Closed thevilledev closed 6 years ago
Thanks for submitting this PR! I realize there was a delay in responding, but we've now made the decision to commit to timely follow-up on the Gruntwork-managed GCP Terraform modules.
Regarding this PR, my concern with the proposed change is that today we create the consul user with this code, which does not create any home directory for the consul user.
In fact, here's the output I get when I check the value of $HOME via SSH:
josh@consul-server-josh-51p5:/home$ sudo su - consul -c 'echo $HOME'
No directory, logging in with HOME=/
/
This seems to match the behavior you described in your original report.
If we're going to pass the $HOME value to the supervisord process, we should probably resolve this. Perhaps we should amend the create_consul_user function to use:
sudo useradd --create-home "$username"
Also, can you just add a comment to the supervisord config file that explains that when supervisord runs a process it does not start a login shell and does not change environment variables like USER or HOME, so we must pass this in manually?
If you make the above changes, I'd be happy to merge.
Just added the necessary changes, so we're good to merge now!
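The check discussed in the review above, as an added example that is not part of the PR or the module's code: before writing HOME into the supervisord config, confirm the user's passwd home is neither "/" nor a missing directory. The function names, the [program:consul] section name and the sample passwd entry are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR. Function names are hypothetical.

# Print the home directory (passwd field 6) recorded for a user.
# The passwd file is a parameter so the lookup can be tried on sample data.
lookup_home() {
  awk -F: -v u="$1" '$1 == u { print $6; found = 1; exit }
                     END { exit !found }' "${2:-/etc/passwd}"
}

# Print the supervisord environment= line for a user, or fail:
#   1 = user not in passwd, 2 = HOME empty or "/", 3 = directory missing.
supervisor_home_env() {
  local home
  home="$(lookup_home "$1" "${2:-/etc/passwd}")" || {
    echo "no passwd entry for $1" >&2; return 1; }
  if [ -z "$home" ] || [ "$home" = "/" ]; then
    echo "HOME for $1 would be '${home}', credentials would resolve under /" >&2
    return 2
  fi
  if [ ! -d "$home" ]; then
    echo "$home does not exist; create the user with useradd --create-home" >&2
    return 3
  fi
  # supervisord only calls setuid for user=, so HOME must be passed explicitly.
  printf 'environment=HOME="%s"\n' "$home"
}

# Demo on a constructed passwd file (sample data, not from the page).
demo() {
  local dir; dir="$(mktemp -d)"
  mkdir -p "$dir/opt/consul"
  printf 'consul:x:999:999::%s/opt/consul:/bin/false\n' "$dir" > "$dir/passwd"
  printf '[program:consul]\nuser=consul\n'
  supervisor_home_env consul "$dir/passwd"
  rm -rf "$dir"
}
demo
```

Return code 3 corresponds to the situation shown in the SSH output above, where the account exists but its home directory was never created.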
Consul uses references to $HOME environment variables quite a bit, for example on Google Cloud Platform retry-join provider. By default supervisord does not set it at all even if user is defined to a different user than root. This means that by default Consul tries to read GCP auth file from /.config/gcloud/application_default_credentials.json.
This PR modifies supervisord auto-generated config to include a proper definition for $HOME environment variable. For a user generated by useradd -d /opt/consul consul the resulting config file looks like this: