Idea #22940: Deploy core services with an arvados group - Arvados

Actions

Idea #22940

open

Status:

New

Priority:

Normal

Assigned To:

Category:

Deployment

Target version:

Start date:

Due date:

Story points:

Description

Basic idea:

At some low level, we ship /usr/lib/sysusers.d/arvados.conf with:
```
g arvados -
```
See sysusers.d
We arrange for /etc/arvados to be 0755 root:arvados and /etc/arvados/config.yml to be 0640 root:arvados.
Services that need to read the cluster configuration declare SupplementaryGroups=arvados in their unit definitions.

This lets us run all services as non-root, or ideally with DynamicUser, while retaining secure, read-only access to the cluster configuration.

Related issues 2 (2 open — 0 closed)

Actions

Related to Idea #22941: arvados-server package replaces all of its clones added

Actions

Related to Support #22799: Review security hardening of systemd units used for services added

Actions

Also available in: Atom PDF

	Related to Arvados - Idea #22941: arvados-server package replaces all of its clones	New					Actions
	Related to Arvados - Support #22799: Review security hardening of systemd units used for services	New					Actions