}) }
- it { is_expected.to contain_systemd__timer('cvmfs-fsck.timer').with_timer_content(%r{^OnUnitActiveSec=1week$}) }
- it { is_expected.to contain_systemd__timer('cvmfs-fsck.timer').without_timer_content(%r{^OnBootSec$}) }
+
+ it {
+ is_expected.to contain_systemd__timer('cvmfs-fsck.timer').
+ with_service_content(%r{^ExecStart=/usr/bin/cvmfs_fsck /var/lib/cvmfs/shared$}).
+ with_service_content(%r{^ConditionPathExists=/var/lib/cvmfs/shared/txn$}).
+ with_service_content(%r{^User=cvmfs$}).
+ with_timer_content(%r{^OnUnitActiveSec=1week$}).
+ without_timer_content(%r{^OnBootSec$})
+ }
 end
 end
diff --git a/templates/fsck/cvmfs-fsck.service.epp b/templates/fsck/cvmfs-fsck.service.epp
index a06e1c2..39aa741 100644
--- a/templates/fsck/cvmfs-fsck.service.epp
+++ b/templates/fsck/cvmfs-fsck.service.epp
@@ -10,6 +10,7 @@ ConditionPathExists=<%= $cache_base %>/shared/txn
 [Service]
 Type=oneshot
+User=cvmfs
 Nice=19
 IOSchedulingClass=2
 IOSchedulingPriority=7
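Review bot: The new `User=cvmfs` line lowers the job's privileges without anything in this hunk ensuring the cache tree is usable by that account. Anything under `<%= $cache_base %>/shared` left root-owned by earlier runs of this unit as root may now make cvmfs_fsck fail on permissions instead of repairing the cache. I would document the requirement above the line, e.g. `# Runs unprivileged: <cache_base>/shared must be owned by cvmfs`, or confirm that the module enforces that ownership elsewhere. Now that the unit no longer needs root, `NoNewPrivileges=yes` next to `User=` would be a cheap additional restriction. The [Service] section continues past the end of the hunk, so later directives are not visible here.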