Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

unixPB: removes become for brew installs in macos - > common task #3757

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

mahdipub
Copy link

In macos when installing using brew and using a root/powered user, an error will show by brew: Running Homebrew as root is extremely dangerous and no longer supported.. In general we do not need become when installing with brew. This will remove become in common > macos brew installations.

Signed-off-by: [email protected]

Checklist
  • commit message has one of the standard prefixes
  • faq.md updated if appropriate
  • other documentation is changed or added (if applicable)
  • playbook changes run through VPC or QPC (if you have access)
  • VPC/QPC not applicable for this PR
  • for inventory.yml changes, bastillion/nagios/jenkins updated accordingly

In macos when installing using brew and using a root/powered user, an error will show by brew: `Running Homebrew as root is extremely dangerous and no longer supported.`. In general we do not need `become` when installing with brew. This will remove become in common > macos brew installations.

Signed-off-by: [email protected]
@mahdipub mahdipub force-pushed the macos_common_brew_issue branch from 8602287 to 6b77d38 Compare September 30, 2024 15:47
@karianna
Copy link
Contributor

karianna commented Oct 1, 2024

The Mac OS X GH Action failed with:

TASK [Common : Add AdoptOpenJDK Java Repo] *************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "added: 0, unchanged: 0, error: failed to tap: AdoptOpenJDK/openjdk due to Error: Running Homebrew as root is extremely dangerous and no longer supported.\nAs Homebrew does not drop privileges on installation you would be giving all\nbuild scripts full access to your system.\n"}

@mahdipub
Copy link
Author

mahdipub commented Oct 1, 2024

The Mac OS X GH Action failed with:

TASK [Common : Add AdoptOpenJDK Java Repo] ************************************* fatal: [localhost]: FAILED! => {"changed": false, "msg": "added: 0, unchanged: 0, error: failed to tap: AdoptOpenJDK/openjdk due to Error: Running Homebrew as root is extremely dangerous and no longer supported.\nAs Homebrew does not drop privileges on installation you would be giving all\nbuild scripts full access to your system.\n"}

I am not sure how did you set up your environment but I think it is because you are running ansible with root/privileged user. In your case you need become to switch to less privileged user. But most of the time, the user we run on mac is not root and either is not privileged and need sudo to do something.

@karianna
Copy link
Contributor

karianna commented Oct 2, 2024

The Mac OS X GH Action failed with:
TASK [Common : Add AdoptOpenJDK Java Repo] ************************************* fatal: [localhost]: FAILED! => {"changed": false, "msg": "added: 0, unchanged: 0, error: failed to tap: AdoptOpenJDK/openjdk due to Error: Running Homebrew as root is extremely dangerous and no longer supported.\nAs Homebrew does not drop privileges on installation you would be giving all\nbuild scripts full access to your system.\n"}

I am not sure how did you set up your environment but I think it is because you are running ansible with root/privileged user. In your case you need become to switch to less privileged user. But most of the time, the user we run on mac is not root and either is not privileged and need sudo to do something.

That's a separate fix that may need to be applied to how we set up the GH action in that case. Is that something you can fix as part of this PR?

@mahdipub
Copy link
Author

mahdipub commented Oct 9, 2024

The Mac OS X GH Action failed with:
TASK [Common : Add AdoptOpenJDK Java Repo] ************************************* fatal: [localhost]: FAILED! => {"changed": false, "msg": "added: 0, unchanged: 0, error: failed to tap: AdoptOpenJDK/openjdk due to Error: Running Homebrew as root is extremely dangerous and no longer supported.\nAs Homebrew does not drop privileges on installation you would be giving all\nbuild scripts full access to your system.\n"}

I am not sure how did you set up your environment but I think it is because you are running ansible with root/privileged user. In your case you need become to switch to less privileged user. But most of the time, the user we run on mac is not root and either is not privileged and need sudo to do something.

That's a separate fix that may need to be applied to how we set up the GH action in that case. Is that something you can fix as part of this PR?

I guess the fix is you run MAC pb with a lower privileged users and then this change will work for you either. Nothing to do with ansible code itself.

Copy link

@github-actions github-actions bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A block has been put on this Pull Request as this repository is temporarily under a code freeze due to an ongoing release cycle.

If this pull request needs to be merged during the release cycle then please comment /merge and a PMC member will be able to remove the block.

If the code freeze is over you can remove this block by commenting /thaw.

@sxa
Copy link
Member

sxa commented Dec 4, 2024

That's a separate fix that may need to be applied to how we set up the GH action in that case. Is that something you can fix as part of this PR?

@karianna are you saying that the operations in mac actions is running as an administrator user by default? FYI @mahdipub the code that runs the action is in https://github.com/adoptium/infrastructure/blob/master/.github/workflows/build_mac.yml if you want to look at it.

From other invocations in GitHub actions it looks like the playbooks are running with "ansible_user: runner" so if that's a non-administrative user and this PR is no longer switching to it that would likely be the cause of the problem int he checks with this PR (I'm speculating here of course!)

@mahdipub
Copy link
Author

mahdipub commented Dec 4, 2024

@mahdipub the code that runs the action is in https://github.com/adoptium/infrastructure/blob/master/.github/workflows/build_mac.yml if you want to look at it.

@sxa, from the build_mac.yml I see that this line runs with sudo.

sudo ansible-playbook -i hosts playbooks/AdoptOpenJDK_Unix_Playbook/main.yml --skip-tags="hosts_file,hostname,brew_upgrade,brew_cu,kernel_tuning,adoptopenjdk,jenkins,nagios,superuser,swap_file,crontab"

That could be the cause. Why do we need sudo there? I believe this sudo turns the user root then it tried to run ansible on remote host by root as no -u or other options provided.
The other support for my argument is, if the user is root before that line, then brew will argue here:

    - name: Install Python
      run: brew install [email protected] --overwrite

to not run brew as root. So before that playbook line user is not privileged.

@karianna
Copy link
Contributor

karianna commented Dec 5, 2024

That's a separate fix that may need to be applied to how we set up the GH action in that case. Is that something you can fix as part of this PR?

@karianna are you saying that the operations in mac actions is running as an administrator user by default?

Yes :-)

@sxa
Copy link
Member

sxa commented Dec 5, 2024

That could be the cause. Why do we need sudo there?

That would be a question for @gdams

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants